Security risk?

ayoub

31 Jan 2011
Posts: 39

Hi guys,

I've noticed that when you put "index.php?" at the end of your domain, you get the install page where you get to choose the Jojo base directory. I've checked, and even when I don't have masterpass in cache it still shows. Does this create any potential risk? Anyone can see where the Jojo base dir is installed (maybe I could treat that with ACLs).

Thank you for your consideration
Harvey (Core Developer)

31 Jan 2011
Posts: 327

This shouldn't happen once Jojo is actually installed, I'll need to do some testing to see if this is happening or not. Will patch asap if I find anything.
tom (Developer)

31 Jan 2011
Posts: 379

It does happen post-install, if you go for index.php? (rather than index.php).
ayoub

1 Feb 2011
Posts: 39

Unfortunately, as tom confirmed, it happens after install.
I found this out playing with the /actions folder and some GET and POST variables with PHP scripts, if this could help.

Thanks guys for your quick response.

ayoub

2 Feb 2011
Posts: 39

More news about this:

The first time I got this issue I was on localhost (WAMP) and it showed the folders where the Jojo base is located. However, for some reason I have a Jojo site (www(dot)mareybat-renovation(dot)com) on a Linux VPS and the page does not show the available base dirs. (I can only see this being due to file perms.)

In both cases, when you try to type anything in the field (even the real folder path), Jojo directs you to the install page and, since it doesn't exist, returns a 404 page.

Thank You
iska

9 Mar 2012
Posts: 1

The problem exists, it's true. To resolve it I changed index.php to force keeping only index.php and erase everything after:

```php
if (preg_match('/.*(index\.php).*/', $_SERVER['REQUEST_URI'], $brat)
    && file_exists('config.php') && file_exists('.htaccess')) {
    // Pick the scheme from the HTTPS flag or the SSL environment variable.
    $protocol = ((isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) || getenv('SSL_PROTOCOL_VERSION')) ? 'https://' : 'http://';
    // Rebuild the URL as scheme://host/index.php ($brat[1] is "index.php").
    $actualurl = $protocol . $_SERVER['HTTP_HOST'] . "/" . $brat[1];
    if (isset($_SERVER["HTTP_X_FORWARDED_HOST"])) {
        // When a forwarded host header is present, use it as the host instead.
        $actualurl = $protocol . $_SERVER["HTTP_X_FORWARDED_HOST"] . "/" . $brat[1];
    }
    // Strip the trailing /index.php so the redirect lands on the site root.
    $correcturl = preg_replace('%(.*)/index\\.php$%im', '$1', $actualurl);
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: $correcturl");
    exit;
}
```
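A path-preserving variant of the same redirect idea, added here as an example; it is not Jojo CMS code or iska's patch, and `canonicalUrl` and `TRUSTED_PROXY` are names assumed for this example. It treats "index.php", "index.php?" and "index.php?x=1" alike, keeps the directory part of the path, and uses X-Forwarded-Host only when the deployment is known to sit behind a proxy that sets it.

```php
<?php
// Added example, not part of Jojo CMS. Assumption: TRUSTED_PROXY is true only
// when a reverse proxy in front of the site rewrites X-Forwarded-Host itself;
// otherwise that header is just another request header and is ignored.
const TRUSTED_PROXY = false;

/**
 * Return the canonical URL to redirect to, or null when the request path
 * does not end in index.php (already canonical, so no redirect is needed).
 */
function canonicalUrl(array $server, bool $trustedProxy = TRUSTED_PROXY): ?string
{
    $path  = parse_url($server['REQUEST_URI'], PHP_URL_PATH) ?? '/';
    $query = parse_url($server['REQUEST_URI'], PHP_URL_QUERY);

    // Only act when the last path segment is index.php; $m[1] is the directory.
    if (!preg_match('%^(.*/)index\.php$%', $path, $m)) {
        return null;
    }

    $https  = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
           || getenv('SSL_PROTOCOL_VERSION');
    $scheme = $https ? 'https://' : 'http://';

    $host = $server['HTTP_HOST'];
    if ($trustedProxy && isset($server['HTTP_X_FORWARDED_HOST'])) {
        $host = $server['HTTP_X_FORWARDED_HOST'];
    }

    // Keep the directory and any non-empty query string. A bare trailing "?"
    // (the index.php? case from this thread) yields an empty or absent query
    // depending on the PHP version, and is dropped either way.
    $url = $scheme . $host . $m[1];
    if ($query !== null && $query !== '') {
        $url .= '?' . $query;
    }
    return $url;
}

// Usage at the top of index.php once the site is installed:
// "/index.php?"       -> "http://host/"
// "/about/index.php"  -> "http://host/about/"
// "/index.php?p=1"    -> "http://host/?p=1"
if (file_exists('config.php') && ($target = canonicalUrl($_SERVER)) !== null) {
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: ' . $target);
    exit;
}
```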
ayoub

9 Mar 2012
Posts: 39

This was already fixed in the SVN version.
Thanks for your reply :)