Current Events - Behind the scenes of index.php
Posted by: MGCJerry on Apr 11, 2016 @ 16:59 EDT
Last Edited: May 3, 2016 @ 21:24 EDT

Lately I've been seeing a lot of people trying to load /etc/passwd using this CMS. Sorry, my friends, the $_GET[page] request URI doesn't work like this:
index.php?page=../../../../../../../../../../../../../../../../../etc/passwd

Edited: May 3, 2016
Yea, this doesn't work either:
index.php?page=whateverpage=../../../../../../../../../../../../../../../../../etc/passwd

This CMS does NOT work like this:
include($_GET['page']);

Here is how this CMS loads pages, step by step...
First off, $_GET & $_POST are NOT used directly.
1. Bans are checked against the list. If your IP is found in the block list, all you get is a banned page and the script exits.
2. Rogue Admin rules (which are set by admins) are checked. I have "../" as a rule that triggers a ban, as well as "http://" or even "ftp://". If Rogue Admin finds these anywhere, it carries out the action that is configured for that rule and ALL site variables are set to false. Since remote requests are not utilized, I have bans set up for them. This CMS cannot load remote resources anyhow, by design.
3. "api.sanitation" removes all non-text characters from $_GET['page'] (quotes, slashes, dots, punctuation, etc.). Note: "api.sanitation" is the only place where $_GET and $_POST are used. All variables get a first sanitation pass, which creates a new global. This global is used exclusively in the CMS. If nothing is left after sanitation, the variables are unset entirely. The result is that this will show you the home page.
4. After sanitation, "header.php" fetches the current list of all pages (the menus stem from this output). If you are requesting a specific page and the page exists in the list AND is enabled, AND you have permission to see it, "header.php" will tell "index.php" what page to load from the database. If the page doesn't exist in the page list, you will get a 404 error page. If you are not allowed to see the page you get a 403 error.

Your URI actually NEVER sees the database, and is never used in a database query. It is compared to a current list of pages, and the script will build its query from its own results, never yours. Even if I deleted the http & ftp rules, there is an include restriction built into the modules system where it will once again only load a local file if it is present in its own list AND in a specific location. Else all you get is a 404, and I get an includes error report. For clarity: ?page= does NOT perform ANY file operations of any kind in any portion of the system.
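To make the four steps above concrete, here is an added example of a page loader that follows the same design (sanitize the slug to plain text, look it up in the CMS's own page list, check enabled and permission, and only ever include a module path taken from that list). This is illustrative code written for this post, not the MGCMS source; the function names (request_is_rogue, sanitize_slug, page_list, resolve_page, load_page), the role ranking and the sample page rows are all assumptions for the demo.

```php
<?php
// Added example, not MGCMS code. Names and the sample page rows are assumed.
declare(strict_types=1);

// Step 2 (Rogue Admin rules): substrings that are never legitimate here,
// because this CMS loads nothing remote and nothing outside its own list.
function rogue_rules(): array {
    return ['../', 'http://', 'ftp://'];
}

// Steps 1 and 2: refuse the request outright on an IP ban or a rule hit.
// The whole raw query string is examined after URL-decoding, so a second
// "page=" stuffed into another parameter, or "%2e%2e%2f", is caught too.
function request_is_rogue(string $rawQuery, string $ip, array $banList): bool {
    if (in_array($ip, $banList, true)) {
        return true;                         // step 1: IP is on the block list
    }
    $decoded = rawurldecode($rawQuery);
    foreach (rogue_rules() as $needle) {
        if (stripos($decoded, $needle) !== false) {
            return true;                     // step 2: configured ban action
        }
    }
    return false;
}

// Step 3 ("api.sanitation"): keep only letters and digits. Dots, slashes,
// quotes and everything else are dropped; an empty result means no page.
function sanitize_slug(?string $raw): ?string {
    if ($raw === null) {
        return null;
    }
    $clean = preg_replace('/[^A-Za-z0-9]/', '', $raw);
    return $clean === '' ? null : $clean;
}

// Step 4 ("header.php"): in the CMS this list comes from the database.
// Constructed sample rows stand in for that query.
function page_list(): array {
    return [
        'home'      => ['enabled' => true,  'min_role' => 'guest',  'module' => 'home.php'],
        'news'      => ['enabled' => true,  'min_role' => 'guest',  'module' => 'news.php'],
        'campaigns' => ['enabled' => true,  'min_role' => 'member', 'module' => 'campaigns.php'],
        'draft'     => ['enabled' => false, 'min_role' => 'guest',  'module' => 'draft.php'],
    ];
}

function role_rank(string $role): int {
    return ['guest' => 0, 'member' => 1, 'admin' => 2][$role] ?? 0;
}

// Resolves a request to [HTTP status, module file]. The module name comes
// from the page list, never from the request, so ?page= cannot name a file.
function resolve_page(?string $rawPage, string $userRole): array {
    $slug  = sanitize_slug($rawPage) ?? 'home';  // nothing left -> home page
    $pages = page_list();
    if (!isset($pages[$slug]) || !$pages[$slug]['enabled']) {
        return [404, 'errors/404.php'];
    }
    if (role_rank($userRole) < role_rank($pages[$slug]['min_role'])) {
        return [403, 'errors/403.php'];
    }
    return [200, $pages[$slug]['module']];
}

// The include restriction from the post: only a file that resolves inside
// the modules directory is ever included, otherwise 404 plus an error report.
function load_page(string $module): void {
    $modulesDir = __DIR__ . '/modules/';         // assumed location
    $path = realpath($modulesDir . $module);
    if ($path === false || strpos($path, realpath($modulesDir)) !== 0) {
        http_response_code(404);
        error_log("includes error: $module is not in the modules dir");
        return;
    }
    include $path;
}

// Demo with constructed requests; run from the CLI with `php loader.php`.
$cases = [
    ['../../../../etc/passwd', 'guest'],          // rule hit -> banned
    ['whateverpage=../../../etc/passwd', 'guest'], // rule hit -> banned
    ['news', 'guest'],                            // 200 news.php
    ['campaigns', 'guest'],                       // 403, members only
    ['campaigns', 'member'],                      // 200 campaigns.php
    ['draft', 'admin'],                           // 404, page disabled
    ['', 'guest'],                                // 200 home.php
];
foreach ($cases as [$page, $role]) {
    $query = 'page=' . rawurlencode($page);
    if (request_is_rogue($query, '203.0.113.7', ['198.51.100.9'])) {
        printf("%-48s -> banned (Rogue Admin rule)\n", $query);
        continue;
    }
    [$status, $module] = resolve_page($page, $role);
    printf("%-48s -> %d %s\n", $query, $status, $module);
}
```

The key property to notice is that the request string is used only as a lookup key against data the application already owns; the file that ends up in include comes from the page list row, so a traversal string has nothing to traverse with. The Rogue Admin check runs on the decoded raw query rather than on individual parameters, which is why the "whateverpage=../" variant from the post is caught before sanitation even runs.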

Hope you enjoyed this look behind the scenes. Remember, reading is your friend. You don't want to look like a dingus because you didn't read the documents; it's bad for your image.


MGCMS Programming by MGCJerry
Copyright © 1992-2006, 2008-2012, 2015, 2016 Jerry Meszaros (MGCJerry)
ALL RIGHTS RESERVED
Best Viewed with any modern standards compliant browser.