phpwcms needs testing

Oliver Georgi
Site Admin
Posts: 9492
Joined: Fri 3. Oct 2003, 22:22
Location: Dessau

Post by Oliver Georgi » Sat 28. Nov 2015, 20:57

Hey guys,

I have committed massive updates to the dev-1.x branch.

This needs testing and your issues in case of any unwanted behaviour. What I have implemented is CSRF protection. It is semi-automatic for forms and most backend URLs. But some of your modules might need an update too. It's no longer possible (it shouldn't be) to link from outside to anywhere in the backend without a valid CSRF token.

Every POST or GET action should prove its validity. See the new session helpers. It is not well documented at the moment. But I guess the function names are self-explanatory. The most important functions for your work are:

validate_csrf_tokens();
validate_csrf_get_token('csrftoken');
get_token_get_string('csrftoken');

Related to this topic and also to the changes I have made regarding file uploads and inline PHP you will see vulnerabilities reported next week.

And here is the official release candidate RC2
https://github.com/slackero/phpwcms/rel ... -1.8.0-RC2

[UPDATE 2015-12-11] The disclosed security advisories:
https://blog.curesec.com/article/blog/p ... n-122.html
https://blog.curesec.com/article/blog/p ... F-123.html
Last edited by Oliver Georgi on Sun 13. Dec 2015, 13:50, edited 1 time in total.
Reason: phpwcms 1.8.0 released
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Kleintierpraxis am Georgengarten
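
The token round trip described in the post above, as an added example that is not part of the original post and is not phpwcms code. The `demo_*` function names, the `backend.php` URL and the sample requests are constructed for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added illustration; not phpwcms code. All demo_* names are hypothetical.

// Return the per-session token, creating it on first use.
function demo_csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Append the token to a backend URL so a GET action can prove where it came from.
function demo_url_with_token(string $url, array &$session, string $name = 'csrftoken'): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . rawurlencode($name) . '=' . demo_csrf_token($session);
}

// Constant-time check of a submitted token (from $_GET or $_POST) against the session.
function demo_validate(array $input, array $session, string $name = 'csrftoken'): bool
{
    $sent  = $input[$name] ?? '';
    $known = $session['csrf'] ?? '';
    return is_string($sent) && $known !== '' && hash_equals($known, $sent);
}

// Constructed sample run: validate first, change state only afterwards.
$session = [];
$link = demo_url_with_token('backend.php?do=articles', $session);
parse_str(parse_url($link, PHP_URL_QUERY), $get);

$requests = [
    'link generated by the backend' => $get,
    'link from outside, no token'   => ['do' => 'articles'],
    'link with guessed token'       => ['do' => 'articles', 'csrftoken' => str_repeat('0', 64)],
];
foreach ($requests as $label => $query) {
    if (!demo_validate($query, $session)) {
        echo "$label: rejected before any change is made\n";
        continue;
    }
    echo "$label: accepted, action may run\n";
}
```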


Post by Oliver Georgi » Wed 2. Dec 2015, 07:44

Is it that stable? Nobody? No issue?

update
Moderator
Posts: 6381
Joined: Mon 10. Jan 2005, 17:29
Location: germany / outdoor


Post by update » Wed 2. Dec 2015, 12:26

It is running at the testsite for the docu and stable so far. Jürgen?
It's mostly all about webdesign, logo design, new and old pages refresh, print BUT slowly switching to be supporter for the band Mykket Morton. Visit Mykket Morton on FB. Listen Mykket Morton and live videos on youtube.

Old Boy
Posts: 1055
Joined: Fri 23. Nov 2012, 13:52


Post by Old Boy » Wed 2. Dec 2015, 12:48

When I click Update or Save in CP News, even without making any change, the following message appears on a white screen:

Fatal error: No CSRF GET token found, probable invalid request. in /www/htdocs/1234567890/xxxxx.de/include/inc_lib/helper.session.php on line 487

When a change has been made in CP News, however, it is applied in the frontend despite the error message?!


Post by Oliver Georgi » Wed 2. Dec 2015, 13:45

Why no issue then :) It's a bug, not a feature then.

But I can't reproduce it. If possible, please document it on GitHub in a reproducible way, or alternatively here. GitHub also works easily with screenshots. Fixed!
