Closed prbt2016 closed 4 years ago
Hello @BSteelooper;
There is an issue with the syntax in this function in the latest patch file i.e data/inc/functions.admin.php:
You need to change this function i.e :
function requestedByTheSameDomain() { if(isset($_SERVER['SCRIPT_URI'])){ $myDomain = $_SERVER['SCRIPT_URI']; } elseif(isset($_SERVER['SCRIPT_URI'])){ $myDomain = $_SERVER['SCRIPT_URI']; } else { $myDomain = $null; } if(isset($_SERVER['HTTP_REFERER'])){ $requestsSource = $_SERVER['HTTP_REFERER']; } else { $requestsSource = $null; } if ($mydomain != $null and $requestsSource != $null ){ return parse_url($myDomain, PHP_URL_HOST) === parse_url($requestsSource, PHP_URL_HOST); } else { show_error("Be carefull with clicking links, they might compromise your website. Your installation is not secured with measures to protect it.", 1); return $true; } }
to
function requestedByTheSameDomain() { if(isset($_SERVER['SCRIPT_URI'])){ $myDomain = $_SERVER['SCRIPT_URI']; }else { $myDomain = null; } if(isset($_SERVER['HTTP_REFERER'])){ $requestsSource = $_SERVER['HTTP_REFERER']; } else { $requestsSource = null; } if ($myDomain != null and $requestsSource != null ){ return parse_url($myDomain, PHP_URL_HOST) === parse_url($requestsSource, PHP_URL_HOST); } else { show_error("Be carefull with clicking links, they might compromise your website. Your installation is not secured with measures to protect it.", 1); return true; } }
I drafted a new release: https://github.com/pluck-cms/pluck/releases/tag/4.7.11-dev2 Can you verify this. I think it will solve the issues. Only changing the $null tot NULL was not the problem. the handling I created wrong.
On CentOS there are $_Server variables missing or not filled in which are available on other distributions.
Could you verify it works on your install?
Thanks @BSteelooper,
The patch works absolutely fine as now you have used $_SERVER['HTTP_HOST'] to check the domain. But since $_SERVER['HTTP_REFERER'] is not getting detected it throws this error i.e
Be carefull with clicking links, they might compromise your website. Your installation is not secured with measures to protect it. This is due to the condition i.e elseif ($myDomain == NULL || $requestsSource == NULL).
if ($myDomain != NULL && $requestsSource != NULL && (strcmp(trim($myDomain), trim($referelDomain)) === 0) ){
return true;
} elseif ($myDomain == NULL || $requestsSource == NULL) {
show_error("Be carefull with clicking links, they might compromise your website. Your installation is not secured with measures to protect it.", 1);
return true;
} else {
return false;
}
Is this the correct way it is supposed to work ?
Yes this is the correct way for this version. I am working on a different solution where I don’t have to rely on the REFERER. But this impacts every part of the site and will not be ready easily. The REFERER is send through the browser and if it is not available the privacy settings in your browser are to strict. If you click a submit link in a mail or through an other website which is crafted to hyjack your website this is possible if your browser does not send the REFERER. If I remove this elseif, you will not be able to access the admin panel.
I will release 4.7.11 later today
Thanks for the release @BSteelooper .!!!
Hello ,
After successful manual installation of Pluck 4.7.10 . I get the following issue while accessing the admin panel i.e :
Notice: Undefined index: SCRIPT_URI in /{{PATH}}/{{TO}}/{{PLUCK}}/data/inc/functions.admin.php on line 654
Notice: Undefined index: HTTP_REFERER in /{{PATH}}/{{TO}}/{{PLUCK}}/data/inc/functions.admin.php on line 655
Warning: Cannot modify header information - headers already sent by (output started at /{{PATH}}/{{TO}}/{{PLUCK}}/data/inc/functions.admin.php:654) in /{{PATH}}/{{TO}}/{{PLUCK}}/admin.php on line 305
I checked by print_r($_SERVER) to check whether these superglobal variables are present and I found that these aren't present. As the function requestedByTheSameDomain() in /{{PATH}}/{{TO}}/{{PLUCK}}/data/inc/functions.admin.php uses '$_SERVER['SCRIPT_URI']' and '$_SERVER['HTTP_REFERER']' for parsing URLs and these aren't found, so it throws the above issue.
I tested the script on the following environment :
PHP Version - 7.0 Apache Version - 2.2.34 O.S - CentOS release 6.4 (Final)
I also tested on another server with same above configuration and on Apache 2.4.39. There too I get the same issue. There too i checked with print_r for '$_SERVER['SCRIPT_URI']' and '$_SERVER['HTTP_REFERER']' weren't present.
Could you please check and replicate this issue at your end and fix this asap?