XAMPP Download+Guide
- To begin, install XAMPP.
- Then do the following:
  - Open C:\xampp\apache\bin\php.ini
  - Find safe_mode = off and change it to safe_mode = on
  - Find safe_mode_gid = off and change it to safe_mode_gid = on
So... first of all, I will explain what the "holes" (bugs) in MuWeb 8.0 are.
# Name | How to fix
- includes/search_acc_admin.php | Delete
- includes/search_chr_admin.php | Delete
- includes/search_ip_admin.php | Delete
- administrator.php | Rename (explanation below)
- Administrator | Rename (explanation below)
- Modules/User/ALL FILES | Anti-SQL code (below)
- Modules/search.php | Delete
- Modules/register.php | Anti-SQL code (below)
- Modules/statistics.php | Delete (until I find another solution)
// And a few more things in modules... that must be protected with the anti-inject code; the ones you can edit are already listed here.
* Usually some of you put the anti-inject code in index.php, which does not always have an effect; it is best and safest to put it in config.php!
Code:
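<?php
// Anti-inject filter: cleans every $_GET, $_POST and $_COOKIE value and
// logs each value that had to be changed.
$ip     = $_SERVER['REMOTE_ADDR'];
$time   = date('l dS \o\f F Y h:i:s A'); // "of" is escaped so date() prints it literally
$script = isset($_SERVER['PATH_TRANSLATED']) ? $_SERVER['PATH_TRANSLATED'] : $_SERVER['SCRIPT_FILENAME'];
$fp     = fopen("D:/MuServer/[WEB]SQL_Injection.txt", "a+");

$sql_inject_1 = array(";", "'", "%", '"');   # what needs to be replaced
$sql_inject_2 = array("", "", "", "&quot;"); # what it is replaced with (4th entry garbled in the source; "&quot;" assumed)
$GET_KEY    = array_keys($_GET);    # array keys from $_GET
$POST_KEY   = array_keys($_POST);   # array keys from $_POST
$COOKIE_KEY = array_keys($_COOKIE); # array keys from $_COOKIE

/* begin clear $_GET */
for ($i = 0; $i < count($GET_KEY); $i++) {
    $real_get[$i] = $_GET[$GET_KEY[$i]];
    $_GET[$GET_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_GET[$GET_KEY[$i]]));
    if ($real_get[$i] != $_GET[$GET_KEY[$i]]) {
        fwrite($fp, "IP: $ip\r\n");
        fwrite($fp, "Method: GET\r\n");
        fwrite($fp, "Value: $real_get[$i]\r\n");
        fwrite($fp, "Script: $script\r\n");
        fwrite($fp, "Time: $time\r\n");
        fwrite($fp, "==================================\r\n");
    }
}
/* end clear $_GET */

/* begin clear $_POST */
for ($i = 0; $i < count($POST_KEY); $i++) {
    $real_post[$i] = $_POST[$POST_KEY[$i]];
    $_POST[$POST_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_POST[$POST_KEY[$i]]));
    if ($real_post[$i] != $_POST[$POST_KEY[$i]]) {
        fwrite($fp, "IP: $ip\r\n");
        fwrite($fp, "Method: POST\r\n");
        fwrite($fp, "Value: $real_post[$i]\r\n");
        fwrite($fp, "Script: $script\r\n");
        fwrite($fp, "Time: $time\r\n");
        fwrite($fp, "==================================\r\n");
    }
}
/* end clear $_POST */

/* begin clear $_COOKIE */
// The source is cut off at this loop; it is completed here on the pattern of the two loops above.
for ($i = 0; $i < count($COOKIE_KEY); $i++) {
    $real_cookie[$i] = $_COOKIE[$COOKIE_KEY[$i]];
    $_COOKIE[$COOKIE_KEY[$i]] = str_replace($sql_inject_1, $sql_inject_2, HtmlSpecialChars($_COOKIE[$COOKIE_KEY[$i]]));
    if ($real_cookie[$i] != $_COOKIE[$COOKIE_KEY[$i]]) {
        fwrite($fp, "IP: $ip\r\n");
        fwrite($fp, "Method: COOKIE\r\n");
        fwrite($fp, "Value: $real_cookie[$i]\r\n");
        fwrite($fp, "Script: $script\r\n");
        fwrite($fp, "Time: $time\r\n");
        fwrite($fp, "==================================\r\n");
    }
}
/* end clear $_COOKIE */
fclose($fp);
?>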
* Of course, you put it at the very beginning of config.php.
** This script automatically creates a file in D:/MuServer with the website's logs, that is, all the IPs that tried to inject or "hack" your website; the file is named [WEB]SQL_Injection.txt .
1.
- Open administrator.php with Notepad, press Ctrl+H or go to Edit > Replace...
- In "Find what" enter: administrator ; in "Replace with" enter: any other word, or 2 words, or as many as you like, joined with "_", for example (Server_Admin or ServerAdmin; do not use "-" !!!) and click OK.
* Rename administrator.php to what you entered above in place of administrator, for example (instead of administrator.php you will use Server_Admin.php)
2.
- Go into the administrator folder, where you will search for "administrator" (without the quotes) as in the examples above, replacing it with the same name as above, for example (Server_Admin). Below is a list of the files you need to edit.
Quote:
- .htaccess > No
- downloads.php > Yes
- editaccount.php > Yes
- editcharacter.php > Yes
- events.php > Yes
- findip.php > No
- logs.php > No
- news.php > Yes
- server.php > Yes
- webshop.php > Yes
- website.php > Yes
* Now rename the administrator folder to the name you have used so far, for example (Server_Admin)
3. Last step:
- Go to includes/admin_functions.php and replace administrator with what you used above, for example (Server_Admin) .
- Go to includes/admin_modules.php and replace administrator with what you used above, for example (Server_Admin) .
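One way to triage the [WEB]SQL_Injection.txt file that the anti-inject script writes, as an added Python example that is not part of the original post: it parses the record layout produced by the script's fwrite calls and counts logged inputs per IP. The sample log, its IP addresses, the path and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# One record as the filter writes it: five labelled lines, then a line of "=".
# Value is matched lazily with DOTALL because a submitted value can contain newlines.
RECORD = re.compile(
    r"IP: (?P<ip>[^\r\n]*)\r?\n"
    r"Method: (?P<method>\w+)\r?\n"
    r"Value: (?P<value>.*?)\r?\n"
    r"Script: (?P<script>[^\r\n]*)\r?\n"
    r"Time: (?P<time>[^\r\n]*)\r?\n"
    r"={5,}",
    re.DOTALL,
)

# Constructed sample log: documentation IP addresses, made-up values and path.
SAMPLE_LOG = "".join(
    f"IP: {ip}\r\nMethod: {method}\r\nValue: {value}\r\n"
    "Script: C:/xampp/htdocs/index.php\r\n"
    "Time: Monday 06th of October 2008 10:15:02 PM\r\n" + "=" * 34 + "\r\n"
    for ip, method, value in [
        ("203.0.113.7", "GET", "news'"),
        ("203.0.113.7", "POST", "guild;name"),
        ("203.0.113.7", "POST", "line one\r\nline two;"),
        ("198.51.100.20", "POST", "O'Brien 100%"),  # ordinary input is logged too
    ]
)

def parse_records(text):
    """Return one dict per log record, in file order."""
    return [m.groupdict() for m in RECORD.finditer(text)]

def summarize(records):
    """Group records by IP: how many inputs were altered, via which methods and scripts."""
    summary = defaultdict(lambda: {"count": 0, "methods": set(), "scripts": set()})
    for rec in records:
        entry = summary[rec["ip"]]
        entry["count"] += 1
        entry["methods"].add(rec["method"])
        entry["scripts"].add(rec["script"])
    return dict(summary)

def noisy_sources(summary, threshold=3):
    """IPs with at least `threshold` logged inputs, busiest first."""
    hits = [(ip, e["count"]) for ip, e in summary.items() if e["count"] >= threshold]
    return sorted(hits, key=lambda hit: -hit[1])

if __name__ == "__main__":
    print(noisy_sources(summarize(parse_records(SAMPLE_LOG))))
```

The script logs every value it had to change, so a visitor whose input simply contains an apostrophe or a percent sign appears in the file as well. Treat the per-IP count as a starting point for review, not as proof of an attack.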
Try also:
http://starmedia.myforum.ro/muonline-webside-security-tutorial-vt29740.html > WebSite Security (the part about security in XAMPP is good)
http://starmedia.myforum.ro/instalare-xampp-vt28960.html > XAMPP Installation guide .
Download:
Here is a MuWeb 8.0 that is already secured!!! You only need to follow the step about securing the administrator and edit config.php, admin_config.php, install/sql.php .
Install URL: http://your_ip/install/install3.php
Mirror: http://www.netdrive.ws/101651.html
Mirror2: http://rapidshare.com/files/152804731/Secure_MuWeb_8.0.rar.html
_________________
TTeam