Access Denied Issues - Lower Patch Levels

Site Admin/Owner Joined: Feb 12, 2005 Posts: 945

Although I do not recommend running Nuke without the latest patch levels, which in some cases, may mean having to upgrade to a newer version of nuke (patch levels are no longer being maintained below 7.1 it appears). You can try and make the following edits to certain HTML_Newsletter scripts:

NOTE: in all of the below examples, if you find the following bit of code at the top of the HTML Newsletter php script, do NOT REPLACE IT!!!

Code:

if ( !defined('NW_HNL_LOADED') )
{
die("Illegal File Access");
}

Leave the above code alone, as it is properly protecting lower level, called scripts.

======================
Ok, here we go with the mods...

In block-HTML_Newsletter.php:

Find (or whatever your version of HTML Newsletter has that is similar at the top of the script):

Code:

if ( !defined('NUKE_FILE') ) {
if ( !defined('BLOCK_FILE') ) {
Header("Location: index.php");
die();
}
}

Replace with:

Code:

if (stristr($_SERVER['SCRIPT_NAME'], "block-HTML_Newsletter.php")) {
Header("Location: ../index.php");
die();
}

Within all files (admin related), check for the following code at the top:

Code:

if ( !defined('ADMIN_FILE') )
{
die("Illegal File Access");
}

If this code is found, replace with:

Code:

if (!stristr($_SERVER['SCRIPT_NAME'], "admin.php")) { die ("Access Denied"); }

In all module files (not admin related), find:

Code:

if ( !defined('MODULE_FILE') )
{
die("Illegal File Access");
}

And replace with:

Code:

if (!stristr($_SERVER['SCRIPT_NAME'], "modules.php")) {
die ("You can't access this file directly...");
}

Hope this helps, but I take no responsibility for running with an older version of nuke on an older, less protected, patch level. You have been warned!

Smile

Regards,
montego

Newbie Joined: Aug 17, 2005 Posts: 2

Hi Montego,

I started making the changes going through each file one by one.

What should I do with this:

if (!defined('NW_HNL_LOADED')) {
if (!defined('NUKE_FILE')) {
if (!defined('MODULE_FILE')) {
if (!defined('ADMIN_FILE')) {
die("Illegal File Access");
}
}
}
}

Site Admin Joined: Jul 18, 2005 Posts: 307

You could try

Code:

if ( !defined('NW_HNL_LOADED') )
{
die("Illegal File Access - You tried to access the module directly");
}
if (stristr($_SERVER['SCRIPT_NAME'], "block-HTML_Newsletter.php")) {
Header("Location: ../index.php");
die(Illegal file access - you tried to access this file outside of the block);
}
if (!stristr($_SERVER['SCRIPT_NAME'], "modules.php")) {
die ("You can't access this file module index.php directly...");
}
if (!stristr($_SERVER['SCRIPT_NAME'], "admin.php")) { die ("Access Denied - you do not have permission to access the admin file or are not logged in");
}

Site Admin/Owner Joined: Feb 12, 2005 Posts: 945

I had forgotten about that one! Ugly. I have been thinking of changing that one. I would do as Guardian has suggested. I was about to say take it out altogether, but then found it also in the NW_HNL_GetConfig.php script too. You can remove the code from NW_HNL_Functions.php with no added risk, but do as Guardian has suggested for the other one.

I am going to get rid of the GetConfig.php script in 1.3 and replace with a function within Functions.php. This will eliminate this ugly IF statement.

Thanks Guardian for the "assist"!

montego

Site Admin Joined: Jul 18, 2005 Posts: 307

Not much of an 'assist' Wink

- I just used the examples you had already posted and altered the error message itself accordingly - it is pretty meaningless for a message to say 'its broken', I personally prefer something that gives me a clue what might be wrong/which file was misbehaving but then my site is about 200Meg in size so all the help it can give me the better Smile

.

Newbie Joined: Aug 17, 2005 Posts: 2

Thanks for your help guys. I'll see if I can get it working today.

Site Admin Joined: Jul 18, 2005 Posts: 307

Did you get it working?