after installation cmsimple 4.0.3

Questions about how to install and problems installing - please read the documentation first!
cmb
Posts: 13341
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: after installation cmsimple 4.0.3

Post by cmb » Tue Dec 11, 2012 1:11 pm

Somebody has tried to hack the site :shock:

Kidding aside: a nice example of an XSS attack, even if it is totally harmless in this case.
Gert wrote: I will send you the new servertest.php by PM,
AISB, a simple phpinfo() will suffice.
Gert wrote: A further reason to use $_SERVER['SCRIPT_NAME'] ...
And to avoid $_GET, $_POST and $_COOKIE altogether?
Christoph M. Becker – Plugins for CMSimple_XH

Gert
Posts: 3075
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin
Contact:

Re: after installation cmsimple 4.0.3

Post by Gert » Tue Dec 11, 2012 1:44 pm

cmb wrote: Somebody has tried to hack the site :shock:
Yes, it was Holger :lol:

Follow the link and have a look at the browser address line,

Gert
Gert Ebersbach | CMSimple | Templates - Plugins - Services

Holger
Site Admin
Posts: 3212
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany
Contact:

Re: after installation cmsimple 4.0.3

Post by Holger » Tue Dec 11, 2012 1:53 pm

Gert wrote: Yes, it was Holger :lol:
Hehe, but you've updated your script... Too bad, now the nice alert() is gone :( .

Ok, I only wanted to show that strange behavior of PHP_SELF... and that SCRIPT_NAME isn't vulnerable that way.

So back to topic.

KR
Holger
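Added example (not code from the thread or from CMSimple) showing the PHP_SELF behaviour Holger refers to. On Apache with mod_php a request for /servertest.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E still executes servertest.php, and the decoded trailing part arrives as PATH_INFO; PHP_SELF is SCRIPT_NAME plus that PATH_INFO, so it carries the attacker's quote and tags. The $server array below is a constructed stand-in for $_SERVER so the script runs from the CLI; the form_* function names are this example's own.

```php
<?php
// Constructed request data standing in for $_SERVER (values as Apache/mod_php
// would set them for the request shown in the lead-in).
$server = [
    'SCRIPT_NAME' => '/servertest.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
];
// PHP_SELF = script path + decoded path info, which is where the payload comes from.
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

// Vulnerable: the classic self-posting form with PHP_SELF written raw into HTML.
// The attacker's '">' closes the attribute and the tag, and the <script> runs.
function form_vulnerable(array $s): string
{
    return '<form action="' . $s['PHP_SELF'] . '" method="post">';
}

// Hardened, option 1: SCRIPT_NAME is the resolved script path only and never
// contains path info, so there is nothing attacker-controlled to reflect.
// Encoding it anyway costs nothing.
function form_script_name(array $s): string
{
    return '<form action="' . htmlspecialchars($s['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8')
        . '" method="post">';
}

// Hardened, option 2: keep PHP_SELF but encode on output. The quote and angle
// brackets become entities and can no longer break out of the attribute.
function form_encoded(array $s): string
{
    return '<form action="' . htmlspecialchars($s['PHP_SELF'], ENT_QUOTES, 'UTF-8')
        . '" method="post">';
}

echo "vulnerable:  ", form_vulnerable($server), PHP_EOL;
echo "SCRIPT_NAME: ", form_script_name($server), PHP_EOL;
echo "encoded:     ", form_encoded($server), PHP_EOL;
```

Run it with `php php_self_demo.php`: the first line shows the injected script tag inside the markup, the second shows a clean /servertest.php action, and the third shows the payload neutralised as &quot;&gt;&lt;script&gt;...; both hardened variants are safe, but SCRIPT_NAME is the better default because the dangerous data never enters the page in the first place.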

Gert
Posts: 3075
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin
Contact:

Re: after installation cmsimple 4.0.3

Post by Gert » Tue Dec 11, 2012 1:58 pm

Holger wrote: Ok, I only wanted to show that strange behavior of PHP_SELF... and that SCRIPT_NAME isn't vulnerable that way.
Yes, I know (but I had forgotten it in this case):

http://blog.oncode.info/2008/05/07/php_ ... pting-xss/

Gert
Gert Ebersbach | CMSimple | Templates - Plugins - Services

cmb
Posts: 13341
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: after installation cmsimple 4.0.3

Post by cmb » Tue Dec 11, 2012 2:37 pm

Holger wrote: So back to topic.
Good idea. I just found some time to read the (hopefully) relevant part of the mentioned CGI spec:
The SCRIPT_NAME variable MUST be set to a URI path (not URL-encoded) which could identify the CGI script
So when calling http://www.haptonomiedommelen.nl/ SCRIPT_NAME has to be "/servertest.php", as http://www.haptonomiedommelen.nl/hapton ... ertest.php would lead nowhere. But wait! How can we make assumptions about SERVER_NAME? If SERVER_NAME is "http://www.praktijkdommelen.nl/", then SCRIPT_NAME has to be "/haptonomiedommelen/servertest.php" :!: So the test script should at least be extended to output SERVER_NAME, which is quite likely to confirm my assumption that SERVER_NAME is indeed "http://www.praktijkdommelen.nl/". So far this would be fine according to the CGI 1.1 specification. And even the setting of CMSIMPLE_ROOT seems to be correct in this case (this has to be double-checked).

The problem is the cookies. These are set by the browser for the domain that was browsed (the HTTP Host). As this is still http://www.haptonomiedommelen.nl/, the cookie path has to be "/", so CMSIMPLE_ROOT is not appropriate in this case.

Something to consider!
PHP_SELF is evil! Potential cross-site scripting (XSS)!
<CYNICAL>So I state: $_GET, $_POST, $_COOKIE are evil too, and have to be strictly avoided! I strongly suggest we remove these variables from the core of CMSimple. This will render CMSimple useless---but at least it doesn't allow for XSS!</CYNICAL>

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
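Added example (not code from the thread or from CMSimple) of the cookie problem Christoph describes: when a domain is rewritten internally into a subfolder, SCRIPT_NAME names the subfolder the server executed, but the browser only knows the path it requested, and it only sends a cookie back when the cookie path is a prefix of that request path. The two $_SERVER snapshots are constructed for this example, with REQUEST_URI as Apache keeps it (the original request, unaffected by an internal rewrite); the function names are this example's own.

```php
<?php
// Constructed $_SERVER snapshots for the two situations in the thread.

// Direct hosting: the domain points at public_html itself.
$direct = [
    'HTTP_HOST'   => 'www.praktijkdommelen.nl',
    'REQUEST_URI' => '/servertest.php',
    'SCRIPT_NAME' => '/servertest.php',
];

// Rewritten hosting: the browser asks for /servertest.php on the second domain,
// an .htaccess rewrite maps it internally to /haptonomiedommelen/servertest.php.
$rewritten = [
    'HTTP_HOST'   => 'www.haptonomiedommelen.nl',
    'REQUEST_URI' => '/servertest.php',
    'SCRIPT_NAME' => '/haptonomiedommelen/servertest.php',
];

// Turn a directory name into a cookie path ("/" or "/dir/").
function as_cookie_path(string $dir): string
{
    return ($dir === '/' || $dir === '\\' || $dir === '.') ? '/' : $dir . '/';
}

// What CMSIMPLE_ROOT-style code derives: the folder of the script the server ran.
function path_from_script_name(array $s): string
{
    return as_cookie_path(dirname($s['SCRIPT_NAME']));
}

// What the browser can actually match: the folder of the URL it requested.
// REQUEST_URI survives an internal rewrite; the query string is stripped first.
function path_from_request_uri(array $s): string
{
    $path = parse_url($s['REQUEST_URI'], PHP_URL_PATH) ?? '/';
    return as_cookie_path(dirname($path));
}

// RFC 6265 path-match for a cookie path that ends in "/": the cookie is sent
// only if its path is a prefix of the request path.
function cookie_would_be_sent(string $cookiePath, string $requestPath): bool
{
    return strncmp($requestPath, $cookiePath, strlen($cookiePath)) === 0;
}

foreach (['direct' => $direct, 'rewritten' => $rewritten] as $label => $s) {
    $requestPath = parse_url($s['REQUEST_URI'], PHP_URL_PATH) ?? '/';
    foreach (['SCRIPT_NAME' => path_from_script_name($s),
              'REQUEST_URI' => path_from_request_uri($s)] as $source => $cookiePath) {
        printf("%-9s %s -> cookie path %-22s browser sends it back: %s\n",
            $label, $source, $cookiePath,
            cookie_would_be_sent($cookiePath, $requestPath) ? 'yes' : 'no');
    }
}
```

For the direct case both derivations give "/" and the cookie comes back. For the rewritten case the SCRIPT_NAME derivation yields "/haptonomiedommelen/", which never prefixes the "/servertest.php" the browser requested, so the cookie is set but never returned (a login that silently does not stick); the REQUEST_URI derivation yields "/" and works. That is the concrete reason a cookie path must follow the browser-visible URL rather than the filesystem-derived root.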

roze
Posts: 230
Joined: Tue Jun 03, 2008 7:13 am
Location: NL
Contact:

Re: after installation cmsimple 4.0.3

Post by roze » Tue Dec 11, 2012 2:39 pm

The answer from my provider:

CMSimple works with absolute paths, which conflicts with the redirection that was set up for praktijkdommelen.nl in Domain Name Management.

CMSimple can therefore only be used on a website that you run in the public_html folder, and is therefore less suitable for use on packages with multiple domain names.

You can tell CMSimple that you are running into this "limitation" and that your domain name has been redirected to a subfolder via .htaccess with mod_rewrite. Perhaps the developers of the software know of a solution for this.

My translation:

CMSimple works with absolute paths. Therefore it conflicts with the referring to "praktijkdommelen.nl" in your domain management.
You can only use CMSimple on a website in the folder public_html (= the main folder) and it is not suitable for packages with more domain names.
You can tell the CMSimple developers that you see this limitation and that your domain name with .htaccess with remote is directed to a sub-folder. Perhaps the developers have a solution for this.
Rob Zeijen,

Valkenswaard (NL)

Gert
Posts: 3075
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin
Contact:

Re: after installation cmsimple 4.0.3

Post by Gert » Tue Dec 11, 2012 2:51 pm

your provider wrote: You can only use CMSimple on a website in the folder public_html (= the main folder) and it is not suitable for packages with more domain names.
Maybe it is so on webspaces of your provider :roll:

I'm working on many webspaces for my customers, and I also have many domains on my webspace in subfolders, and CMSimple works, here again:

http://www.ge-webdesign.de/kstb/servertest.php

http://www.kstb.de/servertest.php

My "kstb" is your "haptonomiedommelen".
your provider wrote: You can tell the CMSimple developers that you see this limitation and that your domain name with .htaccess with remote is directed to a sub-folder.
It seems that your webspace does not really have multi-domain capability; is it a free hoster?

Gert
Last edited by Gert on Tue Dec 11, 2012 3:03 pm, edited 2 times in total.
Gert Ebersbach | CMSimple | Templates - Plugins - Services

cmb
Posts: 13341
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: after installation cmsimple 4.0.3

Post by cmb » Tue Dec 11, 2012 3:05 pm

Hi Rob,
roze wrote: You can tell CMSimple that you are running into this "limitation" and that your domain name has been redirected to a subfolder via .htaccess with mod_rewrite. Perhaps the developers of the software know of a solution for this.
This might be better translated as:
You can tell the CMSimple developers that you see this limitation and that your domain name with .htaccess with mod_rewrite is directed to a sub-folder. Perhaps the developers have a solution for this.
(mod_rewrite is an Apache web server module which allows URL rewriting)

This confirms my assumptions, and enables me to simulate this kind of redirect and to test CMSimple_XH and some plugins. I'm quite sure that there are some problems that should be solved---and hopefully can be.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

Gert
Posts: 3075
Joined: Fri May 30, 2008 4:53 pm
Location: Berlin
Contact:

Re: after installation cmsimple 4.0.3

Post by Gert » Tue Dec 11, 2012 3:20 pm

Hi Rob,

I'm sure your webspace does not really have multi-domain capability; that's the reason for forwarding the domain by .htaccess.

A solution for your problem could be to define CMSIMPLE_ROOT like CMSIMPLE_BASE in cms.php:

define('CMSIMPLE_ROOT', $pth['folder']['base']);
define('CMSIMPLE_BASE', $pth['folder']['base']); 
But CMSIMPLE_ROOT is made for absolute references; maybe some plugins have problems with such a definition of CMSIMPLE_ROOT, but I don't believe so.

And I will not make it the standard. Whoever wants to operate multiple domains on his webspace should look for webspace with real multi-domain capability,

Gert
Gert Ebersbach | CMSimple | Templates - Plugins - Services

roze
Posts: 230
Joined: Tue Jun 03, 2008 7:13 am
Location: NL
Contact:

Re: after installation cmsimple 4.0.3

Post by roze » Tue Dec 11, 2012 4:23 pm

Gert wrote: I'm sure your webspace does not really have multi-domain capability; that's the reason for forwarding the domain by .htaccess.

I'll ask the provider to advise me in making solo-domain-spaces.
Rob Zeijen,

Valkenswaard (NL)
