phpwcms needs testing

Posted: Sat 28. Nov 2015, 20:57
by Oliver Georgi
Hey guys,

I have committed massive updates to the dev-1.x branch.

This needs testing, and your issues in case of any unwanted behaviour. What I have implemented is CSRF protection. It is semi-automatic for forms and most backend URLs. But some of your modules might need an update too. It's no longer possible (it shouldn't be) to link from outside to anywhere in the backend without a valid CSRF token.

Every POST or GET action should prove its validity. See the new session helpers. It is not well documented at the moment. But I guess the function names are self-explanatory. The most important functions for your work are:

validate_csrf_tokens();
validate_csrf_get_token('csrftoken');
get_token_get_string('csrftoken');

Related to this topic, and also to the changes I have made regarding file uploads and inline PHP, you will see vulnerabilities reported next week.

And here is the official release candidate RC2
https://github.com/slackero/phpwcms/rel ... -1.8.0-RC2

[UPDATE 2015-12-11] The disclosed security advisories:
https://blog.curesec.com/article/blog/p ... n-122.html
https://blog.curesec.com/article/blog/p ... F-123.html
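
One way such session helpers can work, as an added example in PHP (this is not phpwcms code; the function names csrf_token, csrf_query_string, csrf_hidden_field and csrf_validate, the csrftoken parameter name and the constructed requests are assumptions): the token is generated once per session from the CSPRNG, appended to backend links as a query string and embedded in forms as a hidden field, and every POST or GET action compares the submitted token against the session copy in constant time. The validator throws instead of calling die(), so the failure case of a backend link that carries no token can be exercised in the demo.

```php
<?php
// Added example, not phpwcms code: a minimal CSRF helper in the spirit of the
// session helpers described above. All function and parameter names are assumptions.

declare(strict_types=1);

const CSRF_PARAM = 'csrftoken';

// A plain array stands in for $_SESSION so the example runs from the CLI;
// in a real request this would be $_SESSION after session_start().
$session = [];

// Returns the per-session token, creating it on first use.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_PARAM])) {
        // 32 bytes from the CSPRNG, hex-encoded: 64 characters, unguessable.
        $session[CSRF_PARAM] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_PARAM];
}

// Query-string fragment to append to every backend link (GET actions).
function csrf_query_string(array &$session): string
{
    return CSRF_PARAM . '=' . rawurlencode(csrf_token($session));
}

// Hidden input to embed in every backend form (POST actions).
function csrf_hidden_field(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_PARAM . '" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Validates the token found in $request (the $_GET or $_POST array of the action).
// $source is only used to label the error ('GET' or 'POST').
function csrf_validate(array $session, array $request, string $source): void
{
    if (!isset($session[CSRF_PARAM])) {
        throw new RuntimeException('No CSRF token in session, probable invalid request.');
    }
    if (!isset($request[CSRF_PARAM]) || !is_string($request[CSRF_PARAM])) {
        throw new RuntimeException("No CSRF $source token found, probable invalid request.");
    }
    // hash_equals() compares in constant time, so timing leaks nothing about the token.
    if (!hash_equals($session[CSRF_PARAM], $request[CSRF_PARAM])) {
        throw new RuntimeException("Invalid CSRF $source token, probable invalid request.");
    }
}

// --- constructed demo requests (assumed URLs, not real phpwcms endpoints) ---------

// A backend link built with the helper carries the token and validates.
$link = 'phpwcms.php?do=articles&id=5&' . csrf_query_string($session);
parse_str(parse_url($link, PHP_URL_QUERY), $get);   // what the server sees as $_GET
csrf_validate($session, $get, 'GET');
echo "link with token accepted: $link", PHP_EOL;

// A link from outside (or from a module that was not updated) has no token and is rejected.
try {
    csrf_validate($session, ['do' => 'articles', 'id' => '5'], 'GET');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A forged POST with a token the attacker made up does not match the session copy.
try {
    csrf_validate($session, [CSRF_PARAM => bin2hex(random_bytes(32))], 'POST');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

echo csrf_hidden_field($session), PHP_EOL;
```

Run it with the php CLI (PHP 7 or later, for random_bytes()). Two caveats a practitioner would add: a token carried in a GET URL ends up in Referer headers, browser history and server logs, so state-changing backend actions are better served by POST with the hidden field; and the check only protects an entry point that actually calls the validator, which is why modules that build their own backend links or handle their own form posts need the update mentioned above.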

Re: phpwcms needs testing

Posted: Wed 2. Dec 2015, 07:44
by Oliver Georgi
Is it that stable? Nobody? No issue?

Re: phpwcms needs testing

Posted: Wed 2. Dec 2015, 12:26
by update
It is running on the test site for the documentation and is stable so far. Jürgen?

Re: phpwcms needs testing

Posted: Wed 2. Dec 2015, 12:48
by Old Boy
When I click Update or Save in CP News, even without any change, the following message appears on a white screen:

Fatal error: No CSRF GET token found, probable invalid request. in /www/htdocs/1234567890/xxxxx.de/include/inc_lib/helper.session.php on line 487

When a change has been made in CP News, it is nevertheless applied in the frontend despite the error message?!

Re: phpwcms needs testing

Posted: Wed 2. Dec 2015, 13:45
by Oliver Georgi
Why no issue then? :) It's a bug, not a feature then.

But I can't reproduce it. If possible, please document it reproducibly on GitHub, or alternatively here. GitHub also works easily with screenshots. Fixed!