security evaluation -- admin panel

i am currently working to make the different administration areas for phpHaze manageable via the admin panel iself, sort of like an "admin panel's admin panel" 

in order to do this, no longer using a strict if-else statement, it will find the admin area's data from the database and parse the section accordingly based on various user access levels and etc..

my question however is, how secure is this new system? i use a core function to protect each individual page that is loaded:

note: defintions such as "ADMIN" and such are not shown here but are being used, and act as "/admin/" in the base directory

function admin_page($alevel, $pagefile, $errormsg){ 

global $logged, $settings, $id, $step, $blacklist_id, $status;

$aidaccess = isNum($logged['level']);

if ($aidaccess > $alevel) {

require_once ADMIN.$pagefile;

} else {

echo "<center>Your access level: ".$aidaccess.", your access type: ".getuserlevel($logged['id'])."<br />";

echo $errormsg."</center>";

}
}


now that of course is *only* where the page is being displayed inside of the admin layout for the actual full page. on to admin.php, which performs other checks before calling upon the admin_page function

Code:

<?php
if (eregi("admin.php", $_SERVER['PHP_SELF'])) die();
if (!defined("IN_HAZE")) fallback("index.php");
$e_msg['2'] = "You must be a moderator, staff member, or administrator to have access to this admin area.";
$e_msg['3'] = "You must be a staff member or administrator to have access to this admin area.";
$e_msg['4'] = "You must be an administrator to have access to this admin area.";
$a_sects = dbquery("SELECT * FROM haze_admin ORDER BY admin_name ASC");
if ($logged['username']){
$a_rows = dbrows($a_sects);
if ($_GET['admin']){
$select_ad = dbquery("SELECT * FROM haze_admin WHERE admin_mode = '".$_GET['admin']."'");
$adm = dbarray($select_ad);
$modes[] = $adm['admin_mode'];
$safe = (in_array($_GET['admin'], $modes) ? TRUE : fallback($settings['site_url']));
$counter = 0;
echo "<center><a href='page.php?id=".$id."'><b>Index</b></a> || [ ";
while ($al = dbarray($a_sects)){
$counter++;
echo "<a href='page.php?id=".$id."&amp;admin=".$al['admin_mode']."'>".$al['admin_name']."</a>".($counter < $a_rows ? " | " : "");
}
echo " ]</center>";
if ($safe){
$a_acc = $adm['admin_access'];
admin_page($a_acc, $adm['admin_page'], $e_msg[$a_acc]);
}
} else {
if ($logged['level'] > 3) {
$counter = 0; $columns = 3; 
echo "<table align='center' border='0' cellpadding='2' cellspacing='2' width='90%'>\n<tr>\n";
while ($ai = dbarray($a_sects)){
if ($counter != 0 && ($counter % $columns == 0)) echo "</tr>\n<tr>\n";
echo "<td align='center'><a href='page.php?id=".$id."&amp;admin=".$ai['admin_mode']."' class='img2'>
<img border='0' alt='".$ai['admin_name']."' src='".IMAGES."admin/".$ai['admin_img']."' /><br />".$ai['admin_name']."</a></td>";
$counter++;
}
echo "</tr>\n</table>\n";
} else {
echo "You must be a staff member or administrator to have access the Admin Panel index.";
}
}
} else {
echo "<center>Sorry, but you are not allowed to view this page!</center>";
}
?>

as you see, its passing the admin mode through a get variable to determine which admin_page is being called upon later in the script. obviously, a user could just type anything into the address bar.. so i used the simple in_array() function to check the available admin modes in the database, and if the requested mode isnt available, the user is forced back to the front page of the site using this function

function fallback($location) {

header("Location: ".$location);

exit;
}


i know thats alot to read and go through, but i need to know if there is a loophole or exploit there.. as the admin panel is very important  this version (1.6) is not released yet, and Nathan (one of the 3 known phpHaze users) uses the latest final release which uses the strict if/else, so this doesnt apply to him as his admin panel is an older version which is much less complex..

so let me know, experts in php at webdigity! is this secure, or am i missing something?

[Join us @ facebook]

It is too late here, so I can't examine your code, but with a first look you seem to have an SQL injection problem :

$select_ad = dbquery("SELECT * FROM haze_admin WHERE admin_mode = '".$_GET['admin']."'");

It is too late here, so I can't examine your code, but with a first look you seem to have an SQL injection problem :

$select_ad = dbquery("SELECT * FROM haze_admin WHERE admin_mode = '".$_GET['admin']."'");

ah, so i should move this query also into an "in array" statement to verify it? or use another type of check -- this is exactly why i havent released this yet -- i'm not comfortable with its security

[Free WordPress Themes]

No, you need to learn about "SQL injections"

[Join us @ facebook]

You should change your queries to something like :

$select_ad = dbquery("SELECT * FROM haze_admin WHERE admin_mode = '".addslashes($_GET['admin'])."'");

[Free WordPress Themes]

or better:

Code:

<?php
if (get_magic_quotes_gpc()) $_GET['admin'] = stripslashes($_GET['admin']);
$admin = mysql_real_escape_string($_GET['admin']);

$select_ad = dbquery("SELECT * FROM haze_admin WHERE admin_mode = '".$admin."'");

or better:

Code:

<?php
if (get_magic_quotes_gpc()) $_GET['admin'] = stripslashes($_GET['admin']);
$admin = mysql_real_escape_string($_GET['admin']);

$select_ad = dbquery("SELECT * FROM haze_admin WHERE admin_mode = '".$admin."'");

ah ok guys, thanks for the help i hope that was the only problem though

[Join us @ facebook]

That can be the most serious problem as it can give full access to your database.

The other thing you need to check is if you have any XSS vulnerability. The purpose is to check if you include something the you get from user. For example :

BAD SYNTAX :
include $_GET['action'];

Good syntax :
include '/some/path/' . $_GET['action'];

That can be the most serious problem as it can give full access to your database.

The other thing you need to check is if you have any XSS vulnerability. The purpose is to check if you include something the you get from user. For example :

BAD SYNTAX :
include $_GET['action'];

Good syntax :
include '/some/path/' . $_GET['action'];

well i do have some XSS protections but they arent in the admin file, they are in the core file which is included earlier in the script:

// Locate config.php and set the basedir path
$folder_level = "";
while (!file_exists($folder_level."config.php")) { $folder_level .= "../"; }
require_once $folder_level."config.php";
define("BASEDIR", $folder_level);
//common definitions
$_SERVER['PHP_SELF'] = htmlspecialchars(descript($_SERVER['PHP_SELF']), ENT_QUOTES);
$PHP_SELF = htmlspecialchars(descript($_SERVER['PHP_SELF']), ENT_QUOTES);
define("IN_HAZE", TRUE);
define("HAZE_REQUEST", isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] != "" ? $_SERVER['REQUEST_URI'] : $_SERVER['SCRIPT_NAME']);
define("HAZE_QUERY", isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : "");
define("HAZE_SELF", basename($_SERVER['PHP_SELF']));
define("USER_IP", $_SERVER['REMOTE_ADDR']);

foreach ($_GET as $check_url) {

if ((eregi("<[^>]*script*\"?[^>]*>", $check_url)) || (eregi("<[^>]*object*\"?[^>]*>", $check_url)) ||

(eregi("<[^>]*iframe*\"?[^>]*>", $check_url)) || (eregi("<[^>]*applet*\"?[^>]*>", $check_url)) ||

(eregi("<[^>]*meta*\"?[^>]*>", $check_url)) || (eregi("<[^>]*style*\"?[^>]*>", $check_url)) ||

(eregi("<[^>]*form*\"?[^>]*>", $check_url)) || (eregi("\([^>]*\"?[^)]*\)", $check_url)) ||

(eregi("\"", $check_url))) {

die ();

}
}
unset($check_url);

function descript($text,$striptags=true) {

$search = array("40","41","58","65","66","67","68","69","70",

"71","72","73","74","75","76","77","78","79","80","81",

"82","83","84","85","86","87","88","89","90","97","98",

"99","100","101","102","103","104","105","106","107",

"108","109","110","111","112","113","114","115","116",

"117","118","119","120","121","122"

);

$replace = array("(",")",":","a","b","c","d","e","f","g","h",

"i","j","k","l","m","n","o","p","q","r","s","t","u",

"v","w","x","y","z","a","b","c","d","e","f","g","h",

"i","j","k","l","m","n","o","p","q","r","s","t","u",

"v","w","x","y","z"

);

$entities = count($search);

for ($i=0;$i < $entities;$i++) $text = preg_replace("#(&\#)(0*".$search[$i]."+);*#si", $replace[$i], $text);

$text = preg_replace('#(&\#x)([0-9A-F]+);*#si', "", $text);

$text = preg_replace('#(<[^>]+[\\"\'\s])(onmouseover|onmousedown|onmouseup|onmouseout|onmousemove|onclick|ondblclick|onload|xmlns)[^>]*>#iU', ">", $text);

$text = preg_replace('#([a-z]*)=([\`\'\"]*)script:#iU', '$1=$2nojscript...', $text);

$text = preg_replace('#([a-z]*)=([\`\'\"]*)javascript:#iU', '$1=$2nojavascript...', $text);

$text = preg_replace('#([a-z]*)=([\'\"]*)vbscript:#iU', '$1=$2novbscript...', $text);

$text = preg_replace('#(<[^>]+)style=([\`\'\"]*).*expression\([^>]*>#iU', "$1>", $text);

$text = preg_replace('#(<[^>]+)style=([\`\'\"]*).*behaviour\([^>]*>#iU', "$1>", $text);

if ($striptags) {

do {

        

$thistext = $text;

$text = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $text);

} while ($thistext != $text);

}

return $text;
}

[Join us @ facebook]

What is the reason for using those functions?

That fragment of code looks very slow to me (I mean it produces too much overhead)

the descript function is used inside of another function "stripinput" which is shown on the tutorial i submitted not long ago, stripping all malicous user input

which part is producing too much overhead?

[Join us @ facebook]

In general preg related functions are slowing up the whole process. Of course some times they are required

In general preg related functions are slowing up the whole process. Of course some times they are required

yes definately, but it is better to use preg_replace than str_replace am i correct? if using str replace, it would be even slower ..

thanks for the help on the SQL injection problem guys, i looked it up in the manual and learned a few new things , is that the only exploit, though? after patching that, i'd assume its lock-tight, assuming as well that the user accessing it is an admin ;P

[Free WordPress Themes]

In general preg related functions are slowing up the whole process. Of course some times they are required

this is interesting:
http://www.php-scripts.com/php_diary/011303.php3

edit:

I think above the information is about php 3 or 4.

the manual says something different now:
http://www.phpbuilder.com/board/showthread.php?t=10319193