Jump to content


  • Posts

  • Joined

  • Last visited

Everything posted by neildaemond

  1. Hey Ya'll, Just for fun, I'm going to do a Security Analysis on Processwire by following the principles in Hacking Exposed 3 - Web Applications. I think It'll be nice to show my clients a final summary to help reassure them how secure things are, while giving me some credibility for being security conscious~ Anyways, I'm kind of busy these days, so it won't be updated too often, and of course I'll let The PW team fix any issues prior to releasing any security holes. BUT, if your interested, the feel free to subscribe to the RSS feed for this topic.. otherwise you can find it here: http://neilpahl.com/logs/security-projects-public/processwire-cms-security-analysis/ if there is any interest, I'll make an email subscription available for this topic feed~ Let me know if there is any specific area you feel the security should be looked at more closely... Cheers,
  2. Sorry for spamming this thread, but I wanted to say that this problem sorted itself out in a strange way. I installed a custom admin theme, then it didn't work either. Then I deleted the site/templates-admin folder via ftp. while it was deleting I refreshed the page, got some errors.. kept refreshing it until the folder was gone. Then, magically, the default theme worked just fine. very strange, but I'm glad I got it out of that funky state. Thanks all for your help.
  3. I usually scp it if I have ssh access it as well, but I just wanted to make sure there wasn't any "Magic" that I missed out on by not installing it... Thanks for your responses guys Happened to me too!
  4. oops, not quite fixed. The tinyMCE body field is now just html markup and not the nice UI as it once was. Looks like I'll have to find the root cause after all~
  5. not really sure why the jquery module wasn't loading the jquerycore, but I thought I'd just load it manually. I hacked the admin-template/default.php, changing the section: $config->styles->prepend($config->urls->adminTemplates . "styles/main.css"); $config->styles->append($config->urls->adminTemplates . "styles/ui.css?v=1"); $config->scripts->append($config->urls->adminTemplates . "scripts/main.js"); to $config->scripts->prepend($config->urls->adminTemplates . "scripts/JqueryCore.js"); $config->styles->append($config->urls->adminTemplates . "styles/main.css"); $config->styles->append($config->urls->adminTemplates . "styles/ui.css?v=1"); $config->scripts->append($config->urls->adminTemplates . "scripts/main.js"); and copied the JqueryCore.js into admin-templates/styles/ works now
  6. So, I figured it out. Recently, I was playing around with Attracta services provided by my web host... and 2 weeks or so later (when I noticed this issue), the inline adds must have kicked into gear. It kept trying to GET a .js file from kona.kontera.com which seemed to mess everything up. i removed a .fastinclude file from my public_html folder and now it works okay, YAY! now to debug this one...
  7. I too am thinking about switching to ngynx, can't wait to see the full documentation on this! But I'll tinker as well and report back what I find.
  8. When you guys move a site from staging to live for the first time (lets say the live site is on another web host server), do you need to install pw on that server first, then import the database and change the templates? or do you copy over the files from the staging root, export the staging database, and import the database into the live database? (ie: do you skip the installation step?) I have an issue with my admin section after starting a new live site, where I skipping the pw installation step and am wondering if that could have caused it. Edit: I usually use the same database name, username and password on staging and live for synchronization convenience.
  9. you wouldn't believe my luck, I created another site on a different machine and web host, and its doing something similar without even loading the arrow gif... but in that case chrome dev tools console gave me the errors that $ is undefined in the .js files... I think it's because jquery isn't loading properly. As for the site mentioned originally, chrome dev tools aren't showing any errors, the 'Network' tab shows everything transfered ok, but stops at the arrow gif loading.. This problem wasn't too urgent for me, so I haven't had much time to figure out the cause. I should have time over the next 2 days or so... and will keep you guys posted
  10. it was all working fine, I had my pw admin logged in but in another tab in my browser. then after, I went to go add a page and found that the nice jquery list of pages weren't showing. The page was stuck on the animated arrow which is shown while its loading. I tried login out and in, clearing cache of my browser. It is working fine for other PW sites I have (running on different hosts), and It shows the same symptoms on my mobile device. Any ideas as to how it could have reached this state?
  11. if anyone knows if any of these use mysqli, that would be helpful: Cahoots (Included with software as of version 2) Contenido CMS (Deutsch) Coppermine Photo Gallery DokuWiki Drupal ExpressionEngine Flatpress Geeklog MediaWiki NucleusCMS Pixie CMS (included with software) PmWiki SMF (Simple Machines Forum) Sphinx CMS Subdreamer CMS (Included with software) vBulletin 3.8 vBulletin 4.x WordPress Zikula (formerly PostNuke)
  12. Hey thanks for giving me some direction with this, I will investigate further
  13. I stumbled across bad-behavior spam blocker today and I'm trying to port it to Processwire. It looks like a decent service which is natively used in some other cms's and php apps. out of the box, this service is supposed to work by downloading and unzipping the files to somewhere accessible, then adding require_once("/path/to/Bad-Behavior/bad-behavior-generic.php"); To your pages. I added it at the top of PW's index.php. So, its supposed to be working (although I can't yet tell ). However, its supposed to work even better if you can give it a database to enable logging. To do this, one has to add the mysql hooks into the bad-behavior-generic.php file. I think these are the lines that need to be modified: // Bad Behavior callback functions. // Return current time in the format preferred by your database. function bb2_db_date() { return gmdate('Y-m-d H:i:s'); // Example is MySQL format } // Return affected rows from most recent query. function bb2_db_affected_rows() { return false; } // Escape a string for database usage function bb2_db_escape($string) { // return mysql_real_escape_string($string); return $string; // No-op when database not in use. } // Return the number of rows in a particular query. function bb2_db_num_rows($result) { if ($result !== FALSE) return count($result); return 0; } // Run a query and return the results, if any. // Should return FALSE if an error occurred. // Bad Behavior will use the return value here in other callbacks. function bb2_db_query($query) { return FALSE; } // Return all rows in a particular query. // Should contain an array of all rows generated by calling mysql_fetch_assoc() // or equivalent and appending the result of each call to an array. function bb2_db_rows($result) { return $result; } // Create the SQL query for inserting a record in the database. // See example for MySQL elsewhere. function bb2_insert($settings, $package, $key) { return "--"; } // Return emergency contact email address. function bb2_email() { return "example@example.com"; // You need to change this. } // retrieve whitelist function bb2_read_whitelist() { return @parse_ini_file(dirname(BB2_CORE) . "/whitelist.ini"); } // retrieve settings from database // Settings are hard-coded for non-database use function bb2_read_settings() { global $bb2_settings_defaults; $settings = @parse_ini_file(dirname(__FILE__) . "/settings.ini"); if (!$settings) $settings = array(); return @array_merge($bb2_settings_defaults, $settings); } // write settings to database function bb2_write_settings($settings) { return false; } // installation function bb2_install() { return false; } but I couldnt tell how to call the PW mysql hooks. For reference, the sample version for wordpress (bad-behavior-wordpress.php) looked like: <?php /* Plugin Name: Bad Behavior Version: 2.2.3 Description: Deny automated spambots access to your PHP-based Web site. Plugin URI: http://bad-behavior.ioerror.us/ Author: Michael Hampton Author URI: http://bad-behavior.ioerror.us/ License: LGPLv3 Bad Behavior - detects and blocks unwanted Web accesses Copyright (C) 2005,2006,2007,2008,2009,2010,2011,2012 Michael Hampton Bad Behavior is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. Please report any problems to bad . bots AT ioerror DOT us http://www.bad-behavior.ioerror.us/ */ ############################################################################### ############################################################################### if (!defined('ABSPATH')) die("No cheating!"); global $bb2_result; $bb2_mtime = explode(" ", microtime()); $bb2_timer_start = $bb2_mtime[1] + $bb2_mtime[0]; define('BB2_CWD', dirname(__FILE__)); // Bad Behavior callback functions. require_once("bad-behavior-mysql.php"); // Return current time in the format preferred by your database. function bb2_db_date() { return get_gmt_from_date(current_time('mysql')); } // Return affected rows from most recent query. function bb2_db_affected_rows() { global $wpdb; return $wpdb->rows_affected; } // Escape a string for database usage function bb2_db_escape($string) { global $wpdb; return $wpdb->escape($string); } // Return the number of rows in a particular query. function bb2_db_num_rows($result) { if ($result !== FALSE) return count($result); return 0; } // Run a query and return the results, if any. // Should return FALSE if an error occurred. // Bad Behavior will use the return value here in other callbacks. function bb2_db_query($query) { global $wpdb; $wpdb->hide_errors(); $result = $wpdb->get_results($query, ARRAY_A); if ( defined('WP_DEBUG') and WP_DEBUG == true ) $wpdb->show_errors(); if (mysql_error()) { return FALSE; } return $result; } // Return all rows in a particular query. // Should contain an array of all rows generated by calling mysql_fetch_assoc() // or equivalent and appending the result of each call to an array. // For WP this is pretty much a no-op. function bb2_db_rows($result) { return $result; } // Return emergency contact email address. function bb2_email() { return get_bloginfo('admin_email'); } // retrieve whitelist function bb2_read_whitelist() { return get_option('bad_behavior_whitelist'); } // retrieve settings from database function bb2_read_settings() { global $wpdb; // Add in default settings when they aren't yet present in WP $settings = get_option('bad_behavior_settings'); if (!$settings) $settings = array(); return array_merge(array('log_table' => $wpdb->prefix . 'bad_behavior', 'display_stats' => true, 'strict' => false, 'verbose' => false, 'logging' => true, 'httpbl_key' => '', 'httpbl_threat' => '25', 'httpbl_maxage' => '30', 'offsite_forms' => false, 'reverse_proxy' => false, 'reverse_proxy_header' => 'X-Forwarded-For', 'reverse_proxy_addresses' => array(),), $settings); } // write settings to database function bb2_write_settings($settings) { update_option('bad_behavior_settings', $settings); } // installation function bb2_install() { $settings = bb2_read_settings(); if (!$settings['logging']) return; bb2_db_query(bb2_table_structure($settings['log_table'])); } // Cute timer display; screener function bb2_insert_head() { global $bb2_timer_total; global $bb2_javascript; echo "\n<!-- Bad Behavior " . BB2_VERSION . " run time: " . number_format(1000 * $bb2_timer_total, 3) . " ms -->\n"; echo $bb2_javascript; } function bb2_approved_callback($settings, $package) { global $bb2_package; // Save package for possible later use $bb2_package = $package; } // Capture missed spam and log it function bb2_capture_spam($id, $comment) { global $bb2_package; // Capture only spam if ('spam' != $comment->comment_approved) return; // Don't capture if HTTP request no longer active if (array_key_exists("request_entity", $bb2_package) && array_key_exists("author", $bb2_package['request_entity']) && $bb2_package['request_entity']['author'] == $comment->comment_author) { bb2_db_query(bb2_insert(bb2_read_settings(), $bb2_package, "00000000")); } } // Display stats? function bb2_insert_stats($force = false) { global $bb2_result; $settings = bb2_read_settings(); if ($force || $settings['display_stats']) { $blocked = bb2_db_query("SELECT COUNT(*) FROM " . $settings['log_table'] . " WHERE `key` NOT LIKE '00000000'"); if ($blocked !== FALSE) { echo sprintf('<p><a href="http://www.bad-behavior.ioerror.us/">%1$s</a> %2$s <strong>%3$s</strong> %4$s</p>', __('Bad Behavior'), __('has blocked'), $blocked[0]["COUNT(*)"], __('access attempts in the last 7 days.')); } } if (@!empty($bb2_result)) { echo sprintf("\n<!-- Bad Behavior result was %s! This request would have been blocked. -->\n", $bb2_result); unset($bb2_result); } } // Return the top-level relative path of wherever we are (for cookies) function bb2_relative_path() { $url = parse_url(get_bloginfo('url')); if (array_key_exists('path', $url)) { return $url['path'] . '/'; } return '/'; } // FIXME: figure out what's wrong on 2.0 that this doesn't work // register_activation_hook(__FILE__, 'bb2_install'); //add_action('activate_bb2/bad-behavior-wordpress.php', 'bb2_install'); add_action('wp_head', 'bb2_insert_head'); add_action('wp_footer', 'bb2_insert_stats'); add_action('wp_insert_comment', 'bb2_capture_spam', 99, 2); // Calls inward to Bad Behavor itself. require_once(BB2_CWD . "/bad-behavior/core.inc.php"); bb2_install(); // FIXME: see above if (is_admin() || strstr($_SERVER['PHP_SELF'], 'wp-admin/')) { // 1.5 kludge #wp_enqueue_script("admin-forms"); require_once(BB2_CWD . "/bad-behavior-wordpress-admin.php"); } $bb2_result = bb2_start(bb2_read_settings()); $bb2_mtime = explode(" ", microtime()); $bb2_timer_stop = $bb2_mtime[1] + $bb2_mtime[0]; $bb2_timer_total = $bb2_timer_stop - $bb2_timer_start; Thanks in advance!
  14. Thanks for taking a look at it I know what you mean, there's something about it I don't love either. It looks a bit cold at the moment but It should look a little more lively when I start to showcase the student work more. I wanted to make it easy to find the important info first, next step is to decorate a bit more. The iPad background is to promote the fact that we are starting to teach using iPads too. Part of me likes it, but part feels a little cheezy, haha.
  15. Here is a site I made for the Learning Center I do IT for. My goal was an interactive and responsive feel. Still to add some more media like pics and such, but it's the V1.0. The client is able to add new 'curriculums' and such through the admin gui by only typing a short description, and adding an icon image. http://www.i-workshop.com.cn/
  16. I ran and decided to just host it on my own~ got them to point the A Records to my cloud server and spent the evening figuring out how to make virtualhosts
  17. Thanks alot for your help guys. I added json support by mashing up two solutions from: http://www.epigroove.com/posts/97/how_to_use_json_in_php_4_or_php_51x http://techblog.willshouse.com/2009/06/12/using-json_encode-and-json_decode-in-php4/ Where from the first link, I got the nice script which I could place inside the ../core/Functions.php: if (!function_exists('json_decode')) { function json_decode($content, $assoc=false) { require_once 'classes/JSON.php'; if ($assoc) { $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); } else { $json = new Services_JSON; } return $json->decode($content); } } if (!function_exists('json_encode')) { function json_encode($content) { require_once 'classes/JSON.php'; $json = new Services_JSON; return $json->encode($content); } } just changing the 'require_once' to point at the JSON.php which I got from a link within the second solution(this way I didn't have to install pear, which I was unsuccessful doing): http://mike.teczno.com/JSON/JSON.phps I renamed JSON.phps to JSON.php ... so the json errors no longer appeared. HOWEVER, Since the host only uses php 5.19, I got many other errors. After Complaining to my 'web host', they just said they aren't responsible for third party software support. They will move me to another server which uses php 5.2.3, so hopefully things work out for that~ even though pw's requirement says 5.2.4 cross fingers~
  18. My client got their web hosting from a terrible company who poses as IT consultants but really just act as middle men, reselling the cheap web hosting they purchase from a legitimate company... it is VERY frustrating. Anyways, my site won't load and gives the errors that it can't find the json_decode() function. I tried installing a fresh PW, and the checks gave the errors that json support and the php was slightly outdated. but in the end it installed, but got errors on load. same as when I load my pages. So, is there a way to hack pw so that it doesn't require json support? I tried asking the "IT Consultants" to install json, but they wouldn't. I even gave them the list of command that would do it for them. They obviously don't even have root access to their servers. so lame.
  19. New tagging system using auto complete page field. Abusing it like crazy! Thanks apeisa for the direction! Now I just have to figure out a good way to count how many pages are using each tag so I can make the more frequent tags larger.
  20. Thanks guys, it makes a lot more sense now
  21. Right, with dynamic user requests that would be a bad idea. I was talking about my amature usage where I have content loaded in the background via ajax to help out with page loading and transition times. I know they have nothing to do with each other, but I just thought the end results can be kind of compared. They both seem to return the output from the template for a given page (ajax via the page url, and render() via the $wirepage). Forgive me, It wasn't untill I read this thread when I reallized how render() works~
  22. Hi Andrew, nice work. I'm sure your client likes being able to editing things (you must must like it too). I'm curious about your "login" link in the bottom right corner. I like how it opens an overlay for them to login instead of the processwire page. Did you just style the login page to look like that? does it log the user into the pw admin interface? or did you create a custom admin section? very cool stuff!
  23. Hey thanks Zach! It's nice to get some positive feedback about those category trees... sometimes I wonder if tags would be a better choice. But I find it nice to have all the logs related to a certain topic or project in the same place, and in the same order as it helps me track down what I've done in the past with something. I am thinking of adding general tag function in addition to the category trees in which i could tag pretty much any page (because I really like some of those slick Tag Clouds out there). It could be easy to implement, but harder if I want it more polished with those those tag input sections which auto populate the tags as I type. Maybe it could become a plugin or something. as for PW logs, I figured the processwire site has pretty good documentation already and I will start those PW logs when I do more complex things like bootstrapping pw and creating more app style things that utilize the $user capabilities of pw Thanks again to all those who took the time to check out my page and leave feedback
  24. I feel like the list of permissions in the Access>Permissions section isn't exhaustive. There is an 'Add Permission' option, but I don't have a clue as to what I can add in there as it's just a text field. Is there a list of acceptable permissions somewhere? or a guide on how to use this feature? Thanks,
  • Create New...