phpwcms needs testing

[Oliver Georgi]

Hey guys,

I have committed massive updates to the dev-1.x branch.

This needs testing and your issues in case of any unwanted behaviour. What I have implemented is CSRF protection. It is semi automatic for forms and most backend URLs. But some of your modules might need an update too. It's no longer possible (it shouldn't) to link from outside to anywhere in the backend without a valid CSRF token.

Every POST or GET action should proof its validity. See the new session helpers. It is not well documented at the moment. But I guess the funtion names are self explaining. The most important functions for your work is:

Code: Select all

validate_csrf_tokens();
validate_csrf_get_token('csrftoken');
get_token_get_string('csrftoken');

Related to this topic and also to the changes I have made regarding file uploads and inline PHP you will see vulnerabilities reported next week.

And here is the official release candidate RC2
https://github.com/slackero/phpwcms/rel ... -1.8.0-RC2

[UPDATE 2015-12-11] The disclosed security advisories:
https://blog.curesec.com/article/blog/p ... n-122.html
https://blog.curesec.com/article/blog/p ... F-123.html

[Oliver Georgi]

Is it that stable? Nobody? No issue?

[update]

It is running at the testsite for the docu and stable so far. Jürgen?

[Old Boy]

Wenn ich im CP News - selbst ohne jede Änderung - Aktualisieren oder Speichern anklicke, erfolgt folgende Meldung auf weissem Bildschirm:

Code: Select all

Fatal error: No CSRF GET token found, probable invalid request. in /www/htdocs/1234567890/xxxxx.de/include/inc_lib/helper.session.php on line 487

Bei einer vorgenommenen Änderung im CP News, ist diese - trotz Fehlermeldung - im FrontEnd allerdings umgesetzt ?!

[Oliver Georgi]

warum dann kein Issue it's a bug, no feature then.

Kann es aber nicht nachvollziehen. Bitte wenn möglich auf GitHub entsprechend nachvollziehbar dokumentieren alternativ hier. GitHub geht auch easy mit Screenshots. Gefixt!