Search the Community

Showing results for tags 'security'.
  1. Hi. I am no PHP expert and have mostly done WordPress development during the last many years, so I am more used to the WordPress codebase than anything else. I have learned that it is good practice to escape your output with different WordPress functions, such as esc_attr, esc_url, esc_html etc. There is a list of functions here: https://codex.wordpress.org/Data_Validation Here is an example, taken from this tutorial: http://code.tutsplus.com/tutorials/data-sanitization-and-validation-with-wordpress--wp-25536 `<h1><?php echo esc_html($title); ?></h1>` I am aware that there are some sanitization functions in ProcessWire, but I have not seen any for this kind of output. Nor have I found any articles/posts about this kind of practice for ProcessWire. The $sanitizer seems to be used more specifically for form input data. However, I assume that this is something one should consider in any PHP environment and not only in WordPress? Am I right? I am simply posting this question here because I am a bit unsure and would love to hear what other PHP developers here think about this and what is best to do in the ProcessWire environment. Looking forward to any feedback or input on this subject.
  2. Hello, I've created an enterprise management system with ProcessWire where employees log in to the system and perform various tasks, such as creating invoices, adding client information, creating/answering support tickets etc. The client is very much concerned about data security and data alteration by unauthorized persons. So I've been asked to make sure the system is very secure and there's no way to alter or leak the company information in any way. While I'm already doing the required validation and making sure the user is authorized by making them log in to the system, what else should I consider to make the system safer? Just wanted to have a better understanding of ProcessWire's security mechanisms and how to make them better. Thanks everyone.
  3. I have a client who is a record label and they need to have some pages for promoting albums, where there can be a password they give to a reviewer, so the reviewer can go to the URL, type in the password, and be able to view the content (which will be streaming audio and downloads of the album in question). I have found some simple ways online to do this with PHP, but I'm wondering if there is a better/simpler way to interact with the PW session to achieve this. The client doesn't want to have to add roles/users or deal with permissions... they just want to have an input field where they can put in the password for that album... TIA, Marc
  4. Hi guys, I have a few questions regarding a few common practices when dealing with CMSes: 1- How can I install ProcessWire above the root for better security? 2- How can I change the default folder for uploading images? For example, I'd like to create a folder /uploads in the root and have all my uploaded images in there. And can I have multiple folders or just one folder for all images? 3- Is it possible to have site assets (CSS, JS etc.) stored in a folder /assets in the root? If you have other common practices or security tips etc. and you'd like to share, please do.
  5. This post is like these two but I've not been able to fix my problem reading those threads (perhaps partly because I don't fully understand some of the exchanges as they skip past things I am not familiar with). With debug turned on, when I try to log in I am getting (domain and password substituted out): TEMPLATEFILE : UNABLE TO GENERATE PASSWORD HASH, followed by a stack trace through Password->hash(), Session->authenticate() and ProcessLogin. So far I have:
     • replaced /wire/ with a fresh 2.3 copy
     • set /site/assets/cache/ plus all contents to 777
     • set /site/assets/sessions/ plus all contents to 777
     • installed a copy of PW 2.3 in a sub-domain and checked it can log in OK (server environment check) and all OK
     I am able to update the site by updating locally and then exporting/importing the database. I would be grateful for any suggestions as to how I can solve this, thanks in advance for comments!
  6. I am stuck. Seven days ago, something changed such that when users try to upload images to my PW site, the images are posted to the page, but they show up as zero bytes. The folder is created in the files folder, the image name is recorded, the type of file is recorded, but the byte size is zero. When I looked into the problem this morning, I received the "This request was aborted because it appears to be forged." message whenever I tried to upload images. Turning off protectCSRF in the config file suppresses the aborted image message and now I just get the zero-byte image bug, but I don't know why. I've checked permissions on the files directory, changed it recursively to 777 and then back to 755 with no change. I checked that I have active sessions, logs, and cache folders. I checked the permissions of the config.php file. I changed the sessionName, and turned off the challenge and fingerprint functions, but nothing is budging. I installed a new PW site yesterday and so I keep thinking something is colliding, but it looks like the images have been failing to write to the files directory for the last week. I'm getting the same results in multiple browsers after any number of cache clears, so I don't think it is client-side. This is a look at the PHPinfo for the site. Best wishes, J
  7. Some interesting reads for those interested in security. Well, it should be mandatory for every web dev to know these things, or at least care about them. Hack yourself first - how to go on the offence before online attackers do http://www.troyhunt.com/2013/05/hack-yourself-first-how-to-go-on.html Feel free to discuss or post other articles about the subject.
  8. Hello all, Once again, just want to comment on how good I truly believe PW to be. I do have a few questions about security though - more specifically about the system's way of handling XSS. I've not really found anything on PW's security practices and exploit prevention precautions. Is page content filtered client side on submit? I noticed disabling JavaScript on the admin pages meant that script tags could make it through. What is the practice for cleaning harmful code on output? I've noticed there's a sanitizer API. Is there a way to enable the sanitizer for all fields by default, so I don't have to keep calling it in the templates for every field? Is it safe to assume that input on fields is automatically escaped to prevent SQL injection? Are admin functions protected from CSRF attacks? I am aware of the HTMLPurifier plugin but this appears to be an optional plugin. Finally, a quick question about performance. I've enabled debugging and found that there are 47 queries running on an (admin) page load. Is this going to cause problems for upwards scaling in the future? If these questions have been answered elsewhere, please point me in the direction of the answers. Cheers and thanks again. Edit: I can't find any reference to XSS cleaning functionality at all. Not even the sanitizer seems to have this functionality. Is everything really done on the client by TinyMCE? Looks like the sanitizer class does indeed have some cleaning functionality.
  9. Hey guys, I'm really new to ProcessWire, found it like two days ago but already love it. I just had a look at the wire folder and came across the userAuthHashType in config.php. This is set to sha1, which is not too secure; it would be good to use a different hashing method. If I'm right, version 2.4 (?) will make use of all these nice PHP 5.3+ features, as well as Composer. PHP 5.4 will fight bad password hashing by providing a password_hash() function; until then it might be good to use the ircmaxell/password_compat library. What do you think?
  10. Hi, I have a project rebuilding a company website that does not have any CMS managing it at the moment. There is also the need for a separate site they refer to as an 'intranet', but it is more like a company resources website which is accessed by multiple interstate offices and also by sales staff on the move. This site contains files and info they would consider sensitive information. I am interested in using the multi-site feature of ProcessWire to share some files across both sites. The resources website will have user login access; does anyone have any advice on additional security to protect the more sensitive company files? I have just started looking into VPN hosting, for example; would this be necessary? Can I still use multi-site ProcessWire if the company website does not require the VPN?
  11. Hey, My company asked me how ProcessWire handles SQL injections. I was quite sure this was done somewhere, but after some scanning through the code and the documentation I noticed I couldn't really find an answer to the question. Because security is a big issue, I would like to ask where and how ProcessWire handles SQL injections? Big thanks! Greetings, Harm.
  12. Has anyone implemented a simple method of hiding the login to PW from Googlebot and the average person clicking about a site? I want to allow clients to log in, but I assume from a security POV it's better not to have a link to, say, /processwire/ in the footer, as doing so publishes to anyone what is underneath. I know I can (and do) change the URL from /processwire/ to /something-else/, which helps, but I just wondered if anyone had implemented something better, or if in almost all cases this [change of URL] is probably perfectly adequate?