PHP-Nuke Patched
2003 chatserv

NukeFixes -- NukeResources


INSTRUCTIONS:

1-Make a backup of your current files before uploading these.
2-Upload the files so that they replace yours but make sure you use the correct version.

Disclaimer: While I have done my best to get rid of errors present in the previous release, I still haven't been able to test the files.
Yet I feel confident most bugs (if not all) should be fixed, but you should still make a backup before using the files.
It is always best to upload one file at a time and test the site; that way you will know if any of the files has problems.
This time I have included instructions for applying the changes so you can edit the files yourself.
While not all changes are listed, the most important ones are.

WARNING:

If you have modified Nuke's core files and don't want to lose your modifications, do
not apply these patches. If your modifications are those of a third party add-on, I
can patch it for you if you zip the files and make them available for download; just
e-mail me with your request and the download URL to the files.
The same applies to modifications you have authored yourself.

I have included instructions for applying the fixes manually, but due to the size
of this pack and the variety of changes that could apply to modified files, and
since your modifications could require fewer or more changes, I offer to help patch
modified files. Be patient when sending requests as time is not often on my side;
files sent will be patched as soon as possible. Please do not request patching of
files that have not been ported to work with PHP-Nuke.

At the time this is being released I am still offline because the section where I live is currently without phone lines.
I take my PC to a friend's house once a week, so I won't be able to help with files for the time being.
One day a week is not enough for me to keep track of requests.


FOR THOSE THAT FEEL COMFORTABLE MAKING THE CHANGES THEMSELVES:


FOR PHP-NUKE 6.5 AND ABOVE:

One change in the files that I can explain is the move to phpBB's abstraction layer.
Those with an average knowledge of PHP/MySQL can perform the change themselves on
files they don't want to replace because of modifications. Before doing this MAKE A
BACKUP OF THE FILES so you can roll back to them if anything goes wrong. Here are
the steps:
1-By default each function's global line includes $dbi; this must be replaced with
$db. SQL query lines often end with ,$dbi which should be removed.
2-sql_fetch_row or mysql_fetch_row should now be $db->sql_fetchrow
3-sql_query or mysql_query should now be $db->sql_query
4-sql_num_rows or mysql_num_rows should now be $db->sql_numrows
5-sql_fetch_array or mysql_fetch_array should now be $db->sql_fetchrow
6-sql_free_result or mysql_free_result should now be $db->sql_freeresult
7-sql_insert_id or mysql_insert_id should now be $db->sql_nextid
8-sql_close or mysql_close should now be $db->sql_close
Others might apply but these are the ones I found being used.
One other thing to look for is unquoted variables in SQL queries, for example:
$result = $db->sql_query("SELECT rid, name, url from ".$prefix."_related where tid=$topicid");
should be:
$result = $db->sql_query("SELECT rid, name, url from ".$prefix."_related where tid='$topicid'");
Notice that $topicid is now enclosed in single quotes, which brings us to one other change.
This particular query grabs 3 values from a database table: an id, a name and a url.
The id is a numerical value. There are two ways in which you can get the result of this
query.
The one I suggest using:
$row = $db->sql_fetchrow($result);
$rid = $row['rid'];
$name = $row['name'];
$url = $row['url'];

and the one some use to reduce the amount of code:
list($rid, $name, $url) = $db->sql_fetchrow($result);

In the first method results are returned in the format $row['value'];
in the second method they are returned in the format $value.
Since one of the values is a number we add a PHP function to make sure only numbers
are used, in this case intval(). For values that return emails and URLs we can
use another function, in this case stripslashes(). They would now change to:
The one I suggest using:
$row = $db->sql_fetchrow($result);
$rid = intval($row['rid']);
$name = $row['name'];
$url = stripslashes($row['url']);

and the one some use to reduce the amount of code:
list($rid, $name, $url) = $db->sql_fetchrow($result);
$rid = intval($rid);
$url = stripslashes($url);

There are many more functions one can use to check what gets passed through a
variable, but these should help make the files more secure. Here's one more:
let's say that from our example we know $name has a maximum allowed
length of 12 characters. We can make sure that limit is not exceeded in one
of several ways; in this case we'll use substr(), so the above will now be:
The one I suggest using:
$row = $db->sql_fetchrow($result);
$rid = intval($row['rid']);
$name = substr($row['name'], 0, 12);
$url = stripslashes($row['url']);

and the one some use to reduce the amount of code:
list($rid, $name, $url) = $db->sql_fetchrow($result);
$rid = intval($rid);
$name = substr("$name", 0,12);
$url = stripslashes($url);
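
The changes from this section assembled into one complete function, as an added example that is not code from the patch pack. FakeDb is a hypothetical stand-in for the $db object so the block runs on its own, and $db and $prefix are passed as parameters instead of globals. Casting the incoming $topicid with intval() is an addition that follows the variables list further down (nuke_related: $tid).

```php
<?php
// Added example, not PHP-Nuke code. FakeDb is a hypothetical stand-in that
// offers only the two $db methods used here and serves constructed rows.
class FakeDb
{
    public $lastQuery = '';
    private $rows;
    public function __construct(array $rows) { $this->rows = $rows; }
    public function sql_query($sql) { $this->lastQuery = $sql; return true; }
    public function sql_fetchrow($result) { return array_shift($this->rows) ?: false; }
}

// The lookup from this section with the quoting, intval(), stripslashes()
// and substr() changes applied, and the loop closed.
function related_links($db, $prefix, $topicid)
{
    // Quotes alone do not limit what $topicid contains; the cast does.
    $topicid = intval($topicid);
    $result = $db->sql_query("SELECT rid, name, url FROM ".$prefix."_related WHERE tid='$topicid'");
    $links = [];
    while ($row = $db->sql_fetchrow($result)) {
        $links[] = [
            'rid'  => intval($row['rid']),           // numeric column
            'name' => substr($row['name'], 0, 12),   // 12 character limit
            'url'  => stripslashes($row['url']),     // drop stored backslashes
        ];
    }
    return $links;
}

// Constructed row and a constructed non-numeric request value.
$db = new FakeDb([
    ['rid' => '3', 'name' => 'A name longer than twelve', 'url' => 'http:\/\/example.org\/a'],
]);
$links = related_links($db, 'nuke', '15xyz');

echo $db->lastQuery, "\n";   // the query text after the cast
print_r($links);             // the cleaned row
```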



FOR PHP-NUKE 6.0 AND BELOW:

Look for unquoted variables in SQL queries, for example:
$result=sql_query("select rid, name, url from ".$prefix."_related where tid=$topicid", $dbi);
should be:
$result=sql_query("select rid, name, url from ".$prefix."_related where tid='$topicid'", $dbi);
Notice that $topicid is now enclosed in single quotes.
This particular query grabs 3 values from a database table: an id, a name and a url.
The id is a numerical value:
while(list($rid, $name, $url) = sql_fetch_row($result, $dbi)) {

Results are returned in the format $value. Since one of the values is a number we add a
PHP function to make sure only numbers are used, in this case intval(). For values
that return emails and URLs we can use another function, in this case stripslashes().
They would now change to:
while(list($rid, $name, $url) = sql_fetch_row($result, $dbi)) {
$rid = intval($rid);
$url = stripslashes($url);

There are many more functions one can use to check what gets passed through a
variable, but these should help make the files more secure. Here's one more:
let's say that from our example we know $name has a maximum allowed
length of 12 characters. We can make sure that limit is not exceeded in one
of several ways; in this case we'll use substr(), so the above will now be:
while(list($rid, $name, $url) = sql_fetch_row($result, $dbi)) {
$rid = intval($rid);
$name = substr("$name", 0,12);
$url = stripslashes($url);


Some more things to consider

In PHP-Nuke 6.5 and above, when converting SQL queries to the new abstraction layer consider the following:
When a function includes more than one SQL query it is always best to give each query's row variable a
different number ($row, $row2 and so on) so an inner query does not overwrite the row of the outer loop, for example:
$result=$db->sql_query("SELECT sid, aid, title, topic FROM ".$prefix."_stories");
while ($row = $db->sql_fetchrow($result)) {
$row = $db->sql_fetchrow($db->sql_query("select topictext, topicimage from ".$prefix."_topics where topicid='$row[topic]'"));
$topictext = $row['topictext'];
$topicimage = $row['topicimage'];

should be:
$result=$db->sql_query("SELECT sid, aid, title, topic FROM ".$prefix."_stories");
while ($row = $db->sql_fetchrow($result)) {
$row2 = $db->sql_fetchrow($db->sql_query("select topictext, topicimage from ".$prefix."_topics where topicid='$row[topic]'"));
$topictext = $row2['topictext'];
$topicimage = $row2['topicimage'];

The result line of each query will vary. Some will be like:
list($topicid, $topicname) = sql_fetch_array($result, $dbi);
and others will be like:
while(list($topicid, $topicname) = sql_fetch_array($result, $dbi)) {
You would change these to:

The method I suggest using:
$row = $db->sql_fetchrow($result);
$topicid = intval($row['topicid']);
$topicname = $row['topicname'];

and the second (the while line) to:
while($row = $db->sql_fetchrow($result)) {
$topicid = intval($row['topicid']);
$topicname = $row['topicname'];

and the alternate method:
list($topicid, $topicname) = $db->sql_fetchrow($result);
$topicid = intval($topicid);

and the second (the while line) to:
while(list($topicid, $topicname) = $db->sql_fetchrow($result)) {
$topicid = intval($topicid);



There might be additional or alternate methods to help secure the files but the ones listed will do the job.
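
To find the places in a modified file that still need the changes listed above (the $dbi removal, the step 2-8 renames and unquoted variables in queries), the following scanner is an added example and not part of the patch pack. The function name scan_source and the sample source are constructed for illustration; the checks are line-based heuristics.

```php
<?php
// Added example, not part of the patch pack. Reports lines in a PHP source
// string that still need the changes described above (line-based heuristic).

// Steps 2-8: old sql_*/mysql_* function suffix => $db method name.
const RENAMES = [
    'fetch_row'   => 'sql_fetchrow',   'fetch_array' => 'sql_fetchrow',
    'query'       => 'sql_query',      'num_rows'    => 'sql_numrows',
    'free_result' => 'sql_freeresult', 'insert_id'   => 'sql_nextid',
    'close'       => 'sql_close',
];

function scan_source(string $source): array
{
    $findings = [];
    $names = implode('|', array_keys(RENAMES));
    $legacy = '/(?<!->)\b((?:my)?sql_(' . $names . '))\s*\(/';
    foreach (explode("\n", $source) as $i => $line) {
        $n = $i + 1;
        // Steps 2-8: legacy call that is not already a $db-> method call.
        preg_match_all($legacy, $line, $calls, PREG_SET_ORDER);
        foreach ($calls as $hit) {
            $findings[] = "line $n: {$hit[1]}() -> \$db->" . RENAMES[$hit[2]] . '()';
        }
        // Step 1: leftover $dbi in a global line or as a trailing argument.
        if (preg_match('/\$dbi\b/', $line)) {
            $findings[] = "line $n: \$dbi still referenced";
        }
        // Unquoted variable after a comparison inside a double-quoted string.
        preg_match_all('/"(?:[^"\\\\]|\\\\.)*"/', $line, $strings);
        foreach ($strings[0] as $literal) {
            if (preg_match('/[=<>]\s*(\$\w+)/', $literal, $var)) {
                $findings[] = "line $n: unquoted {$var[1]} in query string";
            }
        }
    }
    return $findings;
}

// Constructed sample in the style of an unconverted module.
$sample = <<<'SRC'
global $prefix, $dbi;
$result = sql_query("select rid, name, url from ".$prefix."_related where tid=$topicid", $dbi);
while (list($rid, $name, $url) = sql_fetch_row($result, $dbi)) {
$ok = $db->sql_query("select name from ".$prefix."_related where tid='$topicid'");
SRC;

echo implode("\n", scan_source($sample)), "\n";
```

The unquoted-variable check looks at every double-quoted string, so it can also report strings that are not queries; each reported line still needs to be read before it is changed.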

Variables list

The following are some of the variables that deal with numerical values, so you could secure them with the intval() function.

Database Table Name         Variable(s)
nuke_access                 $access_id
nuke_authors                $counter, $radminarticle, $radmintopic, $radminuser, $radminsurvey,
                            $radminsection, $radminlink, $radminephem, $radminfaq, $radmindownload,
                            $radminforum, $radmincontent, $radminency, $radminreviews,
                            $radminnewsletter, $radminsuper
nuke_autonews               $anid, $catid, $ihome
nuke_banner                 $bid, $cid, $imptotal, $impmade, $clicks, $active
nuke_bannerclient           $cid
nuke_blocks                 $bid, $weight, $active, $refresh, $view
nuke_catagories             $cat_id
nuke_comments               $tid, $pid, $sid
nuke_config                 $anonpost, $commentlimit, $minpass, $pollcomm, $articlecomm,
                            $broadcast_msg, $my_headlines, $top, $storyhome, $user_news, $oldnum,
                            $ultramode, $banners, $multilingual, $useflags, $notify, $email_send,
                            $attachments, $attachments_view, $singleaccount, $filter_forward,
                            $moderate, $admingraphic, $httpref, $httprefmax
nuke_contactbook            $uid, $contactid
nuke_counter                $count
nuke_downloads_categories   $cid, $parentid
nuke_downloads_downloads    $lid, $cid, $sid, $hits, $totalvotes, $totalcomments
nuke_downloads_editorials   $downloadid
nuke_downloads_modrequest   $requestid, $lid, $cid, $sid, $brokendownload
nuke_downloads_newdownload  $lid, $cid, $sid
nuke_downloads_votedata     $ratingdbid, $ratinglid, $rating
nuke_encyclopedia           $eid, $active
nuke_encyclopedia_text      $tid, $eid
nuke_ephem                  $eid, $did, $mid, $yid
nuke_faqAnswer              $id, $id_cat
nuke_faqCategories          $id_cat
nuke_headlines              $hid
nuke_journal                $jid
nuke_journal_comments       $cid
nuke_journal_stats          $id
nuke_links_categories       $cid, $parentid
nuke_links_editorials       $linkid
nuke_links_links            $lid, $cid, $sid
nuke_links_modrequest       $requestid, $lid, $cid, $sid, $brokenlink
nuke_links_newlink          $lid, $cid, $sid
nuke_links_votedata         $ratingdbid, $ratinglid, $rating
nuke_message                $mid, $expire, $active, $view
nuke_modules                $mid, $active, $view, $inmenu
nuke_pages                  $pid, $cid, $active, $counter
nuke_pages_categories       $cid
nuke_poll_check             $pollID
nuke_poll_data              $pollID, $optionCount, $voteID
nuke_poll_desc              $pollID, $voters, $artid
nuke_pollcomments           $tid, $pid, $pollID
nuke_public_messages        $mid
nuke_queue                  $qid, $uid
nuke_referer                $rid
nuke_related                $rid, $tid
nuke_reviews                $id, $score, $hits
nuke_reviews_add            $id, $score
nuke_reviews_comments       $cid, $rid, $score
nuke_seccont                $artid, $secid, $counter
nuke_sections               $secid
nuke_stories                $sid, $catid, $comments, $counter, $topic, $ihome, $acomm, $haspoll,
                            $pollID, $score, $ratings
nuke_stories_cat            $catid
nuke_topics                 $topicid
nuke_users                  $user_id, $storynum, $uorder, $noscore, $ublockon, $commentmax, $counter,
                            $newsletter, $user_posts, $user_attachsig, $user_rank, $user_level,
                            $broadcast, $popmeson, $user_active, $user_session_time,
                            $user_session_page, $user_lastvisit, $user_new_privmsg,
                            $user_unread_privmsg, $user_last_privmsg, $user_allowhtml,
                            $user_allowbbcode, $user_allowsmile, $user_allowavatar, $user_allow_pm,
                            $user_allow_viewonline, $user_notify, $user_notify_pm, $user_popup_pm,
                            $user_avatar_type
nuke_users_temp             $user_id




All the above are but suggestions; the patched files include other changes and they vary with each version.
Like I said before, the changes are too many to list but the above should help you secure your files.

General security guidelines


1-The default PHP-Nuke package requires folders to be chmod no higher than 755 and files no higher than 644.
2-When selecting a password it is always best to combine letters and numbers.
3-If your website has been hacked before:
a-Change your admin and user password.
b-FTP to the server and replace any file newer than the rest unless you know you uploaded it at that time.
c-Delete any file you have not uploaded yourself.
d-Inspect the nuke_authors database table and remove any admin account you did not create.

4-When possible avoid using add-ons that allow users to upload files.
5-Editing Nuke's files to allow javascript and more html tags than those already allowed opens the door to possible
attacks, if this happens you can only blame yourself, why move to a php/MySQL website only to turn it into a Java
or flash nightmare? You are better off with html if you plan to flood the site with scripts.
6-After using any diagnostic/installer scripts remove them from the server.
7-Before using third party add-ons if you have a basic knowledge of php/MySQL (which you should learn anyway)
check the code to make sure no malicious code has been inserted into it, if you have no clue which way is up then
select add-ons by well known authors, you can always ask around if unsure. Established PHP-Nuke authors often
state at their websites if they support "mirror" sites, otherwise you should only download files from the author's
website, download elsewhere at your sole risk.
8-Make it a rule to visit as many PHP-Nuke related websites as you can regularly to keep up-to-date on Nuke news.
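
A check for guideline 1, as an added example that is not part of the patch pack. It reads "no higher than" as "no permission bit set beyond 755 for folders or 644 for files"; the function name audit_permissions and the temporary demo tree are constructed for illustration.

```php
<?php
// Added example, not part of the patch pack: audit a site tree against
// guideline 1 (folders at most 755, files at most 644).

function audit_permissions(string $root): array
{
    $findings = [];
    $items = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($items as $path => $info) {
        if ($info->isLink()) {
            continue;                        // a link's mode says nothing about its target
        }
        $mode  = $info->getPerms() & 0777;
        $limit = $info->isDir() ? 0755 : 0644;
        // Any permission bit outside the limit counts as "higher than" it.
        if ($mode & ~$limit) {
            $findings[$path] = sprintf('%03o (limit %03o)', $mode, $limit);
        }
    }
    ksort($findings);
    return $findings;
}

// Constructed tree in the temp directory so the example runs anywhere.
$root = sys_get_temp_dir() . '/nuke_perm_demo_' . getmypid();
mkdir("$root/modules", 0755, true);
file_put_contents("$root/config.php", "<?php\n");
file_put_contents("$root/modules/index.php", "<?php\n");
chmod("$root/config.php", 0666);             // world-writable file: reported
chmod("$root/modules", 0777);                // world-writable folder: reported
chmod("$root/modules/index.php", 0644);      // within the limit: not reported

foreach (audit_permissions($root) as $path => $detail) {
    echo "$path: $detail\n";
}

// Remove the demo tree again.
unlink("$root/config.php");
unlink("$root/modules/index.php");
rmdir("$root/modules");
rmdir($root);
```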