|
In-Portal Issue Tracker - In-Portal CMS
|
|
Viewing Issue Advanced Details |
|
|
ID:
|
Category:
|
Type:
|
Reproducibility:
|
Date Submitted:
|
Last Update:
|
|
159 |
[In-Portal CMS] Security |
bug report |
always |
2009-07-31 02:45 |
2009-10-03 07:56 |
|
|
Reporter:
|
alex |
Platform:
|
|
|
|
Assigned To:
|
Dmitry |
OS:
|
|
|
|
Priority:
|
critical |
OS Version:
|
|
|
|
Status:
|
closed |
Product Version:
|
4.3.9 |
|
|
Product Build:
|
|
Resolution:
|
fixed |
|
| |
|
ETA:
|
none |
Fixed in Version:
|
5.0.1 |
|
|
Reference:
|
|
|
Change Log Message:
|
|
|
Estimate Points:
|
0 |
|
|
Summary:
|
0000159: Prevent of Execution of System Files of files other, then "index.php" and "admin/index.php" |
|
Description:
|
Currently there is possible to execute individual In-Portal files. Usually people doesn't do that, but just in case I propose to add mentioned later code to all files with ".php" extension, that doesn't contain class declarations or are unit configs.
Code: defined('FULL_PATH') or die('restricted access!'); |
|
Steps To Reproduce:
|
|
|
Additional Information:
|
|
| Relationships | |
|
Attached Files:
|
|
|
|
Issue History |
|
Date Modified |
Username |
Field |
Change |
|
2009-10-03 07:56 |
administrator |
Note Added: 0000709 |
|
|
2009-10-03 07:56 |
administrator |
Status |
resolved => closed |
|
2009-10-03 07:29 |
administrator |
Type |
@60@ => bug report |
|
2009-08-18 00:45 |
Dmitry |
Changeset attached |
5.0.x r12329 |
|
2009-08-16 21:19 |
Dmitry |
Note Added: 0000327 |
|
|
2009-08-16 21:19 |
Dmitry |
Status |
reviewed and tested => resolved |
|
2009-08-16 21:19 |
Dmitry |
Fixed in Version |
=> 5.0.1 |
|
2009-08-16 21:19 |
Dmitry |
Resolution |
reopened => fixed |
|
2009-08-16 21:07 |
Dmitry |
Description Updated |
bug_revision_view_page.php?rev_id=179#r179 |
|
2009-08-16 20:58 |
Dmitry |
Note Added: 0000323 |
|
|
2009-08-16 20:54 |
Dmitry |
Changeset attached |
5.0.x r12305 |
|
2009-08-16 20:54 |
Dmitry |
Changeset attached |
5.0.x r12304 |
|
2009-08-16 20:54 |
Dmitry |
Changeset attached |
5.0.x r12303 |
|
2009-08-16 20:53 |
Dmitry |
Changeset attached |
5.0.x r12302 |
|
2009-08-16 20:53 |
Dmitry |
Changeset attached |
1.0.x r12301 |
|
2009-08-16 20:53 |
Dmitry |
Changeset attached |
5.0.x r12300 |
|
2009-08-16 20:51 |
Dmitry |
Changeset attached |
5.0.x r12299 |
|
2009-08-14 23:23 |
Dmitry |
Changeset attached |
5.0.x r12288 |
|
2009-08-14 13:12 |
Dmitry |
Changeset attached |
5.0.x r12287 |
|
2009-08-14 13:12 |
Dmitry |
Changeset attached |
5.0.x r12286 |
|
2009-08-14 13:12 |
Dmitry |
Changeset attached |
5.0.x r12285 |
|
2009-08-13 21:26 |
Dmitry |
Changeset attached |
5.0.x r12284 |
|
2009-08-13 21:24 |
Dmitry |
Changeset attached |
5.0.x r12283 |
|
2009-08-11 13:59 |
Dmitry |
Changeset attached |
5.0.x r12273 |
|
2009-08-10 17:26 |
Dmitry |
Status |
needs work => reviewed and tested |
|
2009-08-10 17:25 |
Dmitry |
Status |
needs feedback => needs work |
|
2009-08-10 17:25 |
Dmitry |
Note Added: 0000300 |
|
|
2009-08-10 17:25 |
Dmitry |
Status |
resolved => needs feedback |
|
2009-08-10 17:25 |
Dmitry |
Resolution |
fixed => reopened |
|
2009-08-10 17:24 |
Dmitry |
Note Added: 0000299 |
|
|
2009-08-10 17:24 |
Dmitry |
Changeset attached |
5.0.x r12260 |
|
2009-08-10 17:24 |
Dmitry |
Note Added: 0000298 |
|
|
2009-08-10 17:24 |
Dmitry |
Status |
reviewed and tested => resolved |
|
2009-08-10 17:24 |
Dmitry |
Resolution |
open => fixed |
|
2009-08-10 17:24 |
Dmitry |
Assigned To |
alex => Dmitry |
|
2009-08-10 17:24 |
Dmitry |
Changeset attached |
5.0.x r12259 |
|
2009-08-10 17:09 |
Dmitry |
Note Added: 0000297 |
|
|
2009-08-10 17:08 |
Dmitry |
Status |
needs work => reviewed and tested |
|
2009-08-10 17:08 |
Dmitry |
Assigned To |
Dmitry => alex |
|
2009-08-10 16:18 |
alex |
Assigned To |
alex => Dmitry |
|
2009-08-10 16:17 |
alex |
Note Added: 0000296 |
|
|
2009-08-10 16:17 |
alex |
Status |
needs feedback => needs work |
|
2009-08-09 23:15 |
Dmitry |
Changeset attached |
5.0.x r12258 |
|
2009-08-09 23:15 |
Dmitry |
Changeset attached |
5.0.x r12257 |
|
2009-08-09 23:14 |
Dmitry |
Changeset attached |
5.0.x r12256 |
|
2009-08-09 23:12 |
Dmitry |
Changeset attached |
5.0.x r12255 |
|
2009-08-09 23:12 |
Dmitry |
Changeset attached |
5.0.x r12254 |
|
2009-08-09 23:11 |
Dmitry |
Changeset attached |
5.0.x r12253 |
|
2009-08-09 23:11 |
Dmitry |
Changeset attached |
5.0.x r12252 |
|
2009-08-09 23:10 |
Dmitry |
Changeset attached |
5.0.x r12251 |
|
2009-08-09 23:09 |
Dmitry |
Changeset attached |
1.0.x r12250 |
|
2009-08-09 22:33 |
Dmitry |
Summary |
Add checks to prevent execution of files other, then "index.php" and "admin/index.php" => Prevent of Execution of System Files of files other, then "index.php" and "admin/index.php" |
|
2009-08-09 18:13 |
Dmitry |
Note Added: 0000294 |
|
|
2009-08-09 18:13 |
Dmitry |
Assigned To |
Dmitry => alex |
|
2009-08-09 18:13 |
Dmitry |
Status |
reviewed and tested => needs feedback |
|
2009-08-09 18:12 |
Dmitry |
Note Added: 0000293 |
|
|
2009-08-03 15:13 |
Dmitry |
Assigned To |
=> Dmitry |
|
2009-08-03 15:13 |
Dmitry |
Status |
active => reviewed and tested |
|
2009-07-31 14:11 |
Dmitry |
Note Added: 0000206 |
|
|
2009-07-31 14:11 |
Dmitry |
Priority |
normal => critical |
|
2009-07-31 14:11 |
Dmitry |
Type |
bug report => @60@ |
|
2009-07-31 14:11 |
Dmitry |
Target Version |
=> 5.0.1 |
|
2009-07-31 02:45 |
alex |
New Issue |
|
|
Notes |
|
|
(0000206)
|
|
Dmitry
|
|
2009-07-31 14:11
|
|
We need to research on options when we use - ALL PHP files (classes and so on) or just standalone files (as described in this Task)
# Check to ensure this file is loaded within the rest of the framework
defined('FULL_PATH') or die('This file is a part of In-Portal); |
|
|
|
(0000293)
|
|
Dmitry
|
|
2009-08-09 18:12
|
|
After further research, the following actions should be taken:
1. Plant .htaccess (with "Deny from all") in
- core/units, core/kernel, core/install
- [module]/units, [module]/install
- admin/system_presets (for site configs)
2. Add check
defined('FULL_PATH') or die('This file is a part of In-Portal');
to
a. all Classes,
b. all /install.php files inside:
[CODE]
else {
// install, using installation wizard
$toolkit =& $this->toolkit;
/* @var $toolkit kInstallToolkit */
}
[/CODE]
3. Move tools/.htaccess to root of installation .htaccess-dist
4. Rename system/.htaccess-sample to system/.htaccess file. |
|
|
|
(0000294)
|
|
Dmitry
|
|
2009-08-09 18:13
|
|
|
What you think on this? This will add more security on the rest of the system. |
|
|
|
(0000296)
|
|
alex
|
|
2009-08-10 16:17
|
|
|
|
|
(0000297)
|
|
Dmitry
|
|
2009-08-10 17:09
|
|
Alex,
Please add a check inside ALL modules Install.php script to make sure ONLY "root" user is allowed to perform the installation (fully run install.php file) and all other requests die. |
|
|
|
(0000298)
|
|
Dmitry
|
|
2009-08-10 17:24
|
|
Fix committed to 5.0.x branch. Commit Message:
1. Fixes 0000159: Prevent of Execution of System Files of files other, then "index.php" and "admin/index.php"
2. Added exclusion for Debugger |
|
|
|
(0000299)
|
|
Dmitry
|
|
2009-08-10 17:24
|
|
Fix committed to 5.0.x branch. Commit Message:
1. Fixes 0000159: Prevent of Execution of System Files of files other, then "index.php" and "admin/index.php"
2. Minor changes |
|
|
|
(0000300)
|
|
Dmitry
|
|
2009-08-10 17:25
|
|
|
Ups Resolved by mistake - reopening |
|
|
|
(0000323)
|
|
Dmitry
|
|
2009-08-16 20:58
|
|
Added security check " defined('FULL_PATH') or die('restricted access!'); "
1. Tests shown that we have about 450 defined checked which execute in
Did in 0.0003969669342041 - 0.0004969669342041 seconds
2. Taking into account that we'll grow and can reach easily 1000, it showed execution in ~0.008 sec. |
|
|
|
(0000327)
|
|
Dmitry
|
|
2009-08-16 21:19
|
|
|
|
|
|
|
Closing issues from 5.0.1 version, because version was already released. |
|