{PHP:http://www.mysite.com/index.php?id=1,5,0,0,1}: works?

[sustia]

Hi, I have trying to put some inclusion in my home page with {PHP} replacement tag, but seems it doesn't works:

I try this code:

Code: Select all

{PHP:http://www.gabriellagramegna.it/index.php?id=1,5,0,0,1,0}

It's correct or I wrong something?

[Oliver Georgi]

This does not work anymore because of security problems. But you can use something like this by creating a new php script like "myextpage.php":

<?php
//include remote URL
include ('http://www.gabriellagramegna.it/index.p ... ,5,0,0,1,0');
?>

Then use the replacement tag {PHP:myextpage.php}.

Maybe I should implement a new config var that allows remote URL based on user's choice.

Oliver

[sustia]

Great, it works

Thanks Oliver!

[Oliver Georgi]

I have patched phpwcms for the new value in conf.inc.php - but test it. It might be unsecure when somebody is able to inject your install via search form field. Please test!!!

The changed source is available within some hours via CVS or change manually:

front.func.inc.php replace this function around line 1071:

Code: Select all

function include_ext_php($inc_file, $t=0) {
	// includes an external PHP script file and returns
	// the result as string from buffered include content
	$ext_php_content = '';
	
	//check if this is a local file
	if(is_file($inc_file)) {
	
		if(!$t) {
			$this_path = str_replace("\\", '/', dirname(realpath($inc_file)));
			$this_path = preg_replace('/\/$/', '', $this_path);
		
			$root_path = str_replace("\\", '/', PHPWCMS_ROOT);
			$root_path = preg_replace('/\/$/', '', $root_path);
			
			if(strpos($this_path, $root_path) === 0) $t = 1;
		}
	} else {
		
		if(!$t) {
			//if remote URL is allowed in conf.inc.php
			if(intval($GLOBALS['phpwcms']['allow_remote_URL'])) $t =1;
		}
		
	}
	
	if($t) {
		ob_start();
		include($inc_file);
		$ext_php_content = ob_get_contents();
		ob_end_clean();
	}
	
	return $ext_php_content;
}

Add the following value to your conf.inc.php:

Code: Select all

$phpwcms["allow_remote_URL"]  = 0; //0 = no remote URL in {PHP:...} replacement tag allowed, 1 = allowed

Oliver

[sustia]

Hi Oliver, the code works fine.

I have patched phpwcms for the new value in conf.inc.php - but test it. It might be unsecure when somebody is able to inject your install via search form field. Please test!!!
Oliver

You intend to say to put something like this in the search form?

Code: Select all

http://www.gabriellagramegna.it/setup/setup.php

I try to inject this, but nothing happens.
I try too to inject with the absolute path, but there's no problem.

If you intend to say something different please, tell me what

Thanks as always.
Angelo

[Oliver Georgi]

No has nothing to do with this.

There was a security problem when you try to insert something like this in the search field {PHP:http://www.dobad.com/return_injection_code.php}

Oliver

[sustia]

Well, I'm not a security expert, but I try.

I do a page with this code:

Code: Select all

SELECT * FROM `phpwcms_user` WHERE  usr_login='mylogin'

and save in a page (myinjection.php).

Then, from the search field I try this:

Code: Select all

{PHP:http://www.mysite.com/myinjection.php}

But I'm not sure that this is the right way to try.

[Oliver Georgi]

It isn't but I will not post a sample here.

But if you use a current release - there isn't the problem anymore.

check what happens if you just use {PHP:jdfjdahfjadh} - after pressing search the search field should filled with "jdfjdahfjadh". If so - no security problem

Oliver

[sustia]

Yes I use the current release

check what happens if you just use {PHP:jdfjdahfjadh} - after pressing search the search field should filled with "jdfjdahfjadh". If so - no security problem

Oliver

It's so Oliver

[art777]

This does not work anymore because of security problems. But you can use something like this by creating a new php script like "myextpage.php":

<?php
//include remote URL
include ('http://www.gabriellagramegna.it/index.p ... ,5,0,0,1,0');
?>

Then use the replacement tag {PHP:myextpage.php}.

Maybe I should implement a new config var that allows remote URL based on user's choice.

Oliver

This does not work... Maybe I don't this understand...

I work:

1. I want have content http://info.cms.to.pl/index.php?id=1,1,0,0,1,0 in left column in "templates".
2. Make file newsy.php (in root - http://info.cms.to.pl/newsy.php )

Code: Select all

<?php 
//include remote URL 
include ('http://info.cms.to.pl/index.php?id=1,1,0,0,1,0'); 
?> 

3. In "templates - left" set:

Code: Select all

{NAV_TABLE_SIMPLE}<br><br>
{PHP:newsy.php}

4. and in left column - http://info.cms.to.pl/index.php?id=1,1,0,0,1,0

Code: Select all

Warning: main(http://info.cms.to.pl/index.php?id=1,1,0,0,1,0): failed to open stream: HTTP request failed! D_FâŠ1$[7FZ7F in /home/dealer/main/pkg/cms/info/html/newsy.php on line 3

Warning: main(): Failed opening 'http://info.cms.to.pl/index.php?id=1,1,0,0,1,0' for inclusion (include_path='.:/usr/lib/php') in /home/dealer/main/pkg/cms/info/html/newsy.php on line 3

And in conf.inc.php I added:

Code: Select all

$phpwcms["allow_remote_URL"]  = 1; //0 = no remote URL in {PHP:...} replacement tag allowed, 1 = allowed

What I work wrong (phpwcms_1.1-RC4_2004-05-22 - new install)

[Oliver Georgi]

1. you have to extend the function for including external php files as posted above
2. if you set allow_remote_URL it is enough to use {PHP:http://info.cms.to.pl/index.php?id=1,1,0,0,1,0}

Oliver

[art777]

I change

Code: Select all

{NAV_TABLE_SIMPLE}<br><br>
{PHP:newsy.php}

to:

Code: Select all

{NAV_TABLE_SIMPLE}<br><br>
{PHP:http://info.cms.to.pl/index.php?id=1,1,0,0,1,0}

in conf.inc.php still is:

Code: Select all

$phpwcms["allow_remote_URL"]  = 1; 

and on site is blank (left column) - http://info.cms.to.pl/index.php?id=1,0,0,1,0,0

[Oliver Georgi]

But did you do this:
http://www.phpwcms.de/forum/viewtopic.php?p=12808#12808

For me - it works - but it's false to include content this way because you will get double <body> and so on...

Oliver

[art777]

How to any other way insert any content (from phpwcms) into template (not to {CONTENT} )??

[Oliver Georgi]

It's in preparation. But not easy possible at the moment. There was a hack for this somewhere in this forum.

Oliver