From: Matthew M. <ma...@tu...> - 2004-09-02 14:38:03
Here are the details for what the security patches fix:

http://www.gulftech.org/?node=research&article_id=00048-08312004

Special thanks to Steven. He became the best hacker there is at foiling my security checks and he was quick to fix module issues.

I will also explain what James is referring to in his conclusion.

0.9.4 will have an authentication key for each user. When you log in, the key is created from scratch and placed into your session. As you move through the site, the key may be accessed for authorization. For example, say you are an administrator and you click on an Edit link. The authorization key will be added to that Edit link. When you arrive at your destination, your key and the link key will be compared. If they do not match, you are denied access. This key will also automatically be included in form submissions.

What this prevents are hacks that embed code. For example, the <img> tag code would be rendered useless because the hacker would be unable to know what your key is going to be when you log in.

0.9.4 also has a security logging feature. If a user tries to circumvent phpwebsite's security, it will log their username (if they are logged in), their IP address, what page the attempt came from (if there is a referrer page), and what time the attempt came.

Unrelated news: I will attempt to put a working copy of 0.9.4 on the web soon. It is still in alpha status but it will allow me to get better feedback on its operation.

-- 
Matthew McNaney
Internet Systems Architect
Electronic Student Services
Appalachian State University
Phone: 828-262-6493
http://phpwebsite.appstate.edu
http://ess.appstate.edu
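A constructed Python model of the per-session key mechanism described in the message above, added here as an illustration; it is not phpWebSite's code. The session dict, the SECURITY_LOG list and every function name are this example's own assumptions. It shows a key issued at login, appended to an Edit link, compared on arrival, and a keyless request (the kind an embedded <img> tag would produce) being denied and logged with user, IP, referrer and time.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed model of the 0.9.4 scheme: a key made at login lives in the
# session, is appended to privileged links/forms, and is compared on arrival.
# The session dict, SECURITY_LOG and all names are this example's own.

SECURITY_LOG = []  # constructed sink standing in for the security log

def login(username):
    """Create the key from scratch and place it into the session."""
    return {"user": username, "authkey": secrets.token_hex(16)}

def build_link(session, base, params):
    """Add the session's key to a privileged link (e.g. an Edit link)."""
    return f"{base}?{urlencode(dict(params, authkey=session['authkey']))}"

def log_attempt(session, request):
    """Record username (if logged in), IP, referring page and time."""
    SECURITY_LOG.append({
        "user": session.get("user"),
        "ip": request.get("ip"),
        "referer": request.get("referer"),
        "time": request.get("time", time.time()),
    })

def authorize(session, request):
    """Compare the key carried by the link with the key in the session."""
    query = urlsplit(request["url"]).query
    sent = parse_qs(query).get("authkey", [""])[0]
    # constant-time compare so a mismatch does not leak key prefixes
    if not hmac.compare_digest(sent, session["authkey"]):
        log_attempt(session, request)
        return False
    return True

if __name__ == "__main__":
    sess = login("admin")
    edit = build_link(sess, "index.php", {"module": "pagemaster", "op": "edit"})
    print("own Edit link allowed:", authorize(sess, {"url": edit, "ip": "10.0.0.5"}))
    # the same action planted by someone else in an <img> tag carries no key
    forged = {"url": "index.php?module=pagemaster&op=delete_page",
              "ip": "10.0.0.5", "referer": "http://example.invalid/post"}
    print("planted link allowed:", authorize(sess, forged))
    print("security log:", SECURITY_LOG[-1])
```

Because the key is minted per login, a link copied from one session (or guessed in advance) fails the comparison in every other session.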
From: Jim W. <spi...@us...> - 2004-09-02 16:14:56
Matthew McNaney said:
> Here are the details for what the security patches fix:
>
> http://www.gulftech.org/?node=research&article_id=00048-08312004
>
> Special thanks to Steven. He became the best hacker there is at foiling
> my security checks and he was quick to fix module issues.
>
> I will also explain what James is referring to in his conclusion.
>
> 0.9.4 will have an authentication key for each user. When you log in,
> the key is created from scratch and placed into your session.

Thank you for the update. This should work fine, but existing users have a serious problem that they should address in the mentioned RFC 2616 problems. On the surface it doesn't seem like there would be a quick fix to solve this issue, but I would strongly recommend that individual users make edits to certain files in order to avoid or limit defacement. As far as I can tell, this requires disabling some functions for the time being.

Below are some notes on how to do this. I've listed the module files and the functions that individuals may want to disable. At the very least one should look very closely at the "users" module functions. The disabled functions could be performed by administering the mod_users tables with a database admin tool.

It would be helpful to get feedback on these ideas, or perhaps alternative solutions. For many users waiting for the next release might be too risky.

Thanks,
Jim Wilson

Disable the following functions in the following files. Look for statements like 'case "deleteforum";' and either mangle the command name text (e.g. change "deleteforum" to "zadaweb-was-deleteforum") or comment out the case statement and the code following it down to the break; statement:

mod/users/index.php
  annointUser
  castoutUser
  turnOnAdmin
  turnOffAdmin
  deleteGroup
  deleteUser

mod/phpwsbb/class/Manager.php
  deleteForum
  deletemessage
  banusername
  unbanusername

mod/photoalbum/class/Album.php
  delete

mod/pagemaster/index.php
  delete_page
From: Matthew M. <ma...@tu...> - 2004-09-02 17:03:31
> On the surface it doesn't seem like there would be a quick fix to solve this
> issue, but I would strongly recommend that individual users make edits to
> certain files in order to avoid or limit defacement.

Another easy "fix" is to remove the <img> tag from your allow_tags setting in textSettings.php

-- 
Matthew McNaney
Internet Systems Architect
Electronic Student Services
Appalachian State University
Phone: 828-262-6493
http://phpwebsite.appstate.edu
http://ess.appstate.edu
From: Shaun M. <sh...@ae...> - 2004-09-02 22:04:45
On 2 Sep 2004, at 18:00, Matthew McNaney wrote:

>> On the surface it doesn't seem like there would be a quick fix to
>> solve this
>> issue, but I would strongly recommend that individual users make
>> edits to
>> certain files in order to avoid or limit defacement.
>
> Another easy "fix" is to remove the <img> tag from your allow_tags
> setting in textSettings.php

Slightly limiting perhaps. ;-)

How about getting that two level textSettings hack Eloi? did into the code asap so that at least admins can use the full complement of tags and we can lock out all html tags from normal users leaving them just with BBCode? That would solve a great many of these types of security issues.

Shaun
aegis design - http://www.aegisdesign.co.uk
From: Matthew M. <ma...@tu...> - 2004-09-03 11:57:21
> we can lock out all html tags from normal users leaving them just
> with BBCode? That would solve a great many of these types of security
> issues.

Quick note: the hack works with BBCode as well

[img]index.php?module=users&doevil=1[/img]

-- 
Matthew McNaney
Internet Systems Architect
Electronic Student Services
Appalachian State University
Phone: 828-262-6493
http://phpwebsite.appstate.edu
http://ess.appstate.edu
From: Shaun M. <sh...@ae...> - 2004-09-03 13:47:16
On 3 Sep 2004, at 12:54, Matthew McNaney wrote:

>> we can lock out all html tags from normal users leaving them just
>> with BBCode? That would solve a great many of these types of security
>> issues.
>
> Quick note: the hack works with BBCode as well
> [img]index.php?module=users&doevil=1[/img]

Oh well, there goes that plan.

Does this mean the PEAR HTML_BBCodeParser needs changing or are the security changes to go into phpwebsite enough?

In the meantime, in /conf/BBCodeParser.ini

filters = Basic,Extended,Links,Images,Lists,Email

needs to change to

filters = Basic,Extended,Links,Lists,Email

to block out image [img] tags.

Shaun
aegis design - http://www.aegisdesign.co.uk
From: Jim W. <spi...@us...> - 2004-09-03 13:29:34
Matthew McNaney said:
> > we can lock out all html tags from normal users leaving them just
> > with BBCode? That would solve a great many of these types of security
> > issues.
>
> Quick note: the hack works with BBCode as well
> [img]index.php?module=users&doevil=1[/img]
>

Hmmmm...it just occurred to me that we could parse and remove "module=" (like an obscene word).

Best,
Jim
From: Shaun M. <sh...@ae...> - 2004-09-03 13:50:16
On 3 Sep 2004, at 14:29, Jim Wilson wrote:
>
> Hmmmm...it just occurred to me that we could parse and remove
> "module=" (like
> an obscene word).
>

If we did, then users wouldn't be able to create links or images that included module=, so no links to stuff on your own site or to other phpwebsite sites as well as quite possibly on other CMS systems that have module= in the url.

Shaun
aegis design - http://www.aegisdesign.co.uk
From: Jim W. <spi...@us...> - 2004-09-03 14:52:22
Shaun Murray said:
>
> On 3 Sep 2004, at 14:29, Jim Wilson wrote:
> >
> > Hmmmm...it just occurred to me that we could parse and remove
> > "module=" (like
> > an obscene word).
> >
>
> If we did, then users wouldn't be able to create links or images that
> included module=, so no links to stuff on your own site or to other
> phpwebsite sites as well as quite possibly on other CMS systems that
> have module= in the url.
>

Oh right...but of course such links are a potential security issue since a low tech admin could unknowingly click on a posted link that executes something bad. This might be the worse of two evils decision for some installations. Maybe parsing for a list of the op values (e.g. "=delete") would be better.

Best,
Jim
From: Ulf H. <U1...@ul...> - 2004-10-04 15:16:45
Hi,

quick question:
say one would want to build a full-text index into document manager leveraging a file system search functionality.
Would that make sense?
Has anybody ever done this?
How would you do it?

Of course, parsing all docs into a blob upon load would work - but I don't think that would be sexy enough. ;)
Server would be either linux or win....

Cheers
Ulf
From: Shaun M. <sh...@ae...> - 2004-10-05 13:07:57
On 4 Oct 2004, at 16:16, Ulf Hallmann wrote:
>
> Hi,
>
> quick question:
> say one would want to build a full-text index into document manager
> leveraging a file system search functionality.
> Would that make sense?
> Has anybody ever done this?
> How would you do it?
>
> Of course, parsing all docs into a blob upon load would work - but I
> don't think that would be sexy enough. ;)
> Server would be either linux or win....

The docs would have to be text files unless you've some way of parsing Word or PDF or whatever. There are various tools for that already on Linux at least that I know of. You'd not want to search all file types.

Maybe do it via an existing tool like htdig?

Shaun
aegis design - http://www.aegisdesign.co.uk
From: Ulf H. <U1...@ul...> - 2004-10-14 09:13:54
>> say one would want to build a full-text index into document manager
>> leveraging a file system search functionality.
>
>> How would you do it?
>>
>> Of course, parsing all docs into a blob upon load would work - but I
>> don't think that would be sexy enough. ;)
>
> The docs would have to be text files unless you've some way of parsing
> Word or PDF or whatever. There are various tools for that already on
> Linux at least that I know of. You'd not want to search all file types.
>
> Maybe do it via an existing tool like htdig?
>

Shaun, thanks a lot for replying.

I guess that one of the various linux tools out there is what I am looking for. htdig would not do the job, as I would like to include pdf, xls, doc files in the search.

In the meantime, I found http://www.site-search-pro.com/order/ - but I am not sure if this is really what I am looking for.

What I am looking for is a simple way to include attached files, such as pdf, xls, doc in the search function of document manager, which is residing on a SUSE linux server.

Any suggestions are greatly appreciated - of course I would be more than happy to feed any results back into document manager code, in case you guys are interested.

Greetings from Munich
Ulf
From: Mike N. <mh...@us...> - 2004-10-14 16:09:20
On Thu, 2004-10-14 at 02:14, Ulf Hallmann wrote:
> What I am looking for is a simple way to include attached files, such
> as pdf, xls, doc in the search function of
> document manager, which is residing on a SUSE linux server.
>
> Any suggestions are greatly appreciated - of course I would be more
> than happy to feed any results back into
> document manager code, in case you guys are interested.

Ulf,
What you're describing sounds like a DMS (Document Management System). There are quite a few examples of this type of application. Popular projects on SourceForge:

http://owl.sourceforge.net/
http://kt-dms.sourceforge.net/
http://www.xinco.org/

-- 
Mike Noyes <mhnoyes at users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs
From: Ulf H. <U1...@ul...> - 2004-10-14 17:20:10
Mike Noyes wrote:
> Ulf,
> What you're describing sounds like a DMS (Document Management System).
> There are quite a few examples of this type of application. Popular
> projects on SourceForge:
>
> http://owl.sourceforge.net/
> http://kt-dms.sourceforge.net/
> http://www.xinco.org/
>

That is correct. The final goal is to have a dms mod for phpws. Do you think this is a bad idea...? ;)

Thanks for the links. I will see if there are some code snippets that can be re-used without re-inventing the wheel.

Ulf
From: Matthew M. <ma...@tu...> - 2004-09-03 13:57:34
On Fri, 2004-09-03 at 09:47, Shaun Murray wrote:
> Does this mean the PEAR HTML_BBCodeParser needs changing or are the
> security changes to go into phpwebsite enough?

They should be enough. The image tag clean up happens after the bb tags are translated into html.

-- 
Matthew McNaney
Internet Systems Architect
Electronic Student Services
Appalachian State University
Phone: 828-262-6493
http://phpwebsite.appstate.edu
http://ess.appstate.edu
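An added Python illustration (not phpWebSite's or PEAR's code) of why the ordering in this reply matters: a stand-in BBCode translator and an <img> filter are run in both orders on the [img] payload quoted earlier in the thread. The regexes, function names and SAMPLE string are this example's own constructions, not the real HTML_BBCodeParser or the allow_tags filter.

```python
import re

# Constructed model of the ordering point: an allow_tags-style HTML filter
# applied BEFORE BBCode translation never sees an [img] tag, because the
# translation turns it into <img> afterwards. All names are this example's own.

BBCODE_IMG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
HTML_IMG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)

def bbcode_to_html(text):
    """Minimal stand-in for the BBCode parser's Images filter."""
    return BBCODE_IMG.sub(lambda m: f'<img src="{m.group(1)}" />', text)

def strip_img_tags(html):
    """Stand-in for taking <img> out of allow_tags: drop every <img> element."""
    return HTML_IMG.sub("", html)

def render_filter_first(text):
    """Wrong order: HTML clean-up first, then BBCode translation."""
    return bbcode_to_html(strip_img_tags(text))

def render_translate_first(text):
    """The order the reply describes: translate BBCode, then clean the HTML."""
    return strip_img_tags(bbcode_to_html(text))

# constructed post mixing the raw <img> form and the [img] form from the thread
SAMPLE = ('hello <img src="index.php?module=users&doevil=1"> '
          '[img]index.php?module=users&doevil=1[/img] bye')

if __name__ == "__main__":
    print("filter first   :", render_filter_first(SAMPLE))     # still has an <img>
    print("translate first:", render_translate_first(SAMPLE))  # no <img> left
```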