The CPG-Nuke security requirements
-> Announcements
#1: The CPG-Nuke security requirements Author: DJ MazeLocation: http://tinyurl.com/5z8dmv PostPosted: Mon Apr 19, 2004 7:24 pm
    ----
When you have made any cool content for CPG-Nuke or PHP-Nuke for use in CPG-Nuke we need you to understand the following "security requirements" or we won't accept your add-on.
Although external Posting protection is blocking a lot, we still want you to develop secure code.
  1. Database
    1. The queries may not contain global variables or must be checked on their value for intvar(), stringlength and specialchars.
    2. If a variable may not contain HTML or PHP use our Fix_Quotes($var, 1) function to get rid of them.
    3. Only sql function calls using $db-> are accepted. The old sql functions like sql_num_rows won't be accepted and are a security breach.
  2. User & Admin
    1. Although the old function still exists to be compatible with old modules, we won't accept files that use the cookiedecode($user) function or decode the $user themselves. Use the global $userinfo instead which already contains all data of the visitor, member or not.
    2. Never decode $admin but check if the "admin" realy is a admin thru is_admin(). is_admin() returns the admin 'aid' (name) if the 'visitor' is administrator. As of 8.3 and up you can check if the admin is allowed to administer a module by using can_admin('module_name').
  3. File Access
    1. Protect your files against outside calls like /yourfile.php or a other script that runs a include/require from another host.
    2. Only calls to cms files may be made using require_once() or require() because include() and include_once() don't report absence of the file properly


Last edited by DJ Maze on Sun Oct 03, 2004 2:58 am; edited 6 times in total
#2: Re: The CPG-Nuke security requirements Author: nomaed PostPosted: Wed Apr 21, 2004 11:14 am
    ----
What about making it work with register_globals=off, and without exporting the $_COOKIE, $_POST, $_GET and other superglobals to variables?
#3: Re: The CPG-Nuke security requirements Author: DJ MazeLocation: http://tinyurl.com/5z8dmv PostPosted: Wed Apr 21, 2004 12:48 pm
    ----
That's a massive work which will break our new GoogleTap,
but we are heading that way more and more already.

I know GoogleTap is silly and a webpage is already shown correctly by search engines, but people think googletap works to index their pages better Confused
#4: Re: The CPG-Nuke security requirements Author: TRANCEBUDHA PostPosted: Thu Apr 22, 2004 6:47 pm
    ----
Quote:

I know GoogleTap is silly and a webpage is already shown correctly by search engines, but people think googletap works to index their pages better

So i dont need to activate the google tap? heres my situation my host (prodigy.mx) didnt install for me the mod_rewrite for apache nor the isapi_rewrite for iis so i was thinking of chaning my host for correct index of my site, but i read this and is a different thing now.

can i be peacefull for my indexing issue?

thanks in advance
#5: Re: The CPG-Nuke security requirements Author: DJ MazeLocation: http://tinyurl.com/5z8dmv PostPosted: Thu Apr 22, 2004 7:12 pm
    ----
www.google.com/search?...tnG=Search
#6: Re: The CPG-Nuke security requirements Author: anor PostPosted: Thu Apr 22, 2004 7:31 pm
    ----
Erm the correct way too see how many pages google has spiderd and accepted is by doing the following:

www.google.com/search?...pgnuke.com

For those who want too see there own site, do the following in google.

Type in the search field the following:
allinurl:yourdomain.com site:www.yourdomain.com (Offcourse change yourdomain.com too your domain Smile ).

Btw Djmaze why isn't that when Googletap, gt-nextgen, spiders index it better? I think it does, but probally only because the file names are shorter. (Instead of modules.php?name=Forums or index.php?name=Forums you will probally have forums.html)
#7: Re: The CPG-Nuke security requirements Author: TRANCEBUDHA PostPosted: Thu Apr 22, 2004 7:48 pm
    ----
thanks that help alot

extreme newbie
#8: Re: The CPG-Nuke security requirements Author: PhoenixLocation: Netizen PostPosted: Fri Apr 23, 2004 1:33 am
    ----
I'm not sure that it's the length that bothers search engines (DJ already demonstrated this on previous forum), so much as the use of '?'.

The other area where it definitely helps is when you use GT to make multi level sub-directories seem to be root directory files - this means you have a better chance of getting 'deep indexed' a lot sooner.

GT is not just for 'phpnuke' sites - I also use it on non-nuke sites and it does make a big difference.

The other aspect is that it helps when you cross-reference sites - it's much easier to type site2.com/file.html as a link on site1.com than something that is 200 characters long e.g. when you want to submit your links to other sites. Cool

Having just done this, I'm not sure if this discussion should be attached here Question
#9: Re: The CPG-Nuke security requirements Author: DJ MazeLocation: http://tinyurl.com/5z8dmv PostPosted: Fri Apr 23, 2004 1:41 am
    ----
Ok i've opened a new forum in our second forum for googletap feature in cpgnuke cpgnuke.com/index.php?...um&f=9
#10: Re: The CPG-Nuke security requirements Author: DasheLocation: Ireland PostPosted: Thu May 20, 2004 11:02 am
    ----
Hi I am thinking of releasing some scripts for CPG-Nuke and was wondering if you could just clear up 3 things for me.
DJMaze wrote:
Before any try to decode $admin check if "admin" realy is a admin thru is_admin($user), and then decode the data to a other variable not $admin itself.
I didnt quite understand this, is is supposed to be is_admin($user) and not is_admin($admin), if this is correct could you explain why?
DJMaze wrote:
Beshure echoed variables are set internal and don't use global variables that could be set thru a POST or GET command to echo for example: $nukeuser[1]
I didnt understand that would you be able to explain possible with and example of what to do and what not to do.
DJMaze wrote:
Protect your files against outside calls like /yourfile.php or a other script that runs a include from another host.
Again I didnt understand what you wanted done here would you be able to explain this as well, again with an example.

Thanks very much, just want to make sure that I am coding it the way you want it done. Smile
#11: Re: The CPG-Nuke security requirements Author: DJ MazeLocation: http://tinyurl.com/5z8dmv PostPosted: Thu May 20, 2004 11:36 am
    ----
Yeah it should be is_admin($admin) i typed it wrong Confused

For example you have a $_POST[] and people use
PHP:
echo $_POST[];
before you do that run a proper check of what the $_POST should contain.
For example: htmlspecialchar($_POST[]) or intval($_POST[]) this will prevent people inserting malicious code into the database or output.

About XSS:
say you have a variable $file and then you run include($file) be shure $file can't be set thru $_GET or $_POST or if it must then check the variable
ereg('\.\.', $file)
ereg(':', $file)
#12: Re: The CPG-Nuke security requirements Author: DasheLocation: Ireland PostPosted: Thu May 20, 2004 12:37 pm
    ----
Thanks
#13: Re: The CPG-Nuke security requirements Author: greboLocation: Vancouver, Canada PostPosted: Thu May 20, 2004 2:52 pm
    ----
Dashe, If you are rewriting your scripts JAG_Online and JAG_virus, let me know and I can remove my download of the versions I released for cpg.
-> Announcements

All times are GMT

Page 1 of 1