pH7Software / pH7-Social-Dating-CMS

😻 pH7Builder (formerly pH7CMS) is a Professional & Open Source Social Dating CMS written in PHP 8 🚀 This Social Dating Script aims to be low resource-intensive, powerful and secure. pH7Builder includes over 40 modules. It is the first Professional, Free & Open Source Social Dating Site Builder Software and the first choice for enterprise level Da
https://pH7Builder.com
MIT License

Block Search Engine scanning/indexing... #225

Closed craigarno closed 6 years ago

craigarno commented 6 years ago

pH7 is being considered for a new social site. The acceptance blocking "Feature" for our application is "SEO-Friendly". Our user-base must absolutely be protected from Search Engine indexing. Without the ability to block search engine access to our site, this product can't be used.

PRIVACY is a huge concern.

polynamaude commented 6 years ago

Hi,

You can use robots.txt to limit the search bot actions. You can also use a custom htaccess with limits on the user agents allowed.

But overall, I don't quite get what you are opening as an "issue", or what problems you've got.

Hope this helps

PM


polynamaude commented 6 years ago

@craigarno

Have you installed the software and looked at the available options?

You have all the liberty needed to customize it to your needs, as the source code is clean, commented and follows standard design patterns (MVC and others).

Hope this helps

PM

craigarno commented 6 years ago

To be fair, I had not installed the software. My comment was based on having read your web site claims.

I tried installing your software on Ubuntu 16.04 LTS x64, a production server, for a non-production dating site installation test/review. After reading your installation requirements/procedure I had to enable PHP's exec(), which seems a bit of a security risk, but I did it anyway for this test.

You can see the mostly non-functioning results at https://arno.com/dating. My PHP config is here: http://arno.com/info.php, and from inspection it looks like the database built correctly.

mysql Ver 14.14 Distrib 5.7.22, for Linux (x86_64) using EditLine wrapper

ph7_admins
ph7_admins_attempts_login
ph7_admins_log_login
ph7_admins_log_sess
ph7_ads
ph7_ads_affiliates
ph7_affiliates
ph7_affiliates_attempts_login
ph7_affiliates_countries
...

Install reported it completed successfully: Woohoo! pH7CMS is now installed!

I can't log in as administrator, as myself, or using my email address. The instructions seemed straightforward; they just didn't result in a functioning system.

Every attempt to login results in "The requested URL /dating/login was not found on this server."

I tried running https://arno.com/dating/WebsiteChecker.php and it just immediately returns to the non-functioning site home page.

Without a functioning system I can't determine how/if security can be handled as needed. Apparently I need help with this install.

polynamaude commented 6 years ago

@craigarno Look through the other issues and you'll find one about mod_rewrite. Make sure it's enabled and modify your htaccess if the installation folder is not at the root (/) of your server. I'd recommend creating a dedicated vhost linked to a particular hostname in Apache.

It would be a good choice (in life) to substantiate affirmations instead of making assumptions without knowledge. You made the assumption of a privacy problem based on very little information, and that is SEO-optimised. Did you know that Google's engine will calculate page loading time to establish your site ranking? So when this software compresses your pages and minifies the scripts, that's part of SEO. Does this type of SEO imply a breach of privacy? Big doubt here, so let's go on.

When our software sends the required type of search-bot tags to get your Google Juice flowing smoothly in your site but without spilling around, we also call it SEO. Security breach? I still have doubts!

I'll need more to understand how SEO-friendly can be interpreted as a privacy or security issue in this context.

Ever used Joomla? Is it because it's SEO-optimised with robots keywords and meta tags that you get all your content indexed, password protected or not? Does this system bypass your different security levels and user groups?

Same for WordPress, Drupal, Noodle, Magento and .... pH7CMS !

Like I mentioned earlier you have many options to control search engines but that's far from the pH7CMS subjects.

Honestly, it doesn't look like a professional way to act when you judge before you see.

Given the links you gave for your site, either update your htaccess file or move your site to a web root.

If we can offer such resource efficiency, it's because the software's abilities are pushed to the limit for the web server. That's why mod_rewrite is needed, and a custom htaccess. It will be much easier to move to a root folder than to modify the configuration.

Also, could you explain why you consider that exec() constitutes a security breach in the present case? Or is it simply a loose comment?

Make those changes and your website will work. It's pretty normal that you get a 404, as the rewrite system will call the base /init.ph7 or /index.php and that's probably a different system in your case.

Don't forget to star the repo as this is our paycheck for the hard work done over the years.

You can go to /_doc once installed and you'll get your documentation.

Also, a little trick: make your installation as standard as possible when you start using a piece of software (root folder of the web server in our case), as you just make it harder on yourself by customizing the standard procedure without knowing a product.

PM
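The mod_rewrite and subfolder advice above, in working form. This is an added example and not pH7CMS's own code: it derives the RewriteBase for an install that sits below the web root (the /dating case in this thread) and writes it into an .htaccess. The .htaccess content exercised here is a stand-in, not the file the project ships; the Apache module and AllowOverride checks in the comments assume a Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example (not pH7CMS code): compute and apply RewriteBase for an
# install living under the web root. Assumes Apache with mod_rewrite and
# AllowOverride All on the vhost so that .htaccess is honoured at all.

# rewrite_base_for WEBROOT INSTALLDIR -> URL path prefix, e.g. "/dating/"
rewrite_base_for() {
    root=${1%/}
    inst=${2%/}
    case "$inst" in
        "$root")    printf '/\n' ;;
        "$root"/*)  printf '%s/\n' "${inst#"$root"}" ;;
        *) printf 'error: %s is not below %s\n' "$inst" "$root" >&2; return 1 ;;
    esac
}

# set_rewrite_base FILE BASE: drop any existing RewriteBase line, then put
# "RewriteBase BASE" directly after the first "RewriteEngine On". The result
# is written back over FILE so its ownership and mode are preserved.
set_rewrite_base() {
    file=$1
    base=$2
    tmp=$(mktemp) || return 1
    grep -iv '^[[:space:]]*RewriteBase[[:space:]]' "$file" |
    awk -v base="$base" '
        { print }
        !done && tolower($0) ~ /^[ \t]*rewriteengine[ \t]+on/ { print "RewriteBase " base; done = 1 }
    ' > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
    grep -q '^RewriteBase ' "$file" || {
        printf 'warning: no "RewriteEngine On" in %s, RewriteBase not inserted\n' "$file" >&2
        return 1
    }
}

# Server-side diagnostics for the 404-on-/login symptom (need Apache, so not
# exercised here; paths assume Debian/Ubuntu):
#   apache2ctl -M 2>/dev/null | grep -q rewrite_module || sudo a2enmod rewrite
#   grep -rn 'AllowOverride' /etc/apache2/sites-enabled/   # must not be "None"
#   set_rewrite_base /var/www/html/dating/.htaccess "$(rewrite_base_for /var/www/html /var/www/html/dating)"
```

If the install is moved to the web root instead, as suggested above, the same function yields `/` and the shipped .htaccess needs no change.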

polynamaude commented 6 years ago

@craigarno You can look at the source code and you'll get a good idea about the security involved, as it was a priority when designed. As it is said in the literature.

Security also resides in your ingress and how you configured your web server. It's not a one-stop job, and even less something you'll get away with without hand-editing configuration files. Out-of-the-box and point-and-click solutions are designed to fail, as the basis of failed security is exactly finding vulnerabilities in default installations. So customizing is the way to go.

Look at the htaccess file enclosed and you'll get a good idea about filtering out unwanted user agents.

Also, for a security-conscious guy, I'd install on a test server not accessible from the Internet.

PM

pH-7 commented 6 years ago

Hi @craigarno All users registered on your website can choose to exclude their profile from search engines in their privacy settings.

[Screenshot, 2018-06-21: the user privacy settings page with the search-engine exclusion option]

Now, if you want to exclude all profiles from search engine indexes (without giving the choice to your users), you will have to modify one line of code, since the option isn't available for the moment in the admin panel.

Add

$this->excludeProfileFromSearchEngines();

in _protected/app/system/modules/user/controllers/ProfileController.php, line 60

You can do the same for the "Dating-Style Profile Page" (it is enabled in Admin Panel -> Mods -> Enable/Disable Modules); add

$this->excludeProfileFromSearchEngines();

in _protected/app/system/modules/cool-profile-page/controllers/MainController.php, line 52
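Two things a practitioner wants alongside the robots.txt / user-agent advice earlier in the thread and the per-profile exclusion just described: the site-wide Apache configuration that keeps crawlers out, and a way to verify that a fetched page really carries a noindex directive. Both follow as an added example; none of it is pH7CMS code. It assumes Apache with mod_headers and mod_rewrite and .htaccess processing enabled, and the crawler list is illustrative.

```shell
#!/bin/sh
# Added example (not pH7CMS code): site-wide search-engine exclusion plus a
# check that a response actually says "noindex".
#
# Caveats worth knowing before relying on any of this:
#  - robots.txt is advisory. A crawler that ignores it fetches anyway, and a
#    well-behaved one that is disallowed never fetches the page, so it never
#    sees the X-Robots-Tag header and may still list the bare URL if the URL
#    is linked from elsewhere.
#  - the user-agent deny and the X-Robots-Tag header cover crawlers that do
#    fetch; the two together are what "do not index" means in practice.
#  - none of this replaces authentication. Only a login wall keeps profile
#    content away from a crawler nobody has heard of yet.

# write_noindex_config WEBROOT: writes robots.txt and an .htaccess fragment.
write_noindex_config() {
    root=$1
    cat > "$root/robots.txt" <<'EOF'
User-agent: *
Disallow: /
EOF
    # Merge this at the top of the .htaccess the CMS ships, ahead of its own
    # RewriteRule lines, so the deny rule fires before any routing happens.
    cat > "$root/htaccess-noindex.conf" <<'EOF'
<IfModule mod_headers.c>
    Header always set X-Robots-Tag "noindex, nofollow, noarchive"
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (Googlebot|bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot) [NC]
    RewriteRule .* - [F,L]
</IfModule>
EOF
}

# response_is_noindexed: reads a raw HTTP response (headers and body) on stdin
# and succeeds only if it carries noindex, either as an X-Robots-Tag header or
# as <meta name="robots" content="...noindex..."> in the HTML. Header names
# are matched case-insensitively; CRLF line endings are tolerated.
response_is_noindexed() {
    resp=$(tr -d '\r')
    printf '%s\n' "$resp" | grep -iq '^x-robots-tag:.*noindex' && return 0
    printf '%s\n' "$resp" | grep -iq '<meta[^>]*name=.robots.[^>]*noindex' && return 0
    return 1
}

# Usage against a live site (not run here; hostname is a placeholder):
#   curl -si https://example.test/profile/alice | response_is_noindexed && echo excluded
```

Run the check against a profile page both as an anonymous visitor and as a logged-in user, since a profile that is only excluded when viewed by its owner is not excluded at all.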

polynamaude commented 6 years ago

@pH-7 Hi! Thanks for adding this information. It was indeed a good idea to "extract till you die" when you built the basis of pH7Cms, as it does make it easier to customize what isn't in the admin panel yet.

Thanks for the teaching part.

PM

zeerprettiggestoord commented 6 years ago

About the teaching part.... I'm using Codecademy to brush up on my HTML and CSS knowledge. Unfortunately they don't have a course in PHP anymore.

Do you guys know a similar free website to learn php?


polynamaude commented 6 years ago

@zeerprettiggestoord Hi! Could you post your question on the issue it relates to? We are already dealing with a subject here and the goal is not to finish with a "spaghetti" of different threads unrelated to each other.

We did actually close your issue, but it shouldn't make it impossible for you to write a message.

Also, if you appreciate the value-added support that is given, it would be a good thing for you to answer when we make suggestions to you. Our paycheck comes from the appreciation of the users, so instead of letting us close a thread when you got the solution, you could give a simple "thank you for your help". If you're not sure what I'm talking about, see #213.

Also, I'd suggest you read back what I said in the last message of #207, and refer you to Stack Overflow or Google. When I talked about programming support, what I meant was if you needed help with coding related to pH7CMS. What you asked here is something you could find an answer to pretty easily by yourself.

Like I said, you're just influencing the attitude people will give you, so if you ask such questions you're at risk of just getting ignored in the long run. Honestly, I just typed "php tutorial training" into Google and got many results pretty easily.

PM

craigarno commented 6 years ago

On 6/21/2018 2:18 AM, Polyna-Maude R.-Summerside wrote:

Also, could you explain why you consider that exec() constitutes a security breach in the present case ? Or is it simply a loose comment ?

Unless functions like exec() are implemented with great care, thought, and the rest of the system is locked down, again with great care, exec() allows execution of arbitrary code.

Consider exec("./install-rootkit"), or exec("cat /etc/passwd")

How could pH7 be fooled into executing these strings? (The devil is in the details) Does pH7 allow uploads? (yes) Are pH7 files writable? (yes, all installed files appear to be set to "-rwxrwxrwx" which means any file can be rewritten by any user, including www-data, which makes it much easier to find a way to inject the two simple "exec()" examples)

A quick Google search finds this https://stackoverflow.com/questions/3115559/exploitable-php-functions

... keep thinking like this and it shouldn't be long or require much imagination before an exploitable vulnerability is found.  Someone with modest skills bent on causing havoc with pH7 sites shouldn't have too much trouble exploiting a system which is mostly configured by pH7 install software.  This raises the question about how much experience, education, or skill is behind your statement "... security involved as it was a priority when designed."

Any low level "protected" account can be used to install a root-kit.  exec() allows execution of code on the target system.  I'm not about to launch an effort to find vulnerabilities in your design, but just using exec() or other command execution mechanisms on a rewritable system suggests it wouldn't take much skill, effort, imagination, or training to crack a targeted pH7 installation.

Not a loose or idle comment.

polynamaude commented 6 years ago

@craigarno Have you ever done any programming? When we use file upload there's sanitizing of the filename transmitted, so there's no possibility of a user writing a file outside of our control.

Maybe you'd be better off looking at the security alerts of some other PHP software, so you could see real-world examples and understand how those breaches work.

It's pretty much what I call loosely held talk that you served me. Basically it sounds like "enabling remote login on a server could compromise security if your username and password get discovered".

Good luck !

polynamaude commented 6 years ago

@craigarno You can bypass O/S security and become the root user with that much ease! You're a hell of a genius; go work for the NSA or MI5 and stop wasting your time with social dating.

polynamaude commented 6 years ago

@craigarno What seems to be beyond your understanding is that most pH7CMS sites are operated by developers who build upon our work, but you seem much more to be looking for something that won't require you to write a line of code. So instead of complaining you can fork, make the great modifications you suggest, then do a Pull Request. So we'll all learn and benefit from the years of experience you've got.

Easy to complain but can you do better?

polynamaude commented 6 years ago

@craigarno If you look at pH7Cms, when configured with the supplied htaccess you'll be directing your requests to index.php, and from there the request will be analyzed to serve the right controller. There are restrictions imposed by the server.

Indeed there's a possibility of file upload, but we don't use any input from the user; we identify the file type as an image, or we simply don't even get to saving it.

To be able to control what is executed by exec you need the ability to get control over the string used in the exec function and those are hard coded.

So the way we work is much like PDO prepared statements that are used to prevent SQL injection.

To believe that because we use exec() the arbitrary code could be executed is the same as saying that a web application is open to XSS because it uses Ajax or simply accept information through a POST/GET request.

I surely understand that you searched about this function and got some warnings. But to really understand what I'm saying, you can go look at the Joomla or Drupal security feeds to see what a vulnerability is, get the Metasploit framework and look into the exploits, as there's a nice example in modules/exploit/unix/webapp/joomla_media_upload_exec.rb. It works on an old version of Joomla and was fixed long ago, but is good for knowledge. You can also look at the Offensive Security exploit database.

I can understand that you put high priority on security but the warning you got is something we all get and that we deal with.

If you ask PH he could confirm, but exec() is only used for calling a local curl to get a web page loaded into the cache. But that's only valid for pH7CMS, as some external libraries use such calls; from memory that is Symfony components and Stripe. It's a function used in many packages when doing PHP.

Use grep and search the code to find occurrences if you want to see.

PM
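The argument above (hard-coded command, parameters that come from inside the application, comparison with PDO prepared statements) rests on one property: whether anything attacker-influenced is re-parsed by a shell on its way into the command. The following added example, not code from pH7CMS, shows that property in isolation. ffmpeg is stood in for by a shell function that only echoes its argument, so nothing real is executed; the PHP counterparts named in the comments are escapeshellarg() and passing a server-generated file name instead of the uploaded one.

```shell
#!/bin/sh
# Added example (not pH7CMS code): the same command, built two ways.
# fake_ffmpeg stands in for the real binary and records what it was handed.
fake_ffmpeg() {
    printf 'ffmpeg -i [%s]\n' "$1"
}

# UNSAFE: the file name is spliced into a command string and the shell parses
# the result, so ';', '|', '$(...)' and friends inside the name become
# commands. This is the shell equivalent of PHP's exec("ffmpeg -i $file")
# with an unescaped $file.
convert_unsafe() {
    eval "fake_ffmpeg $1"
}

# SAFE: the name travels as exactly one argument and is never re-parsed.
# In PHP the equivalent is escapeshellarg() around every interpolated value,
# or better, never letting an upload's original name reach the command at all
# (store the upload under a name the server chose and pass that).
convert_safe() {
    fake_ffmpeg "$1"
}

# The distinction matters even when the command itself is hard-coded: a
# "parameter that comes from inside the application" is only safe if nothing
# upstream of it (an upload's original name, a title, a URL) can reach it.
```

A file named `clip.mp4; touch pwned` runs `touch` through convert_unsafe and is merely an odd file name to convert_safe; that difference, not the presence of exec() in the codebase, is what a reviewer should be checking for.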

pH-7 commented 6 years ago

@zeerprettiggestoord You have a lot of good and very complete PHP tutorials on Udemy https://www.udemy.com/courses/search/?q=php

pH-7 commented 6 years ago

@craigarno Concerning your issue with 404 pages, maybe it's because Apache rewrite mod isn't correctly setup https://ph7cms.com/doc/en/how-to-install-rewrite-module or because .htaccess wasn't uploaded correctly to your root folder, etc. Anyway, it's a problem with your web server.

Like what @polynamaude said. There are already several other closed/solved issues with similar problem with Apache mod_rewrite.

zeerprettiggestoord commented 6 years ago

@ph7 thank you very much!


pH-7 commented 6 years ago

@craigarno Concerning the exec() function. If your web server is well configured and your server safe from intrusion, it's not risky to enable it. FYI, thousands of well-known websites use it without any troubles.

Anyway, you can still disable it! exec function is only used for the Video module (to execute FFmpeg program) and "Upgrade"/"Third-Party Module" installation wizard. If you disable it, just disable the Video module (Admin -> Mods -> Enable/Disable Modules) and don't use the "Upgrade"/"Third-Party Module" installation wizard from the admin panel, and you will be fine with it.
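Three checks that turn the claims in this thread into something verifiable on an installed tree: craigarno's observation that files were world-writable, polynamaude's suggestion to grep the code for exec() occurrences, and the option just described of disabling exec() in PHP. This is an added example and not pH7CMS code; it assumes a Linux or BSD host with POSIX find, grep, sed and awk, and INSTALL_ROOT is whatever directory the installer wrote to (for example /var/www/html/dating). The sample tree in the test is constructed.

```shell
#!/bin/sh
# Added example (not pH7CMS code): audit helpers for an installed PHP tree.

# 1. Anything anyone on the host can write (the -rwxrwxrwx case above).
#    A world-writable PHP file lets any local account, or any process that
#    ends up running as the web server's uid, plant code the server will run.
find_world_writable() {
    find "$1" -perm -002 ! -type l | sort
}

# 2. Every call into PHP's command-execution family, printed as
#    file:line:text, so "exec() is only used for ffmpeg and the upgrade
#    wizard" can be checked rather than taken on trust. The character class
#    before the name excludes '>' and ':' so that method calls such as
#    $db->exec(...) (PDO) do not show up as shell execution.
find_exec_calls() {
    find "$1" -type f -name '*.php' -exec grep -HnE \
        '(^|[^A-Za-z0-9_>:])(exec|shell_exec|system|passthru|popen|proc_open|pcntl_exec)[[:space:]]*\(' {} +
}

# 3. Does the php.ini on stdin list exec in disable_functions? That is the
#    hard stop; as noted above it also disables the Video module and the
#    upgrade / third-party-module wizard, which must then not be used.
ini_disables_exec() {
    grep -iE '^[[:space:]]*disable_functions[[:space:]]*=' \
        | sed 's/^[^=]*=//' | tr ',' '\n' | tr -d ' \t' | grep -qix 'exec'
}

# Remediation for (1): directories 755, files 644, owned by a deploy user
# rather than the web server. Afterwards grant the web server uid write
# access only on the data directories the install documentation lists as
# needing it (that list belongs to the project, so it is not hard-coded here).
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Typical run (INSTALL_ROOT is an assumption, not a project constant):
#   find_world_writable /var/www/html/dating
#   find_exec_calls /var/www/html/dating
#   ini_disables_exec < /etc/php/7.2/apache2/php.ini && echo "exec disabled"
```

Read the output of find_exec_calls by hand: what matters for each hit is where its arguments come from, which no grep can tell you.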

pH-7 commented 6 years ago

P.S. Finally, don't forget to star the GitHub repo and leave a nice review. All the hard work here is done by volunteers, so I would really appreciate it if you could do something like this ;)

polynamaude commented 6 years ago

@pH-7 Hi, I found exec() in the Symfony dependency but I got it wrong as Stripe is using curl_exec.

I looked at Video.class.php and everything looks pretty much clean, as the command is hard-coded (ffmpeg), same for the options; the parameters come from inside pH7Cms and nothing can be user-controlled.

The main failing point on big PHP projects is opening the API to extensions that won't be as secure as the core, because they are often ill-tested. Nothing we get close to here. There's also the necessity for backward compatibility that messes everything up in the long run.

I'm running some XSS tests and other security hunting. I'll send you the results when completed.

Thanks for adding correction.

pH-7 commented 6 years ago

@polynamaude Thanks for these details! 😃 That's great for the XSS tests you are running :)

pH-7 commented 6 years ago

I'm closing this issue now, since initial question has been answered, and it now goes to other unrelated things. Please open a new issue for further matters.

Remember, one issue = ONE question/problem.

polynamaude commented 6 years ago

@pH-7 Good thing to be reminded one issue/one thing

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. Thanks, Pierre-Henry