Guest (posted May 8, 2010):

I've already deleted the filemanager and define_language files. What about deleting define_mainpage.php?
Guest (posted May 8, 2010):

Richard,

As far as I know, define_mainpage is not a security concern. However, since it is not part of a standard OSC installation, I would not know for sure whether it is vulnerable to hacker attempts or not.

Chris
germ (posted May 8, 2010):

Looking at the code, it appears to me to be just as vulnerable to hack attempts as the other files mentioned. :'(

-- 
If I suggest you edit any file(s), make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Guest (posted May 8, 2010):

Hi Jim,

What contribution is that from?

Chris
germ (posted May 8, 2010):

> Hi Jim, What contribution is that from? Chris

I found it here.

I find it vulnerable because it gets contents supplied via the URL and writes it to a file with absolutely no checking of anything going on.
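An added example, not code from the define_mainpage contribution and not osCommerce's own code, of the pattern germ describes (request text written straight to a file with no checks) next to the checks that close it. The page does not show the contribution's source, so the "unchecked" function is an assumption about its shape only; the directory layout, the `mainpage.txt` file name, the `admin_id` session key, the size limit and the class name are all assumed for illustration.

```php
<?php
// Added example: a hypothetical reconstruction of the unchecked write, followed by a
// hardened version. Not the define_mainpage contribution and not osCommerce code.

// ---- The pattern to avoid (hypothetical; do not deploy) ----
function save_mainpage_unchecked(array $request, string $base_dir): void
{
    // The requester picks both the file name and the contents, and nothing
    // checks who is asking or whether the path stays inside $base_dir.
    $target = $base_dir . '/' . $request['file'];
    file_put_contents($target, $request['content']);
}

// ---- Hardened form ----
// Assumed layout (not from the page): one data file per language at
//   <languagesDir>/<lang>/mainpage.txt
// read back later with file_get_contents(), never include()d, and an admin
// session marked by $_SESSION['admin_id'].
class MainpageStore
{
    private string $languagesDir;
    /** @var string[] */
    private array $allowedLanguages;

    public function __construct(string $languagesDir, array $allowedLanguages)
    {
        $real = realpath($languagesDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("languages dir not found: $languagesDir");
        }
        $this->languagesDir = $real;
        $this->allowedLanguages = $allowedLanguages;
    }

    /** Resolve the single file a request may touch, or throw. */
    public function pathFor(string $lang): string
    {
        // The request supplies a key that is looked up, never a path.
        if (!in_array($lang, $this->allowedLanguages, true)) {
            throw new InvalidArgumentException("unknown language: $lang");
        }
        $dir = realpath($this->languagesDir . '/' . $lang);
        // Even a valid key must resolve inside the languages directory.
        if ($dir === false || strpos($dir, $this->languagesDir . DIRECTORY_SEPARATOR) !== 0) {
            throw new RuntimeException("language dir escapes base: $lang");
        }
        return $dir . '/mainpage.txt';
    }

    /** Write the text for one language; returns the path written. */
    public function save(string $method, array $session, array $post): string
    {
        // 1. Only an authenticated admin may write.
        if (empty($session['admin_id'])) {
            throw new RuntimeException('admin login required');
        }
        // 2. Writes happen on POST only, never from a link or a GET query string.
        if ($method !== 'POST') {
            throw new RuntimeException('POST required');
        }
        $lang = (string)($post['language'] ?? '');
        $text = (string)($post['content'] ?? '');
        // 3. Bound the payload (assumed limit).
        if (strlen($text) > 65536) {
            throw new RuntimeException('content too large');
        }
        $path = $this->pathFor($lang);
        // 4. Atomic replace: a crash mid-write never leaves a half-written file.
        $tmp = tempnam(dirname($path), 'mainpage');
        if ($tmp === false || file_put_contents($tmp, $text) === false || !rename($tmp, $path)) {
            throw new RuntimeException("write failed: $path");
        }
        return $path;
    }
}

// Usage in a request handler (assumed names):
//   $store = new MainpageStore(__DIR__ . '/../includes/languages', ['english', 'german']);
//   $store->save($_SERVER['REQUEST_METHOD'], $_SESSION, $_POST);
```

The point of the hardened version is that the request no longer chooses a path at all: it chooses a key from a fixed list, and the target file name is constant. The session and method checks are what the unchecked pattern lacks entirely, and they belong in the script itself even when the admin directory is also protected at the web-server level.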
Guest (posted May 8, 2010):

Ok, yes, I see it now. That contribution hasn't been updated since 2006 either.

Chris
Mort-lemur (posted May 9, 2010):

Is there any way to fix this?

Thanks

-- 
Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
germ (posted May 9, 2010):

> Is there any way to fix this? Thanks

Rename the admin folder (like you haven't heard that before! :lol: )

Protect the admin with a .htaccess file (^^ :rolleyes: ^^ )

Then in /YOUR_ADMIN_FOLDER_NAME/index.php after this line:

    require('includes/application_top.php');

ADD this code:

    // Mark this session as having passed through the admin index page.
    if ( ! tep_session_is_registered('My_Var_Name') ) {
      $My_Var_Name = 'SmVzdXM=';
      tep_session_register('My_Var_Name');
    }

Then in /YOUR_ADMIN_FOLDER_NAME/define_mainpage.php after this line:

    require('includes/application_top.php');

ADD this code:

    // Send away any request whose session was not marked by index.php, and stop:
    // header() alone does not end the script, so the rest of the file would still run.
    if ( $My_Var_Name != 'SmVzdXM=' ) {
      header("Location: http://www.google.com");
      exit;
    }

You should change the value of $My_Var_Name to something else.
Guest (posted May 9, 2010):

Please explain what your fix accomplishes/does. And should one do this even if one just deletes the define_mainpage.php file?
Mort-lemur (posted May 9, 2010):

Thanks Jim,

Yes, I have changed the admin folder name and used htaccess + all other security mods, but never knew this had a security hole in it.

Applied your fix and it works great - in fact so well that I can't use the define mainpage function now - it redirects me to google!

When you say "You should change the value of $My_Var_Name to something else." do you mean the element SmVzdXM= shown in your code? I think your code as written will only direct the owner to Google?

Thanks
germ (posted May 9, 2010):

The code works for me just as written. I don't have that particular file to protect, but I protected another file. The principle is the same no matter what file you apply it to.

The vulnerability here (if you don't have the admin protected by a .htaccess file) is that files in the admin can be accessed without visiting the login or index page first in the RC versions of osC.

This plugs that hole. It works for me. I don't know what to tell you. :blush:
Mort-lemur (posted May 10, 2010):

Hi Jim,

Checked that I copied the code correctly - and I have.

The protection works great - i.e. requests are sent to google. But when I try to access the define mainpage link from the admin panel, I am also redirected to google.

I'm not a coder at all, and in fact know very little about php, but isn't the statement below telling the system that if the variable My_Var_Name = 'SmVzdXM=' then go to google?

    if ( $My_Var_Name != 'SmVzdXM=' ) {
      header("Location: http://www.google.com");
    }
germ (posted May 10, 2010):

> Hi Jim, Checked that I copied the code correctly - and I have. The protection works great - i.e. requests are sent to google. But when I try to access the define mainpage link from the admin panel, I am also redirected to google. I'm not a coder at all, and in fact know very little about php, but isn't the statement below telling the system that if the variable My_Var_Name = 'SmVzdXM=' then go to google?
>
>     if ( $My_Var_Name != 'SmVzdXM=' ) {
>       header("Location: http://www.google.com");
>     }

No. The code says if $My_Var_Name IS NOT EQUAL TO SmVzdXM= then send the viewer to google.

The only way that theoretically can happen is if you haven't been to the index page first.

If your admin is behind a .htaccess file this code protection isn't necessary.

If you copied the code just as it is, I really can't explain why it's not working for you. :unsure:
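An added example, not germ's posted code and not osCommerce's own API, that restates his two-part gate (index.php marks the session; every other admin script refuses requests that lack the mark) in a form that reads and writes `$_SESSION` directly instead of relying on the session value being copied into a global of the same name, and that stops the script after redirecting, because `header('Location: ...')` on its own does not end execution. Reading the session array directly also removes the path that makes his "change the value" advice necessary: under register_globals, a query-string parameter named `My_Var_Name` can set that global when the session does not already carry it. The function names, the `admin_entry` marker key and the redirect target are assumptions.

```php
<?php
// Added example: a session gate for admin scripts. Not germ's code and not osCommerce code.
// Both functions are meant to be called after application_top.php has started the session.

// Part 1: in index.php, right after require('includes/application_top.php').
// Records that this session reached the admin index page. The marker's value does
// not matter (only its presence in the server-side session does), so a random token
// is used rather than a fixed string that could be copied from a forum post.
function admin_mark_entry(array &$session, string $marker = 'admin_entry'): void
{
    if (!isset($session[$marker])) {
        $session[$marker] = bin2hex(random_bytes(16));
    }
}

// Pure decision, separated from the side effect so it can be reasoned about alone:
// true when the session carries the marker set by index.php.
function admin_entry_present(array $session, string $marker = 'admin_entry'): bool
{
    return isset($session[$marker]) && is_string($session[$marker]) && $session[$marker] !== '';
}

// Part 2: in every other admin script, right after the same require line.
// Sends unmarked requests away AND stops the script; without the exit, the rest of
// the file (including any write it performs) would still run after the redirect.
function admin_require_entry(array $session, string $marker = 'admin_entry', string $redirect = '/'): void
{
    if (!admin_entry_present($session, $marker)) {
        header('Location: ' . $redirect, true, 302);
        exit;
    }
}

// The two lines that actually go into the files (assumed placement):
//   index.php:            admin_mark_entry($_SESSION);
//   define_mainpage.php:  admin_require_entry($_SESSION);
```

As germ says, an admin directory already behind an .htaccess password does not need this gate; it only matters when a script under the admin folder can be reached without passing through the login or index page first.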
bobsi18 (posted June 3, 2010):

> But when I try to access the define mainpage link from the admin panel, I am also redirected to google. I'm not a coder at all, and in fact know very little about php, but isn't the statement below telling the system that if the variable My_Var_Name = 'SmVzdXM=' then go to google?

I also had the same problem. On my local version of my site, this redirection worked as expected; however, on my server version of the website, it just redirects to google!

Am I right in assuming that, as I have a .htaccess file protecting the admin, there is no need to worry about define_mainpage.php etc.? (I have deleted define_languages.php.)
This topic is now archived and is closed to further replies.