Search the Community

Showing results for tags 'security'.




Found 29 results

  1. I've been working with ProcessWire for a while now, and I've noticed that using Composer to manage dependencies and autoload external libraries isn't as prevalent in ProcessWire development as in other areas of PHP programming. I started out by using the default setup recommended in this blogpost. However, one major problem I have with this approach is that all external dependencies live in the webroot (the directory the server points to), which is unfavourable from a security standpoint and, in my opinion, just feels a bit messy.

     In this tutorial, I want to go through a quick setup of Composer and ProcessWire that keeps the dependencies, all custom-written code and other source material outside of the webroot, and makes full usage of the Composer autoloader. This setup is pretty basic, so this tutorial is probably more useful to beginners (this is why I'll also include some general information on Composer), but hopefully everyone can take something away from this for their personal workflow.

     Site structure after setup

     This is what the directory structure can look like after the setup:

         .
         ├── composer.json
         ├── composer.lock
         ├── node_modules
         │   └── ...
         ├── public
         │   ├── index.php
         │   ├── site
         │   ├── wire
         │   └── ...
         ├── package-lock.json
         ├── package.json
         ├── sass
         │   ├── main.scss
         │   ├── _variables.scss
         │   └── ...
         ├── src
         │   ├── ContentBag.php
         │   └── ...
         └── vendor
             ├── autoload.php
             ├── composer
             ├── league
             ├── symfony
             └── ...

     As mentioned, the main point of this setup is to keep all external libraries, all other custom source code and resources out of the webroot. That includes Composer's vendor folder, your node_modules and JavaScript source folder if you are compiling JavaScript with webpack or something similar and including external scripts via NPM, or your CSS preprocessor files if you are using SASS or LESS. In this setup, the public directory acts as the webroot (the directory that is used as the entry point by the server, DocumentRoot in the Apache configuration). So all other files and directories in the mysite folder aren't accessible over the web, even if something goes wrong. One caveat of this setup is that it's not possible to install ProcessWire modules through Composer using the PW Module Installer (see the blogpost above), but that's just a minor inconvenience in my experience.

     Installation

     You'll need to have Composer installed on your system for this. Installation guides can be found on getcomposer.org. First, open up your shell and navigate to the mysite folder.

         $ cd /path/to/mysite/

     Now, we'll initialize a new Composer project:

         $ composer init

     The CLI will ask some questions about your project. Some hints if you are unsure how to answer the prompts:

     • Package names are in the format <vendor>/<project>, where vendor is your developer handle. I use my Github account, so I'll put moritzlost/mysite (all lowercase).
     • Project type is project if you are creating a website.
     • Author should be in the format Name <email>.
     • Minimum Stability: I prefer stable; this way you only get stable versions of dependencies.
     • License will be proprietary unless you plan on sharing your code under a FOSS license.
     • Answer no to the interactive dependencies prompts.

     This creates the composer.json file, which will be used to keep track of your dependencies. For now, you only need to run the composer install command to initialize the vendor directory and the autoloader:

         $ composer install

     Now it's time to download and install ProcessWire into the public directory:

         $ git clone https://github.com/processwire/processwire public

     If you don't use git, you can also download ProcessWire manually. I like to clean up the directory after that:

         $ cd public
         $ rm -r .git .gitattributes .gitignore CONTRIBUTING.md LICENSE.TXT README.md

     Now, set up your development server to point to the /path/to/mysite/public/ directory (mind the public/ at the end!) and install ProcessWire normally.

     Including & using the autoloader

     With ProcessWire installed, we need to include the Composer autoloader. If you check ProcessWire's index.php file, you'll see that it tries to include the autoloader if present. However, this assumes the vendor folder is inside the webroot, so it won't work in our case. One good place to include the autoloader is using a site hook file. We need the autoloader as early as possible, so we'll use init.php:

         <?php
         // public/site/init.php
         namespace ProcessWire;

         // The vendor directory lives one level above the webroot (public/), so resolve
         // the path relative to this file instead of the include path or working directory.
         require __DIR__ . '/../../vendor/autoload.php';

     This has one caveat: since this file is executed by ProcessWire after all modules had their init methods called, the autoloader will not be available in those. I haven't come across a case where I needed it this early so far; however, if you really need to include the autoloader earlier than that, you could just edit the lines in the index.php file linked above to include the correct autoloader path. In this case, make sure not to overwrite this when you update the core!

     Now we can finally include external libraries and use them in our code without hassle! I'll give you an example. For one project, I needed to parse URLs and check some properties of the path, host etc. I could use parse_url; however, that has a couple of downsides (specifically, it doesn't throw exceptions, but just fails silently). Since I didn't want to write a huge error-prone regex myself, I looked for a package that would help me out. I decided to use this URI parser, since it's included in the PHP League directory, which generally stands for high quality. First, install the dependency (from the project root, the folder your composer.json file lives in):

         $ composer require league/uri-parser

     This will download the package into your vendor directory and refresh the autoloader. Now you can just use the package in your own code, and Composer will autoload the required class files:

         <?php
         // public/site/templates/basic-page.php
         namespace ProcessWire;

         use League\Uri\Parser;

         // ...
         if ($url = $page->get('url')) {
             $parser = new Parser();
             $parsed_url = $parser->parse($url);
             // do stuff with $parsed_url ...
         }

     Wiring up custom classes and code

     Another topic that I find really useful but often gets overlooked in Composer tutorials is the ability to wire up your own namespace to a folder. So if you want to write some object-oriented code outside of your template files, this gives you an easy way to autoload those using Composer as well. If you look at the tree above, you'll see there's a src/ directory inside the project root, and a ContentBag.php file inside. I want to connect classes in this directory with a custom namespace to be able to have them autoloaded when I use them in my templates. To do this, you need to edit your composer.json file:

         {
             "name": "moritzlost/mysite",
             "type": "project",
             "license": "proprietary",
             "authors": [
                 {
                     "name": "Moritz L'Hoest",
                     "email": "info@herebedragons.world"
                 }
             ],
             "minimum-stability": "stable",
             "require": {},
             "autoload": {
                 "psr-4": {
                     "MoritzLost\\MySite\\": "src/"
                 }
             }
         }

     Most of this stuff was added during initialization; for now, take note of the autoload information. The syntax is a bit tricky, since you have to escape the namespace separator (backslash) with another backslash (see the documentation for more information). Also note the PSR-4 key, since that's the standard I use to namespace my classes. The line "MoritzLost\\MySite\\": "src/" tells Composer to look for classes under the namespace \MoritzLost\MySite\ in the src/ directory in my project root. After adding the autoload information, you have to tell Composer to refresh the autoloader information:

         $ composer dump-autoload

     Now I'm ready to use my classes in my templates. So, if I have this file:

         <?php
         // src/ContentBag.php
         namespace MoritzLost\MySite;

         class ContentBag
         {
             // class stuff
         }

     I can now use the ContentBag class freely in my templates without having to include those files manually:

         <?php
         // public/site/templates/home.php
         namespace ProcessWire;

         use MoritzLost\MySite\ContentBag;

         $contentbag = new ContentBag();
         // do stuff with $contentbag ...

     Awesome! By the way, in PSR-4, sub-namespaces correspond to folders, so I can put the class MoritzLost\MySite\Stuff\SomeStuff in src/Stuff/SomeStuff.php and it will get autoloaded as well. If you have a lot of classes, you can group them this way.

     Conclusion

     With this setup, you are following secure practices and have much flexibility over what you want to include in your project. For example, you can just as well initialize a JavaScript project by typing npm init in the project root. You can also start tracking the source code of your project inside your src/ directory independently of the ProcessWire installation. All in all, you have good separation of concerns between ProcessWire, external dependencies, your templates and your OOP code, as well as another level of security should your server or CGI handler ever go AWOL.

     You can also build upon this approach. For example, it's good practice to keep credentials for your database outside the webroot. So you could modify the public/site/config.php file to include a config or .env file in your project root and read the database credentials from there.

     Anyway, that's the setup I came up with. I'm sure it's not perfect yet; also this tutorial is probably missing some information or isn't detailed enough in some areas depending on your level of experience. Feel free to ask for clarification, and to point out the things I got wrong. I like to learn as well. Thanks for making it all the way to the bottom. Cheers!
  2. flydev

    Presentation

    Originally developed by Jeff Starr, Blackhole is a security plugin which traps bad bots, crawlers and spiders in a virtual black hole. Once the bots (or any virtual user!) visit the black hole page, they are blocked and denied access for your entire site. This helps to keep nonsense spammers, scrapers, scanners, and other malicious hacking tools away from your site, so you can save precious server resources and bandwidth for your good visitors.

    How It Works

    You add a rule to your robots.txt that instructs bots to stay away. Good bots will obey the rule, but bad bots will ignore it and follow the link... right into the black hole trap. Once trapped, bad bots are blocked and denied access to your entire site. The main benefits of Blackhole include: bots have one chance to obey your site’s robots.txt rules. Failure to comply results in immediate banishment.

    Features

    • Disable Blackhole for logged-in users
    • Optionally redirect all logged-in users
    • Send alert email message
    • Customize email message
    • Choose a custom warning message for bad bots
    • Show WHOIS lookup information
    • Choose a custom blocked message for bad bots
    • Choose a custom HTTP status code for blocked bots
    • Choose which bots are whitelisted or not

    Instructions

    1. Install the module
    2. Create a new page and assign to this page the template "blackhole"
    3. Create a new template file "blackhole.php" and call the module: $modules->get('Blackhole')->blackhole();
    4. Add the rule to your robots.txt
    5. Call the module from your home.php template: $modules->get('Blackhole')->blackhole();

    Bye bye bad bots!

    Downloads

    • https://github.com/flydev-fr/Blackhole
    • http://modules.processwire.com/modules/blackhole/

    Enjoy
  3. Greetings. I would like to restrict access to certain sections of my organization's ProcessWire site using pubcookie. We are rolling out Shibboleth authentication later this year but for now, it seems I can only make use of our institution's single sign-on routine by utilizing rules in an .htaccess file. I am wondering if there is a way to ask PW to apply these rules to certain pages in the site, whether via template type or location in the page tree:

         AuthType UWNetID
         PubcookieAppID "MyApplication"
         require type staff faculty
  4. Hi all, Apologies if this has been asked in the past. We have a test site set up and running on HTTPS with redirect from HTTP. The site is protected from DDoS and arbitrary malicious attack by CloudFlare. From what I can see the administrative login page is still vulnerable to dictionary attacks. Clearly disabling the admin account and the use of strong passwords are two methods to minimise the success of such attacks. Questions:

     1. Is it possible to rename the /processwire URL?
     2. Is there any two factor support out there? I've checked out Duo and Okta, however PW is not supported?
     3. Is there any way to add CAPTCHA or second factor security questions to the login process?
     4. Is there any form of anti-hammer available? For example, repeated failed login attempts from the same source are blocked for a period of time after a finite number of failures?

     Any other suggestions gratefully appreciated.
  5. The 2018 Guide to Building Secure PHP Software
  6. HELLO! Anyone ever used Authy.com or Google Authenticator on their ProcessWire projects?
  7. Hi, I'm new to PW and like it a lot so far. With most WordPress and Drupal websites there are frequent updates to core & plugins; some of these are security releases so I tend to install any updates ASAP. When supporting many websites this update fatigue is pretty tiresome. What is your update strategy when maintaining PW sites? Would be interested to hear if you think it is valid to perhaps do a quarterly update or perhaps only even update yearly if there are no security announcements? Also just to clarify, is there a security mailing list we should subscribe to just in case an urgent fix is ever released? Thanks!
  8. benbyf

    Hi, I posted a question on Stack and as yet not got an answer that is something novel. I'm interested to know if this worries anyone else and whether we can do something about it. So here goes: If a user logs in to your online service, let's say a job posting site, they give you an email and password to access your service later... Let's say a malicious person with access to the server could write into the template to store the passwords as plain text somewhere. Given that people generally don't use a new password for each website, now that malicious person has the potential to access other online services using these details (where there isn't any secondary security like 2-factor). Is there anything we can do to battle this? In an ideal world, maybe setting up a zero-knowledge algorithm to log people in and out... https://security.stackexchange.com/questions/155806/what-to-do-about-compremised-passwords-through-malicious-sites-or-site-hacks/155823#155823 food for thought
  9. Hey guys, I'm building a module to keep a user logged in until manual logout. I know about Login Persist, but this one stopped working for me a while ago and it might not even be compatible with PW3 (haven't tested this) as it hasn't been updated for 3 years. Anyway, the module works, and now I want to secure user edit screens, namely ProcessPageEdit (any user template, as there might be multiple) and ProcessProfile, by requiring the current password. I know how to add the additional input (added by hooking into ProcessProfile::execute and ProcessPageEdit::buildForm or Page::render) but I don't know how to intercept the saving and cancel the save if the password doesn't match. I thought about emptying $input->post (don't even know if this works?) if not valid, but it would be nice not to lose the changed data but instead just notify the user about a wrong password. Would love to get some thoughts and input on this.
  10. Hi all guys! I've a BIG problem here and hope you can help me to solve it. Suddenly yesterday my PW installation stopped letting me log in. I can access the front-end, but each time I try to log into the back-end it gives me "This request was aborted because it appears to be forged." I already have searched the forum and tried every possible solution, without any result. In order:

      • site/config.php is readable
      • site/assets/{cache,logs,sessions} is present and 0755 (and setting them to 0777 doesn't make any difference)
      • tried to back up the site/assets/sessions directory and make another new empty one
      • nothing is changed with user:group permissions
      • setting $protectCSRF, $sessionChallenge, and $sessionFingerprint to false, the error disappears but the login page still remains
      • making the sessions table empty doesn't make any difference
      • enabled/disabled the www. redirection in .htaccess, just in case, but nothing
      • enabled $debug and no error
      • removed cookies
      • restarted the server

      Anybody has an idea?
  11. GKrabach

    For an inherited site, I have a section in the ProcessWire admin section with Tools and Settings as children. Unfortunately, I don't have access to these, even as admin. I know this is controlled in the database, but I don't see any way to change the permissions. Through some research, it looks like you can adjust that through Setup > Templates > Edit Template > Access; however, "Templates" doesn't show up under Setup either. Any advice is appreciated.
  12. Hi, I just noticed that when I disable the X-Powered-By header, the header remains with a blank value. Why is that? I did a couple of tests, ran with header check tools, and all the tools I tested show me the X-Powered-By header with a blank value; Chrome also shows it that way, but Firefox removes it if it doesn't have a value.
  13. Studio TOMIS

    I'm working on a website for a client using ProcessWire. The client had some questions concerning security that I'm not able to answer, so I hope you guys can help me out. In general I was wondering if there are any logs about bug fixes and security updates. Has ProcessWire ever been hacked? And how will the security be guaranteed in the future? Since the platform is growing, I might imagine so will the amount of attacks. For instance, one thing I noticed is that the .htaccess file changed between 2.7 and 2.6; was this because of security leaks or because of other reasons?
  14. Hello, Here is a security related feature request. I am having more and more use of $page->id as a GET or POST parameter, for various workflows in the frontend site. ProcessWire itself is making use of it at some places related to the frontend, e.g. for the comments submission workflow. My problem is: this is an absolute AND predictable value, from 0 to N. So, when used for submission by the users, it allows a malicious user to forge requests in order to perform a FULL crawling of the website pages, even pages that are otherwise not accessible by following the website links. Of course, ProcessWire access permissions apply; but then, any site-specific permission weakness will result in information disclosure. Overall, this is not very satisfying.

      What would be best, instead, is the ability to make use of an absolute AND NOT predictable value: a $page->encodedId (built with something like http://hashids.org/php/), along with a convenience method getDecodedId() for retrieving the associated $page->id. Fact is, I am doing something similar to this in the templates which need it. And, for easier usage, I plan to generalize this to all templates, with some coding which implies hooks on template creation & on page creation, for automatically adding a $page->encodedId field at each template creation + automatically populating its value at each page creation/cloning. But before I go into this, I would like to submit this feature request: I would rather have this in the ProcessWire core. ProcessWire itself would directly benefit from this feature (see the comments submission workflow, for instance). I hope it makes sense for someone else than me. cheers
  15. Hello! I'm quite new to ProcessWire. Currently I'm selling my first ProcessWire based site to a customer. She is thrown out of the admin interface often. The session logs, which are attached, are showing that her IP changes to 0.0.0.0 periodically. She is using Mac OS X Lion with the bundled Safari. How can I work out the issue? Thanks for your help laufi
  16. kixe

    Since I am logging 404 requests I very often recognize requests searching for potential security gaps (mostly targeting other CMSs like WordPress). I am not a specialist in this complex theme. Besides the security docs: https://processwire.com/docs/security/ I would like to have a subforum 'security' where tried or real attacks, potential lack of security, prevention etc. could be discussed.
  17. Hi, I am currently experimenting with Google Polymer / Web Components, which relies on HTML imports. I noticed that ProcessWire's .htaccess blocks access to .html files in the template folder.

          # Block access to any PHP or markup files in /site/templates/
          RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ [OR]

      Is it safe to re-allow access to .html files in "/templates"? Or maybe just to a specific subfolder, like "templates/html-imports/*.html"?
  18. Vayu Robins

    Hi. I am no PHP expert and have mostly done WordPress development during the last many years, so I am more used to the WordPress codebase than anything else. I have learned that it is good practice to escape your output with different WordPress functions, such as esc_attr, esc_url, esc_html etc. There is a list of functions here: https://codex.wordpress.org/Data_Validation Here is an example, taken from this tutorial: http://code.tutsplus.com/tutorials/data-sanitization-and-validation-with-wordpress--wp-25536

        <h1><?php echo esc_html($title); ?></h1>

    I am aware that there are some sanitation functions in ProcessWire, but I have not seen any for this kind of output. Nor have I found any articles/posts about this kind of practice for ProcessWire. The $sanitizer seems to be more specifically used for form input data. However, I assume that this is something one should consider in any PHP environment and not only in WordPress? Am I right? I am simply posting this question here, because I am a bit unsure and would love to hear what other PHP developers here think about this and what is best to do in the ProcessWire environment. Looking forward to any feedback or input on this subject.
  19. Vineet Sawant

    Hello, I've created an enterprise management system with ProcessWire where employees log in to the system and perform various tasks, such as creating invoices, adding client information, creating/answering support tickets etc. The client is very much concerned about data security and data alteration by unauthorized persons. So I've been asked to make sure the system is very secure and there's no way to alter or leak the company information in any way. While I'm already doing the required validation & making sure the user is authorized by making them log in to the system, what else should I consider to make the system safer? Just wanted to have a better understanding of ProcessWire's security mechanism & how to make it better. Thanks everyone.
  20. Macrura

    I have a client who is a record label and they need to have some pages for promoting albums, where there can be a password they give to a reviewer, so the reviewer can go to the URL, type in the password, and be able to view the content (which will be streaming audio and downloads of the album in question). I have found some simple ways online to do this with PHP, but I'm wondering if there is a better/simpler way to interact with the PW session to achieve this. The client doesn't want to have to add roles/users or deal with permissions... they just want to have an input field where they can put in the password for that album... TIA, Marc
  21. aren

    Hi guys, I have a few questions regarding a few common practices when dealing with CMSes:

    1. How can I install ProcessWire above the root for better security?
    2. How can I change the default folder for uploading images? For example, I'd like to create a folder /uploads in the root and have all my uploaded images in there. And can I have multiple folders or just one folder for all images?
    3. Is it possible to have site assets (css, js etc) stored in a folder /assets in the root?

    If you have other common practices or security tips etc and you'd like to share, please do.
  22. This post is like these two but I've not been able to fix my problem reading those threads (perhaps partly because I don't fully understand some of the exchanges as they skip past things I am not familiar with). With debug turned on, when I try to login I am getting (domain and password substituted out):

          TEMPLATEFILE : UNABLE TO GENERATE PASSWORD HASH
          #0 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/PASSWORD.PHP(33): PASSWORD->HASH('MY-PASSWORD')
          #1 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/SESSION.PHP(310): PASSWORD->MATCHES('MY-PASSWORD')
          #2 [INTERNAL FUNCTION]: SESSION->___AUTHENTICATE(OBJECT(USER), 'MY-PASSWORD')
          #3 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(271): CALL_USER_FUNC_ARRAY(ARRAY, ARRAY)
          #4 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(229): WIRE->RUNHOOKS('AUTHENTICATE', ARRAY)
          #5 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/SESSION.PHP(262): WIRE->__CALL('AUTHENTICATE', ARRAY)
          #6 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/SESSION.PHP(262): SESSION->AUTHENTICATE(OBJECT(USER), 'MY-PASSWORD')
          #7 [INTERNAL FUNCTION]: SESSION->___LOGIN('ADMIN', 'MY-PASSWORD')
          #8 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(271): CALL_USER_FUNC_ARRAY(ARRAY, ARRAY)
          #9 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(229): WIRE->RUNHOOKS('LOGIN', ARRAY)
          #10 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/MODULES/PROCESS/PROCESSLOGIN/PROCESSLOGIN.MODULE(77): WIRE->__CALL('LOGIN', ARRAY)
          #11 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/MODULES/PROCESS/PROCESSLOGIN/PROCESSLOGIN.MODULE(77): SESSION->LOGIN('ADMIN', 'MY-PASSWORD')
          #12 [INTERNAL FUNCTION]: PROCESSLOGIN->___EXECUTE()
          #13 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(271): CALL_USER_FUNC_ARRAY(ARRAY, ARRAY)
          #14 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(229): WIRE->RUNHOOKS('EXECUTE', ARRAY)
          #15 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/PROCESSCONTROLLER.PHP(194): WIRE->__CALL('EXECUTE', ARRAY)
          #16 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/PROCESSCONTROLLER.PHP(194): PROCESSLOGIN->EXECUTE()
          #17 [INTERNAL FUNCTION]: PROCESSCONTROLLER->___EXECUTE()
          #18 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(271): CALL_USER_FUNC_ARRAY(ARRAY, ARRAY)
          #19 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(229): WIRE->RUNHOOKS('EXECUTE', ARRAY)
          #20 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/ADMIN.PHP(45): WIRE->__CALL('EXECUTE', ARRAY)
          #21 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/ADMIN.PHP(45): PROCESSCONTROLLER->EXECUTE()
          #22 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/SITE/TEMPLATES-ADMIN/CONTROLLER.PHP(13): REQUIRE('/VAR/WWW/VHOSTS...')
          #23 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/SITE/TEMPLATES/ADMIN.PHP(13): REQUIRE('/VAR/WWW/VHOSTS...')
          #24 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/TEMPLATEFILE.PHP(125): REQUIRE('/VAR/WWW/VHOSTS...')
          #25 [INTERNAL FUNCTION]: TEMPLATEFILE->___RENDER()
          #26 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(271): CALL_USER_FUNC_ARRAY(ARRAY, ARRAY)
          #27 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(229): WIRE->RUNHOOKS('RENDER', ARRAY)
          #28 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/MODULES/PAGERENDER.MODULE(250): WIRE->__CALL('RENDER', ARRAY)
          #29 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/MODULES/PAGERENDER.MODULE(250): TEMPLATEFILE->RENDER()
          #30 [INTERNAL FUNCTION]: PAGERENDER->___RENDERPAGE(OBJECT(HOOKEVENT))
          #31 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(271): CALL_USER_FUNC_ARRAY(ARRAY, ARRAY)
          #32 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(229): WIRE->RUNHOOKS('RENDERPAGE', ARRAY)
          #33 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(293): WIRE->__CALL('RENDERPAGE', ARRAY)
          #34 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(293): PAGERENDER->RENDERPAGE(OBJECT(HOOKEVENT))
          #35 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(229): WIRE->RUNHOOKS('RENDER', ARRAY)
          #36 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/MODULES/PROCESS/PROCESSPAGEVIEW.MODULE(97): WIRE->__CALL('RENDER', ARRAY)
          #37 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/MODULES/PROCESS/PROCESSPAGEVIEW.MODULE(97): PAGE->RENDER()
          #38 [INTERNAL FUNCTION]: PROCESSPAGEVIEW->___EXECUTE()
          #39 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(271): CALL_USER_FUNC_ARRAY(ARRAY, ARRAY)
          #40 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/WIRE/CORE/WIRE.PHP(229): WIRE->RUNHOOKS('EXECUTE', ARRAY)
          #41 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/INDEX.PHP(192): WIRE->__CALL('EXECUTE', ARRAY)
          #42 /VAR/WWW/VHOSTS/EXAMPLE.COM/HTTPDOCS/INDEX.PHP(192): PROCESSPAGEVIEW->EXECUTE()
          #43 {MAIN}

      So far I have:

      • replaced /wire/ with a fresh 2.3 copy
      • set /site/assets/cache/ plus all contents to 777
      • set /site/assets/sessions/ plus all contents to 777
      • installed a copy of PW 2.3 in a sub-domain and checked it can login OK (server environment check) and all OK

      I am able to update the site by updating locally and then export/importing the database. I would be grateful for any suggestions as to how I can solve this, thanks in advance for comments!
  23. I am stuck. Seven days ago, something changed such that when users try to upload images to my PW site, the images are posted to the page, but they show up as zero bytes. The folder is created in the files folder, the image name is recorded, the type of file is recorded, but the byte size is zero. When I looked into the problem this morning, I received the "This request was aborted because it appears to be forged." message whenever I tried to upload images. Turning off protectCSRF in the config file suppresses the aborted image message and now I just get the zero-byte image bug, but I don't know why. I've checked permissions on the files directory, changed it recursively to 777 and then back to 755 with no change. I checked that I have active sessions, logs, and cache folders. I checked on the permissions of the config.php file. I changed the sessionName, and turned off the challenge and fingerprint functions but nothing is budging. I installed a new PW site yesterday and so I keep thinking something is colliding but it looks like the images have been failing to write to the files directory for the last week. I'm getting the same results in multiple browsers after any number of cache-clears so I don't think it is client-side. This is a look at the PHPinfo for the site. Best wishes, J
  24. Some interesting reads for those interested in security: Well, it should be mandatory for every webdev to know these things or at least care about them. Hack yourself first - how to go on the offence before online attackers do http://www.troyhunt.com/2013/05/hack-yourself-first-how-to-go-on.html Feel free to discuss or post other articles about the subject.
  25. Hello all, Once again, just want to comment on how good I truly believe PW to be. I do have a few questions about security though - more specifically about the system's way of handling XSS. I've not really found anything on PW's security practices and exploit prevention precautions. Is page content filtered client side on submit? I noticed disabling JavaScript on the admin pages meant that script tags could make it through. What is the practice for cleaning harmful code on output? I've noticed there's a sanitizer API. Is there a way to enable the sanitizer for all fields by default, so I don't have to keep calling it in the templates for every field? Is it safe to assume that input on fields is automatically escaped to prevent SQL injection? Are admin functions protected from CSRF attacks? I am aware of the HTMLPurifier plugin but this appears to be an optional plugin. Finally, a quick question about performance. I've enabled debugging and found that there are 47 queries running on an (admin) page load. Is this going to cause problems for upwards scaling in the future? If these questions have been answered elsewhere, please point in the direction of the answers. Cheers and thanks again. Edit: I can't find any reference of XSS cleaning functionality at all. Not even the sanitizer seems to have this functionality. Is everything really done on the client by TinyMCE? Looks like the sanitizer class does indeed have some cleaning functionality.