DJ Maze
Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
Subject: The CPG-Nuke security requirements Posted: Mon Apr 19, 2004 7:24 pm
When you have made any cool content for CPG-Nuke, or for PHP-Nuke for use in CPG-Nuke, we need you to understand the following "security requirements" or we won't accept your add-on.
Although external posting protection is blocking a lot, we still want you to develop secure code.

Database
- The queries may not contain global variables, or the variables must be checked on their value with intval(), string length and special chars.
- If a variable may not contain HTML or PHP, use our Fix_Quotes($var, 1) function to get rid of them.
- Only SQL function calls using $db-> are accepted. The old SQL functions like sql_num_rows won't be accepted and are a security breach.

User & Admin
- Although the old function still exists to be compatible with old modules, we won't accept files that use the cookiedecode($user) function or decode $user themselves. Use the global $userinfo instead, which already contains all data of the visitor, member or not.
- Never decode $admin; check if the "admin" really is an admin through is_admin(). is_admin() returns the admin 'aid' (name) if the 'visitor' is an administrator. As of 8.3 and up you can check if the admin is allowed to administer a module by using can_admin('module_name').

File Access
- Protect your files against outside calls like /yourfile.php or another script that runs an include/require from another host.
- Only calls to CMS files may be made using require_once() or require(), because include() and include_once() don't report absence of the file properly.
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS
Last edited by DJ Maze on Sun Oct 03, 2004 2:58 am, edited 6 times in total
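The three requirement groups above (Database, User & Admin, File Access) in one minimal module file, as an added example that is not code from the thread or from the CPG-Nuke project. Fix_Quotes(), is_admin(), can_admin() and $userinfo are the names the post gives; the CPG_NUKE marker constant, the $db->sql_query()/$db->sql_fetchrow() methods, the $prefix table prefix, the 'user_id' key in $userinfo and the table names are assumptions made for the example.

```php
<?php
// Added example, not CPG-Nuke project code. Assumed names: the CPG_NUKE constant
// (defined by the CMS before it require_once()s a module), $db->sql_query() and
// $db->sql_fetchrow(), the $prefix table prefix and $userinfo['user_id'].

// File Access: a direct request for /modules/Example/index.php stops here, because
// only the CMS front controller defines the marker constant.
if (!defined('CPG_NUKE')) {
    exit;
}

global $db, $prefix, $userinfo;

// Database: decide what each request variable may contain before it nears a query.
$topic_id = isset($_GET['topic']) ? intval($_GET['topic']) : 0;      // numeric only
$comment  = isset($_POST['comment']) ? trim($_POST['comment']) : '';
if (strlen($comment) > 1000) {                                         // length bound
    $comment = substr($comment, 0, 1000);
}
$comment = Fix_Quotes($comment, 1);   // CPG-Nuke helper from the post: strips HTML/PHP
// Quote escaping for the SQL string literal; whether Fix_Quotes() already escapes
// quotes is not stated in the thread, so it is done explicitly here.
$comment_sql = addslashes($comment);

// Only $db-> calls; the old procedural sql_* wrappers are not accepted.
$result = $db->sql_query("SELECT title, body FROM {$prefix}_example WHERE topic_id = $topic_id");
while ($row = $db->sql_fetchrow($result)) {
    // Never echo a value straight from a global; escape at output time.
    echo '<h3>' . htmlspecialchars($row['title'], ENT_QUOTES) . '</h3>';
    echo '<p>'  . htmlspecialchars($row['body'],  ENT_QUOTES) . '</p>';
}

// User: no cookiedecode($user); the CMS has already filled $userinfo.
if (intval($userinfo['user_id']) > 1 && $comment !== '') {
    $db->sql_query("INSERT INTO {$prefix}_example_comments (topic_id, user_id, body)
                    VALUES ($topic_id, " . intval($userinfo['user_id']) . ", '$comment_sql')");
}

// Admin: never decode $admin yourself. is_admin() returns the admin 'aid' (name)
// when the visitor is an administrator; can_admin() (8.3 and up) scopes it to this module.
$aid = is_admin();
if ($aid && can_admin('Example') && isset($_POST['delete'])) {
    $del_id = intval($_POST['delete']);
    $db->sql_query("DELETE FROM {$prefix}_example_comments WHERE id = $del_id");
}
```

The guard at the top is what the "File Access" item asks for: a module file that is reachable only through the CMS, which has already set up $db and $userinfo, so the module never has to decode cookies itself.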
nomaed
Joined: Apr 20, 2004 Posts: 10
Subject: Re: The CPG-Nuke security requirements Posted: Wed Apr 21, 2004 11:14 am
What about making it work with register_globals=off, and without exporting the $_COOKIE, $_POST, $_GET and other superglobals to variables?
nomaed's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) winXP
DJ Maze
Subject: Re: The CPG-Nuke security requirements Posted: Wed Apr 21, 2004 12:48 pm
That's a massive work which will break our new GoogleTap, but we are heading that way more and more already.
I know GoogleTap is silly and a webpage is already shown correctly by search engines, but people think GoogleTap works to index their pages better.
TRANCEBUDHA
Joined: Apr 21, 2004 Posts: 40
Subject: Re: The CPG-Nuke security requirements Posted: Thu Apr 22, 2004 6:47 pm
Quote:
I know GoogleTap is silly and a webpage is already shown correctly by search engines, but people think GoogleTap works to index their pages better
So I don't need to activate GoogleTap? Here's my situation: my host (prodigy.mx) didn't install for me the mod_rewrite for Apache nor the ISAPI_Rewrite for IIS, so I was thinking of changing my host for correct indexing of my site, but I read this and it is a different thing now.
Can I be peaceful about my indexing issue?
Thanks in advance
_________________ FEEL FREE TO VISIT ME AT
WWW.DISHLATINO.NET
TRANCEBUDHA's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) XP/IIS/MYSQL/PHP 4
DJ Maze
Subject: Re: The CPG-Nuke security requirements Posted: Thu Apr 22, 2004 7:12 pm
www.google.com/search?...tnG=Search
_________________ There are two paths, the short one and the long one.
When you choose the short path you will notice it takes longer than the long path.
So READ the FAQ and Wiki first
anor
Joined: Apr 22, 2004 Posts: 4
Subject: Re: The CPG-Nuke security requirements Posted: Thu Apr 22, 2004 7:31 pm
Erm, the correct way to see how many pages Google has spidered and accepted is by doing the following:
www.google.com/search?...pgnuke.com
For those who want to see their own site, do the following in Google.
Type in the search field the following:
allinurl:yourdomain.com site:www.yourdomain.com (Of course change yourdomain.com to your domain).
Btw DJ Maze, why isn't it that with GoogleTap / GT-NextGen, spiders index it better? I think it does, but probably only because the file names are shorter. (Instead of modules.php?name=Forums or index.php?name=Forums you will probably have forums.html)
anor's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux/1.3.29/4.0.18-standard/4.3.4
TRANCEBUDHA
Subject: Re: The CPG-Nuke security requirements Posted: Thu Apr 22, 2004 7:48 pm
Thanks, that helps a lot.
Extreme newbie
Phoenix
Joined: Apr 19, 2004 Posts: 8723 Location: Netizen
Subject: Re: The CPG-Nuke security requirements Posted: Fri Apr 23, 2004 1:33 am
I'm not sure that it's the length that bothers search engines (DJ already demonstrated this on the previous forum), so much as the use of '?'.
The other area where it definitely helps is when you use GT to make multi-level sub-directories seem to be root-directory files; this means you have a better chance of getting 'deep indexed' a lot sooner.
GT is not just for 'phpnuke' sites; I also use it on non-Nuke sites and it does make a big difference.
The other aspect is that it helps when you cross-reference sites: it's much easier to type site2.com/file.html as a link on site1.com than something that is 200 characters long, e.g. when you want to submit your links to other sites.
Having just done this, I'm not sure if this discussion should be attached here.
_________________ • DonationsPro for DragonflyCMS, SMF, MyBB, vBulletin •
Phoenix's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
DJ Maze
Subject: Re: The CPG-Nuke security requirements Posted: Fri Apr 23, 2004 1:41 am
Ok, I've opened a new forum in our second forum for the GoogleTap feature in CPG-Nuke: cpgnuke.com/index.php?...um&f=9
Dashe
Joined: May 11, 2004 Posts: 8 Location: Ireland
Subject: Re: The CPG-Nuke security requirements Posted: Thu May 20, 2004 11:02 am
Hi, I am thinking of releasing some scripts for CPG-Nuke and was wondering if you could just clear up 3 things for me.
DJMaze wrote:
Before any try to decode $admin, check if "admin" really is an admin through is_admin($user), and then decode the data to another variable, not $admin itself.
I didn't quite understand this. Is it supposed to be is_admin($user) and not is_admin($admin)? If this is correct, could you explain why?
DJMaze wrote:
Be sure echoed variables are set internally and don't use global variables that could be set through a POST or GET command to echo, for example: $nukeuser[1]
I didn't understand that. Would you be able to explain, possibly with an example of what to do and what not to do?
DJMaze wrote:
Protect your files against outside calls like /yourfile.php or another script that runs an include from another host.
Again I didn't understand what you wanted done here. Would you be able to explain this as well, again with an example?
Thanks very much, just want to make sure that I am coding it the way you want it done.
Dashe's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Why is this not allowed to be blank?
DJ Maze
Subject: Re: The CPG-Nuke security requirements Posted: Thu May 20, 2004 11:36 am
Yeah, it should be is_admin($admin); I typed it wrong.
For example, you have a $_POST[] and people use it. Before you do that, run a proper check of what the $_POST should contain.
For example: htmlspecialchars($_POST[]) or intval($_POST[]). This will prevent people inserting malicious code into the database or output.
About XSS:
Say you have a variable $file and then you run include($file). Be sure $file can't be set through $_GET or $_POST, or if it must, then check the variable:
ereg('\.\.', $file)
ereg(':', $file)
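The two checks DJ Maze gives for a request-controlled $file (reject ".." and ":") and the $_POST normalisation he describes, plus the require_once() rule from the first post, as an added example that is not code from the thread or from CPG-Nuke. The PAGE_DIR directory, the allowed-page list and the sample inputs are constructed for the demo; the ereg() calls from the post are written with preg_match() because ereg() was removed in PHP 7.

```php
<?php
// Added example, not code from the thread or from CPG-Nuke. PAGE_DIR and the
// $allowed list are constructed for the demo.

define('PAGE_DIR', dirname(__FILE__) . '/pages');

// Returns the path a module may require_once(), or false when the request is refused.
function resolve_page($requested)
{
    // The checks from the post: no parent-directory hops, no drive letters or URL
    // schemes (preg_match() stands in for ereg('\.\.', $file) and ereg(':', $file)).
    if (preg_match('/\.\./', $requested)) {
        return false;
    }
    if (preg_match('/:/', $requested)) {
        return false;
    }

    // Stricter than the post: only a bare file name from a fixed list is accepted,
    // so the request can never name a file the module did not intend to load.
    static $allowed = array('news', 'faq', 'contact');   // constructed list
    $name = basename($requested);
    if (!in_array($name, $allowed, true)) {
        return false;
    }

    // The caller uses require_once($path), not include(): a missing file is then a
    // reported error instead of a silently skipped include.
    return PAGE_DIR . '/' . $name . '.php';
}

// Request variables: decide what each one should contain before it is used.
function read_request($post)
{
    return array(
        'id'   => isset($post['id'])   ? intval($post['id']) : 0,                        // numeric only
        'name' => isset($post['name']) ? htmlspecialchars($post['name'], ENT_QUOTES) : '', // safe to echo
    );
}

// Constructed inputs for a stand-alone run (php this_file.php).
$samples = array('faq', '../config.php', 'http://other-host.example/x', 'news', 'contact/../faq');
foreach ($samples as $s) {
    $r = resolve_page($s);
    printf("%-30s -> %s\n", $s, $r === false ? 'refused' : 'require_once ' . $r);
}
var_dump(read_request(array('id' => '12abc', 'name' => '<b>x</b>')));
```

Running the demo shows 'faq' and 'news' resolving to a path under PAGE_DIR and the other three inputs refused; the var_dump shows 'id' reduced to the integer 12 and the tags in 'name' turned into entities, which is the "check what the $_POST should contain" step applied before any echo or query.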
Dashe
Subject: Re: The CPG-Nuke security requirements Posted: Thu May 20, 2004 12:37 pm
Thanks
grebo
Joined: Apr 21, 2004 Posts: 116 Location: Vancouver, Canada
Subject: Re: The CPG-Nuke security requirements Posted: Thu May 20, 2004 2:52 pm
Dashe, if you are rewriting your scripts JAG_Online and JAG_virus, let me know and I can remove my download of the versions I released for CPG.
_________________ Mommy What's a Grebo???
grebo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) ?