
Archived ⇒ The CPG-Nuke security requirements


When you have made any cool content for CPG-Nuke or PHP-Nuke for use in CPG-Nuke, we need you to understand the following "security requirements" or we won't accept your add-on.
Although external posting protection is blocking a lot, we still want you to develop secure code.
  1. Database
     a. The queries may not contain global variables, or these must be checked on their value for intval(), string length and special chars.
     b. If a variable may not contain HTML or PHP, use our Fix_Quotes($var, 1) function to get rid of them.
     c. Only SQL function calls using $db-> are accepted. The old SQL functions like sql_num_rows won't be accepted and are a security breach.

  2. User & Admin
     a. Although the old function still exists to be compatible with old modules, we won't accept files that use the cookiedecode($user) function or decode the $user themselves. Use the global $userinfo instead, which already contains all data of the visitor, member or not.
     b. Never decode $admin, but check if the "admin" really is an admin through is_admin(). is_admin() returns the admin 'aid' (name) if the 'visitor' is an administrator. As of 8.3 and up you can check if the admin is allowed to administer a module by using can_admin('module_name').

  3. File Access
     a. Protect your files against outside calls like /yourfile.php or another script that runs an include/require from another host.
     b. Only calls to CMS files may be made using require_once() or require(), because include() and include_once() don't report absence of the file properly.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Sun Oct 03, 2004 2:58 am; edited 6 times in total
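The requirements above applied to one module file, as an added example (not CPG-Nuke project code). Assumed: the CMS entry point defines a CPG_NUKE constant, $db offers phpBB-style sql_query()/sql_fetchrow(), $prefix holds the table prefix and $userinfo has 'user_id'/'username' keys; $userinfo, is_admin(), can_admin() and Fix_Quotes() are the names from the post.

```php
<?php
// Added example, not CPG-Nuke project code: a module file that follows the
// posted security requirements. Assumptions: CPG_NUKE is defined by the CMS
// entry point, $db offers phpBB-style sql_query()/sql_fetchrow(), $prefix is
// the table prefix, $userinfo carries 'user_id' and 'username'.

// File access: refuse direct calls such as /modules/Example/index.php
if (!defined('CPG_NUKE')) {
    die('You cannot access this file directly');
}

global $db, $userinfo, $prefix;

// Database: never put a raw global into a query. An integer id is cast with
// intval(); a string is length-limited and stripped of HTML/PHP by Fix_Quotes().
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
if ($id < 1) {
    die('Invalid id');
}
$greeting = isset($_POST['greeting']) ? Fix_Quotes(substr($_POST['greeting'], 0, 64), 1) : '';

// Database: only $db-> calls, never the old sql_* functions
$result = $db->sql_query("SELECT title, body FROM {$prefix}_example WHERE id=$id");
$row    = $db->sql_fetchrow($result);
if (!$row) {
    die('No such item');
}

// User: read the visitor from $userinfo instead of cookiedecode($user)
$who = $userinfo['user_id'] ? $userinfo['username'] : 'Anonymous';

// Admin: ask is_admin()/can_admin() instead of decoding $admin
$can_edit = (is_admin() && can_admin('Example'));

// File access: require_once() so a missing CMS file is a fatal error
require_once('header.php');
echo '<h1>' . htmlspecialchars($row['title']) . '</h1>';
echo '<p>Viewing as ' . htmlspecialchars($who) . ' ' . $greeting . '</p>';
if ($can_edit) {
    echo '<a href="?id=' . $id . '&amp;op=edit">Edit</a>';
}
require_once('footer.php');
```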


What about making it work with register_globals=off, and without exporting the $_COOKIE, $_POST, $_GET and other superglobals to variables?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
winXP


That's a massive work which will break our new GoogleTap,
but we are heading that way more and more already.

I know GoogleTap is silly and a webpage is already shown correctly by search engines, but people think GoogleTap works to index their pages better.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial



I know GoogleTap is silly and a webpage is already shown correctly by search engines, but people think googletap works to index their pages better


So I don't need to activate GoogleTap? Here's my situation: my host (prodigy.mx) didn't install mod_rewrite for Apache nor ISAPI_Rewrite for IIS, so I was thinking of changing my host for correct indexing of my site, but I read this and it is a different thing now.

Can I be at peace about my indexing issue?

thanks in advance

FEEL FREE TO VISIT ME AT

WWW.DISHLATINO.NET

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
XP/IIS/MYSQL/PHP 4


www.google.com/search?...tnG=Search

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Erm, the correct way to see how many pages Google has spidered and accepted is by doing the following:

www.google.com/search?...pgnuke.com

For those who want to see their own site, do the following in Google.

Type in the search field the following:
allinurl:yourdomain.com site:www.yourdomain.com (Of course, change yourdomain.com to your domain.)

Btw DJ Maze, why isn't it that with GoogleTap, gt-nextgen, spiders index it better? I think it does, but probably only because the file names are shorter. (Instead of modules.php?name=Forums or index.php?name=Forums you will probably have forums.html)

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.29/4.0.18-standard/4.3.4


Thanks, that helps a lot.

extreme newbie

FEEL FREE TO VISIT ME AT

WWW.DISHLATINO.NET

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
XP/IIS/MYSQL/PHP 4


I'm not sure that it's the length that bothers search engines (DJ already demonstrated this on previous forum), so much as the use of '?'.

The other area where it definitely helps is when you use GT to make multi level sub-directories seem to be root directory files - this means you have a better chance of getting 'deep indexed' a lot sooner.

GT is not just for 'phpnuke' sites - I also use it on non-nuke sites and it does make a big difference.

The other aspect is that it helps when you cross-reference sites - it's much easier to type site2.com/file.html as a link on site1.com than something that is 200 characters long, e.g. when you want to submit your links to other sites.

Having just done this, I'm not sure if this discussion should be attached here.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu/Apache 2.2.22/MySQL 5.6.34/PHP 7.1.22/DragonFly 10.0.48.9418


OK, I've opened a new forum in our second forum for the GoogleTap feature in CPG-Nuke: cpgnuke.com/index.php?...um&f=9

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Hi, I am thinking of releasing some scripts for CPG-Nuke and was wondering if you could just clear up 3 things for me.
Before any try to decode $admin, check if "admin" really is an admin through is_admin($user), and then decode the data to another variable, not $admin itself.

I didn't quite understand this; is it supposed to be is_admin($user) and not is_admin($admin)? If this is correct, could you explain why?
Be sure echoed variables are set internally and don't use global variables that could be set through a POST or GET command to echo, for example: $nukeuser[1]

I didn't understand that; would you be able to explain, possibly with an example of what to do and what not to do?
Protect your files against outside calls like /yourfile.php or another script that runs an include from another host.
Again I didn't understand what you wanted done here; would you be able to explain this as well, again with an example?

Thanks very much, I just want to make sure that I am coding it the way you want it done.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Why is this not allowed to be blank?


Yeah, it should be is_admin($admin); I typed it wrong.

For example you have a $_POST[] and people use echo $_POST[];
before you do that, run a proper check of what the $_POST should contain.
For example: htmlspecialchars($_POST[]) or intval($_POST[]); this will prevent people inserting malicious code into the database or output.

About XSS:
say you have a variable $file and then you run include($file); be sure $file can't be set through $_GET or $_POST, or if it must, then check the variable:
ereg('\.\.', $file)
ereg(':', $file)

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial
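The include($file) check from the reply above, as an added example (not DJ Maze's or the project's code): the '..' and ':' tests plus the whitelist and realpath() containment a reviewer would add; preg_match() replaces ereg(), which PHP 7 no longer has. The scratch directory, file names and whitelist are constructed for the demo.

```php
<?php
// Added example, not DJ Maze's or the project's code. Turns the two checks in
// the reply (reject '..' and ':' before include($file)) into one function and
// adds the guards that belong with them. preg_match() stands in for ereg().

// Returns the absolute path to include, or false if $file must not be included.
function safe_include_path($file, $base, array $allowed)
{
    $file = (string) $file;
    if ($file === '' || strpos($file, "\0") !== false) return false; // empty / null byte
    if (preg_match('/\.\./', $file)) return false;            // ../../config.php
    if (preg_match('/:/', $file)) return false;               // http://, php://, C:\
    if ($file[0] === '/' || $file[0] === '\\') return false;  // absolute path
    if (!in_array($file, $allowed, true)) return false;       // not on the whitelist
    $real = realpath($base . '/' . $file);
    $root = realpath($base);
    if ($real === false || $root === false) return false;     // missing file or dir
    // realpath() resolved symlinks; the result must still sit under $base
    return strpos($real, $root . DIRECTORY_SEPARATOR) === 0 ? $real : false;
}

// Constructed demo: a scratch "modules" directory holding one legitimate file.
$base = sys_get_temp_dir() . '/cpg_include_demo';
if (!is_dir($base)) mkdir($base);
file_put_contents($base . '/news.php', "<?php echo \"news loaded\\n\";\n");

$allowed    = array('news.php', 'forums.php');
$candidates = array(
    'news.php',                     // ok
    '../news.php',                  // traversal
    'http://example.invalid/x.php', // remote include
    'admin.php',                    // not whitelisted
);
foreach ($candidates as $f) {
    $path = safe_include_path($f, $base, $allowed);
    echo str_pad($f, 32), ($path === false ? 'rejected' : 'ok'), "\n";
    if ($path !== false) {
        include($path);
    }
}
```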


Thanks

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Why is this not allowed to be blank?


Dashe, If you are rewriting your scripts JAG_Online and JAG_virus, let me know and I can remove my download of the versions I released for cpg.

Mommy What's a Grebo???

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
?
