Forum » » Sécurité » » [Résolu] - NPDS hacké
Posté : 22 avr. 2004 à 14:23
<?PHP
/************************************************************************/
/* NPDS V : Net Portal Dynamic System . */
/* =========================== */
/* */
/* Original Copyright (c) 2001 by Francisco Burzi (fburzi@ncc.org.ve) */
/* http://phpnuke.org */
/* */
/* This version name NPDS Copyright (c) 2001-2004 */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
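/**
 * Reject the current admin session: clear the "admin" cookie, record the
 * reason in the "security" log, print the warning page, redirect to
 * admin.php and stop the script.
 *
 * @param string $motif Reason written to the security log. The callers in this
 *                      file build it from request data (account name, cookie
 *                      value), so it must be treated as untrusted text.
 */
function Admin_alert($motif) {
    global $admin;

    // Expire the cookie on the client. unset() only removes this function's
    // alias of the global; that is enough here because the script ends at die().
    setcookie("admin", "", 0);
    unset($admin);

    // Replace control characters so request-derived text cannot break one
    // security event into several forged log lines.
    $motif = preg_replace('/[\x00-\x1F\x7F]/', ' ', (string) $motif);
    Ecr_Log("security", "auth.inc.php/Admin_alert : ".$motif, "");

    echo "<html>\n";
    echo "<body bgcolor=\"#FFFFFF\" text=\"#000000\">\n<br /><br /><br />";
    echo "<center><img src=\"images/eyes.gif\" border=0><br /><br />\n";
    echo "<font face=\"Verdana\" size=\"3\"><b>.: IP recorded :.</b></font></center>\n";
    echo "</body>\n";
    echo "</html>\n";

    // The posted listing shows this call with stray '!' characters (presumably
    // added by the forum's output filter), which is a parse error; restored here.
    redirect_url("admin.php");
    die();
}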
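// Admin login: check the submitted account name and password against the
// authors table and, on success, issue the "admin" cookie.
// NOTE(review): $aid, $pwd, $op, $system_md5 and $admin_cook_duration are not
// assigned in this listing; presumably they come from the request and the
// portal configuration - confirm none of the config values can be overridden
// by a request parameter.
if (isset($aid) && isset($pwd) && ($op == "login")) {
    if ($aid != "" && $pwd != "") {
        // $aid is request data and goes inside a quoted SQL literal: escape it
        // with the same mysql extension the query uses.
        // NOTE(review): if an earlier layer already adds slashes (magic_quotes_gpc
        // or a portal input filter), names containing quotes get escaped twice and
        // simply fail to log in - confirm.
        $aid_sql = mysql_real_escape_string($aid);
        $result = mysql_query("select pwd from authors where aid='$aid_sql'");
        unset($aid_sql);
        if (!$result) {
            Admin_Alert("DB not ready #1 : $aid");
        } else {
            // No matching row leaves $pass empty, which the check below rejects.
            $Xrow = mysql_fetch_row($result);
            $pass = $Xrow ? $Xrow[0] : "";
            unset($Xrow);

            if ($system_md5) {
                // The stored value is passed as the salt so crypt() re-hashes the
                // submitted password the same way the stored one was hashed.
                $passwd = crypt($pwd, $pass);
            } else {
                // With $system_md5 off the comparison is against the stored value
                // as-is, i.e. the password is kept in clear text in the table.
                $passwd = $pwd;
            }

            if ((strcmp($passwd, $pass) == 0) && ($pass != "")) {
                // The cookie is base64("aid:md5(stored password value)"). It is a
                // password-equivalent that only changes when the password does, so
                // the authors table and this cookie need the same protection as the
                // password itself. The listing spells the encoder "base_64_encode"
                // (not a PHP function); restored to base64_encode().
                $admin = base64_encode("$aid:".md5($passwd));
                if ($admin_cook_duration <= 0) {
                    $admin_cook_duration = 1;
                }
                // Lifetime is expressed in hours.
                $timeX = time() + (3600 * $admin_cook_duration);
                // NOTE(review): no path/secure/httponly attributes are set here.
                setcookie("admin", "$admin", $timeX);
            } else {
                // Record which account failed, not the submitted credential: the
                // original message wrote $passwd (clear text when $system_md5 is
                // off) into the security log.
                Admin_Alert("Passwd not in DB#1 : $aid");
            }
        }
    }
}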
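#autodoc $admintest - $super_admintest : tells whether an admin is logged in ($admintest=true) and whether that admin is a SuperAdmin ($super_admintest=true)
$admintest = false;
$super_admintest = false;
// NOTE(review): $admin is expected to hold the "admin" cookie, but this listing
// never reads $_COOKIE; presumably it is imported from the request - confirm it
// cannot also arrive as a GET/POST parameter.
if ($admin != "") {
    // Cookie layout is base64("aid:md5(stored password value)"). The listing
    // spells the decoder "base_64_decode" (not a PHP function); restored here.
    $Xadmin = explode(":", base64_decode($admin));
    $aid = htmlspecialchars($Xadmin[0], ENT_QUOTES);
    // A cookie without ':' has no second field; treat it as empty instead of
    // reading an undefined offset.
    $AIpwd = isset($Xadmin[1]) ? $Xadmin[1] : "";
    if ($aid == "" || $AIpwd == "") {
        Admin_Alert("Null Aid or Passwd");
    }

    // htmlspecialchars() encodes quotes but leaves backslashes alone, so the
    // value is still escaped for the SQL string literal.
    $result = mysql_query("select pwd, radminsuper from authors where aid='".mysql_real_escape_string($aid)."'");
    if (!$result) {
        Admin_Alert("DB not ready #2 : $aid");
    } else {
        // No matching row leaves both values empty, which the check below rejects.
        $Xrow = mysql_fetch_row($result);
        $AIpass = $Xrow ? $Xrow[0] : "";
        $Xsuper_admintest = $Xrow ? $Xrow[1] : "";
        unset($Xrow);

        // Strict string comparison: with "==" two hex digests that both look like
        // numbers (for example "0e..." forms) are compared numerically on older
        // PHP and can be reported equal although they differ. Where the runtime
        // offers hash_equals(), prefer it for a timing-safe comparison.
        if (md5($AIpass) === $AIpwd && $AIpass != "") {
            $admintest = true;
            $super_admintest = $Xsuper_admintest;
        } else {
            Admin_Alert("Password in Cookies not Good #1 : $AIpwd");
        }
    }

    // Do not leave password material in global scope for later includes.
    unset($AIpass);
    unset($AIpwd);
    unset($Xadmin);
    unset($Xsuper_admintest);
}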
?>
Cet article provient de NPDS
https://www.npds.org/viewtopic.php?topic=11188&forum=12