To fix the hook problem in editInplace.php, change:
<?php if(isset($_REQUEST['hook']))include($_REQUEST['hook']); ?>
to:
<?php
session_start();
if (is_loggedin() and isset($_REQUEST['hook'])) {
    include($_REQUEST['hook']);
} else {
    echo "ERROR";
}
function is_loggedin() { if (isset($_SESSION['l'])) return ...
Search found 4 matches
- Thu Jan 22, 2015 12:08 pm
- Forum: 0.6.X beta support
- Topic: Fix password md5 show
- Replies: 2
- Views: 12693
- Thu Jan 22, 2015 11:44 am
- Forum: 0.6.X beta support
- Topic: Security Vulnerabilities
- Replies: 10
- Views: 98163
Re: Security Vulnerabilities
Nice...
A hard fix for these problems, after getting the page name: add a step that cuts all symbols except A-Z, a-z and '-'.
Example:
http://igorkov.org/%3Cscript%3Ealert%28 ... /script%3E

$rp = isset($_REQUEST['page']) ? $_REQUEST['page'] : '';
$rp = preg_replace('/[^a-zA-Z0-9-]/', '', $rp);
- Thu Dec 11, 2014 7:39 pm
- Forum: 0.6.X beta support
- Topic: Fix password md5 show
- Replies: 2
- Views: 12693
Re: Fix password md5 show
And the next link also must be fixed:
http://wondercms.com/labs/06beta/js/editInplace.php?hook=../files/password
- Tue Oct 28, 2014 3:31 pm
- Forum: 0.6.X beta support
- Topic: Fix password md5 show
- Replies: 2
- Views: 12693
Fix password md5 show
Sample:
http://wondercms.com/labs/06beta/password
This is not good, because MD5 is not a strong algorithm and can be brute-forced.
To fix it (and other system pages):
$denypages = array("copyright", "description", "keywords", "menu", "password", "subside", "themeSelect", "title");
And before ...
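As an added worked example (not WonderCMS code and not taken from the posts above), the three fixes proposed across this thread combined into one request-validation routine: the page-name whitelist from the Security Vulnerabilities reply, the $denypages list from the Fix password md5 show post, and a stricter replacement for the editInplace.php hook check. The session check in the first post keeps anonymous callers out, but include($_REQUEST['hook']) is still an arbitrary file inclusion for anyone who is logged in (and a remote inclusion if allow_url_include is on), so the hook value here must match a fixed allow-list and resolve to a file under one directory. The function names, the hook names ('editToolbar', 'editMenu') and the hooks directory are assumptions.

```php
<?php
// Added example, not WonderCMS code. Function names, the hook allow-list and
// the hooks directory are assumptions made for illustration.

// Reflected XSS through the page name (the %3Cscript%3E URL in the thread):
// keep only [A-Za-z0-9-], as the preg_replace posted above does, so no markup
// survives into the rendered page or into a file path.
function sanitize_page_name(string $raw): string
{
    return preg_replace('/[^a-zA-Z0-9-]/', '', $raw);
}

// System pages (password hash, menu, theme selection, ...) are data, not
// content, and must never be served by name. The list is the poster's $denypages.
function is_system_page(string $page): bool
{
    $denypages = array("copyright", "description", "keywords", "menu",
                       "password", "subside", "themeSelect", "title");
    return in_array($page, $denypages, true);
}

// editInplace.php originally did include($_REQUEST['hook']) with no check, so
// ?hook=../files/password echoed the stored MD5 hash. Requiring a session stops
// anonymous callers but still lets any logged-in user include an arbitrary
// local file (or a URL if allow_url_include is on). Here the value must match a
// fixed allow-list and resolve to a file under $hooksDir.
function resolve_hook(string $requested, string $hooksDir): ?string
{
    $allowed = array('editToolbar', 'editMenu');   // assumed hook names
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($hooksDir);
    $real = realpath($hooksDir . '/' . $requested . '.php');
    // realpath() collapses ../ and symlinks; the prefix test rejects anything
    // that resolved outside $hooksDir.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Combine the three checks for one request. Returns the HTTP status to send,
// the page to render and the hook file to include (or null).
function handle_request(array $request, bool $loggedIn, string $hooksDir): array
{
    $raw  = $request['page'] ?? '';
    $page = is_string($raw) ? sanitize_page_name($raw) : '';
    if ($page === '' || is_system_page($page)) {
        return array('status' => 404, 'page' => null, 'hook' => null);
    }
    $hook = null;
    if (isset($request['hook'])) {
        if (!$loggedIn) {
            return array('status' => 403, 'page' => $page, 'hook' => null);
        }
        $hook = is_string($request['hook'])
              ? resolve_hook($request['hook'], $hooksDir) : null;
        if ($hook === null) {
            return array('status' => 400, 'page' => $page, 'hook' => null);
        }
    }
    return array('status' => 200, 'page' => $page, 'hook' => $hook);
}

// Constructed sample requests mirroring the URLs quoted in the thread.
$samples = array(
    array('page' => '<script>alert(1)</script>'),          // XSS attempt -> 200, page 'scriptalert1script', no markup left
    array('page' => 'password'),                            // system page -> 404
    array('page' => 'home', 'hook' => '../files/password'), // LFI attempt -> 400, not in allow-list
    array('page' => 'home', 'hook' => 'editToolbar'),       // 200 once hooks/editToolbar.php exists, else 400
);
foreach ($samples as $req) {
    $r = handle_request($req, true, __DIR__ . '/hooks');
    printf("%-48s -> %d page=%s hook=%s\n", json_encode($req), $r['status'],
           var_export($r['page'], true), var_export($r['hook'], true));
}
```

Run it with the php command-line binary; the last sample returns 400 until the assumed hooks/editToolbar.php file exists next to the script. Note that blocking the password page only hides the hash: the weakness the post describes is MD5 itself, and the matching fix on the storage side is password_hash() (bcrypt) with password_verify() in place of md5().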