phpwcms needs testing
Posted: Sat 28. Nov 2015, 20:57
Hey guys,
I have committed massive updates to the dev-1.x branch.
This needs testing and your issues in case of any unwanted behaviour. What I have implemented is CSRF protection. It is semi-automatic for forms and most backend URLs. But some of your modules might need an update too. It's no longer possible (it shouldn't be) to link from outside to anywhere in the backend without a valid CSRF token.
Every POST or GET action should prove its validity. See the new session helpers. It is not well documented at the moment. But I guess the function names are self-explanatory. The most important functions for your work are:
Code:
validate_csrf_tokens();
validate_csrf_get_token('csrftoken');
get_token_get_string('csrftoken');
Related to this topic and also to the changes I have made regarding file uploads and inline PHP you will see vulnerabilities reported next week.
And here is the official release candidate RC2
https://github.com/slackero/phpwcms/rel ... -1.8.0-RC2
[UPDATE 2015-12-11] The disclosed security advisories:
https://blog.curesec.com/article/blog/p ... n-122.html
https://blog.curesec.com/article/blog/p ... F-123.html
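As an added illustration (this is not phpwcms code and not the author's helpers), the following standalone PHP script shows the mechanism the post describes: a token bound to the server-side session, embedded in forms as a hidden field and in backend GET links as a query parameter, and checked on every state-changing request with a constant-time comparison. The function names, the `csrftoken` parameter name borrowed from the post, and the constructed session and request arrays are all assumptions of this example; a real deployment would use `$_SESSION` after `session_start()` and rotate the token on login.

```php
<?php
declare(strict_types=1);

// Constructed example of session-bound CSRF token handling in plain PHP.
// Not phpwcms code; the helper names below are hypothetical and only
// mirror the idea of the session helpers mentioned in the post.

const CSRF_PARAM = 'csrftoken';

// Create the per-session token once (32 random bytes, hex encoded) and reuse it.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_PARAM])) {
        $session[CSRF_PARAM] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_PARAM];
}

// Constant-time comparison; rejects a missing session token, a missing or
// non-string candidate, and any value that does not match exactly.
function csrf_is_valid(array $session, $candidate): bool
{
    if (empty($session[CSRF_PARAM]) || !is_string($candidate)) {
        return false;
    }
    return hash_equals($session[CSRF_PARAM], $candidate);
}

// Form submissions: the token must arrive in the POST body.
function validate_post(array $session, array $post): bool
{
    return csrf_is_valid($session, $post[CSRF_PARAM] ?? null);
}

// Backend links that trigger an action via GET: the token must be in the query string.
function validate_get(array $session, array $get): bool
{
    return csrf_is_valid($session, $get[CSRF_PARAM] ?? null);
}

// Query-string fragment to append to backend links ("csrftoken=<hex>").
function csrf_query_string(array &$session): string
{
    return CSRF_PARAM . '=' . rawurlencode(csrf_token($session));
}

// Hidden input to drop into every HTML form rendered by the backend.
function csrf_hidden_input(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_PARAM . '" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// --- Demonstration with a constructed session and constructed requests -----
$session = [];                    // stands in for $_SESSION
$token   = csrf_token($session);

// A legitimate form submission carries the token from the hidden field.
$goodPost = ['title' => 'Hello', CSRF_PARAM => $token];
// A cross-site request cannot read the victim's session, so it carries
// either no token or a guessed one; both must be rejected.
$guessedPost = ['title' => 'Hello', CSRF_PARAM => str_repeat('0', 64)];
$noTokenPost = ['title' => 'Hello'];

echo 'hidden field: ', csrf_hidden_input($session), PHP_EOL;
echo 'form with session token:  ', var_export(validate_post($session, $goodPost), true), PHP_EOL;
echo 'form with guessed token:  ', var_export(validate_post($session, $guessedPost), true), PHP_EOL;
echo 'form without token:       ', var_export(validate_post($session, $noTokenPost), true), PHP_EOL;

// A backend link built with the helper validates; the same link without it does not.
parse_str('action=delete&id=42&' . csrf_query_string($session), $goodGet);
$bareGet = ['action' => 'delete', 'id' => '42'];

echo 'link built with helper:   ', var_export(validate_get($session, $goodGet), true), PHP_EOL;
echo 'link without token:       ', var_export(validate_get($session, $bareGet), true), PHP_EOL;
```

The check runs before the action, not after, and the comparison uses `hash_equals` so that a wrong token takes the same time to reject regardless of how many leading bytes happen to match. Because the token lives only in the session and in pages that session has rendered, a page on another origin cannot obtain it, which is exactly what stops an outside link from reaching a backend action.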