Hello. A few hours ago a new exploit came out (I will not post the code here), and I was trying to add the fix, but it seems I am doing something wrong, because I get a blank page when I go to my admin path to log in to the control panel. I will not post the exploit code (many already know about it), but I need some help with the fix.

This is the code to protect against this attack. First, write protection.php:

```
<?
$self = $_SERVER['PHP_SELF'];
$pos = strpos($self, 'login.php');
if($pos == true){
    echo "<script language='javascript'>window.location = 'http://server/index.php';</script>";
}
?>
```

Save protection.php in the admin folder of osCommerce, then paste the following code into all pages in the /admin folder (except login.php):

```
include('protection.php')
```

I created the file protection.php and added this code inside:

```
<?
$self = $_SERVER['PHP_SELF'];
$pos = strpos($self, 'login.php');
if($pos == true){
    echo "<script language='javascript'>window.location = 'http://server/index.php';</script>";
}
?>
```

I replaced

```
http://server/index.php
```

with

```
http://mydomain/index.php
```

and uploaded it to the admin folder. Then I tried to add

```
include('protection.php')
```

to all PHP files in the admin folder except login.php. I added it at the top, above

```
require('includes/application_top.php');
```

like this:

```
include('protection.php')
require('includes/application_top.php');
```

But after that, when I try to log in to my admin panel, I get a blank white screen. Can you please let me know what I did wrong and how to fix it? Thank you.

UPDATE: If I use it at the top of all PHP files like this, it is working:

```
<?php include('protection.php') ?>
```

But does it actually use protection.php for security or not? Thank you.
That exploit will only work if your admin folder is still named admin. If you've followed the recommended security procedures, like renaming the admin folder to something obscure, then this exploit will not work - unless the hackers already know what your admin folder has been renamed to. Yes, enclosing the include in PHP tags is using the security you originally intended.
The protection isn't really optimal, because the script will continue to run after the echo statement. Even if the attackers get redirected with JavaScript, the rest of the script will still run, so they can still cause mayhem and mischief through that. You should put an "exit;" after the echo statement IMHO.
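Putting the two replies together, here is a hardened protection.php as an added example; it is not code from the original thread and not osCommerce's own code. It keeps the posted snippet's assumption that an admin script other than login.php should never be reached through a request whose PHP_SELF contains "login.php", and only fixes what the replies and the snippet itself show: it terminates the script after redirecting, sends an HTTP redirect instead of a JavaScript one, and compares the strpos() result against false (strpos() returns 0, which is not == true, when the needle sits at offset 0). The helper name admin_request_is_suspicious and the redirect target http://mydomain/index.php (taken from the poster's edit) are placeholders to adapt.

```php
<?php
// protection.php - hardened version of the snippet posted in the thread (added example,
// not osCommerce code). Assumption carried over from the posted fix: no admin script
// except login.php should ever be reached through a request whose PHP_SELF contains
// "login.php".

// Hypothetical helper name; returns true when the request should be rejected.
function admin_request_is_suspicious($phpSelf)
{
    // strpos() returns 0 when the needle sits at offset 0 and false when it is absent.
    // The original "$pos == true" treats offset 0 as "not found", so test against false.
    return strpos($phpSelf, 'login.php') !== false;
}

$self = isset($_SERVER['PHP_SELF']) ? (string) $_SERVER['PHP_SELF'] : '';

if (admin_request_is_suspicious($self)) {
    // Send a real HTTP redirect rather than a JavaScript one: a client that ignores
    // JavaScript (curl, an attacker's script) is never moved by window.location.
    // header() must run before any output, so this file has to be included first.
    header('Location: http://mydomain/index.php', true, 302); // assumption: your own site

    // This is the part the second reply flags as missing: without exit the script that
    // included protection.php keeps running after the redirect and the redirect is
    // only cosmetic.
    exit;
}

// Usage: at the very top of every file in the admin folder except login.php, before
// the existing require of application_top.php, inside the same PHP block:
//
//     require('protection.php');
//     require('includes/application_top.php');
//
// This file deliberately has no closing PHP tag: a stray newline after one would be
// sent to the browser as output and make the header() call fail.
```

The check is no stronger than the original's; whether matching "login.php" in PHP_SELF is sufficient against the exploit the poster mentions is not something the thread describes, so only the failure modes the replies identify are addressed here. Remember the include has to be the first statement executed: if application_top.php or anything else has already written output, header() cannot send the redirect.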