Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Wed Mar 31, 2004 12:47 pm Reply with quote

Please try on non production sites first.
Report any issues here if they come up.
Feedback is requested.

Function sslMyurl:
Detects if SSL is active for the current domain.
If not and Shared SSL is available on your server.
You can use Shared SSL for your important pages like logins.
If no Shared SSL is available leave empty.
$shared_ssl = "";
If no SSL is available at all it should do nothing. That is
providing the instructions for calling it are followed.

What is Shared SSL?
This is when your host allows you to access their SSL certificate
Through their domain as top level domain and your directory
below it. Like this. Only registered users can see links on this board! Get registered or login!

$shared_ssl = "www.hosts_https_domain.xxx/~user_name";

Usuage:
Warning* Backup files!

Files to edit = 3:
config.php
mainfile.php
Your_Account/index.php (You can do this with admin too. In fact I recomend it.)

First get the Shared SSL url from your host. If you haven't your own.

Lets Hack the Files:
mainfile.php
Add the function (See Below) to mainfile.php (or any common.php/vars.php this isn't nuke specific).
Just before the closing ?> is fine.

Code:


       function sslMyurl()
       {
       global $shared_ssl;
       if ($_SERVER['HTTPS'] != "on" && (getenv('HTTPS') == 'on'))  {
       $server = $_SERVER['SERVER_NAME'];
       $path = $_SERVER['REQUEST_URI'];
       $sec_url = 'https://'.$server.$path;
       header("location:".$sec_url);
       exit;
        }
       if($shared_ssl != "" && strlen($shared_ssl) > 7){
       $server = $shared_ssl;
       $path = $_SERVER['REQUEST_URI'];
       $sec_url = 'https://'.$server.$path;
       header("location:".$sec_url);
       exit;
        }
       }





Add line to config.php
Code:


$shared_ssl = "www.hosts_https_domain.xxx/~user_name";

replace Only registered users can see links on this board! Get registered or login! with your hosts shared SSl url no trailing slash.
Or if you have your own SSL leave empty.

Your_Account/index.php:
After:
require_once("mainfile.php");
Add:
Code:


 if ($_SERVER['HTTPS'] != "on"){
     sslMyurl();
  }

Next:
You will have to change any header redirects from the current page.
header("location:
With
Example:
Header("Location: modules.php?name=$module_name&file=index");

Must be changed to redirect from Only registered users can see links on this board! Get registered or login! back to Only registered users can see links on this board! Get registered or login!
Watch the slashes! if nukeurl has a trailing slash you don't add one here.
Header("Location: "$nukeurl/modules.php?name=$module_name&file=index");

If nukeurl had a trailing slash for some reason do this instead.
Header("Location: "$nukeurl.modules.php?name=$module_name&file=index");

Note*
$nukeurl will have to be declared in the global function where Header() is called.


Disclaimer*
I haven't tested this much. Then only on PHPNuke6.0!
But don't see where it should create any issues so
long as the instructions are followed. The exception
will be remotely linked images they won't be secure.
But there shouldn't be any in the areas for logins.
anyway you have them in your footer or left column.

Why bother?
Because if you have SSL available this will eliminate 99% of people logging in and raising cain on your site.

Why is that?
Because their real IP is revealed as SSL requires a direct connection to the users PC. More ISP's will respond to positive proof such as SSL connection evidence provides.

Edit* I left out the bit for Your_Account Grr! Ok is there now.
 
View user's profile Send private message
sixonetonoffun
PostPosted: Wed Mar 31, 2004 7:39 pm Reply with quote

Ok so it only kinda works. I'm still having trouble with
header("Location
I even tried using the fopen method.
Seems like the urls almost have to be be hard coded to switch from https to http. Using redirects https seems to corrupt the header. Then everything that requires user to be logged in redirects back to login again which is fine for me... but it isn't for everyone.
Had enough for the day Arrow
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Wed Mar 31, 2004 9:31 pm Reply with quote

I think you just need a little tweak Wink

change this
Code:
Header("Location: "$nukeurl.modules.php?name=$module_name&file=index");
to
Code:
Header("Location: ".$nukeurl.".modules.php?name=".$module_name."&file=index");
 
View user's profile Send private message
sixonetonoffun
PostPosted: Fri Apr 02, 2004 11:07 pm Reply with quote

Thanks Raven tip helped.

I'm going to have to check out the sessions and cookie cookie path I think to resolve all "My" issues. But the function is working Gr8! So long as all member functions are performed on the https url.

Lack of sleep was the issue that day for me. I was mistaking the above as an error with redirection when all along I was losing the sessions because of the funky domain stuff with a shared SSL. I have some code that relies on user status and it flaked of course. And when it flakes it does session_unregister() to make a complete circle of it forcing me back to tada! the login page and back to https lol!

I'll get back to it in a couple days.
 
sixonetonoffun
PostPosted: Sat Apr 03, 2004 10:44 pm Reply with quote

I think IIS users would have to add this to the function?
Code:


if(!isset($_SERVER['REQUEST_URI'])) {
       $_SERVER['REQUEST_URI'] = substr($_SERVER['argv'][0], strpos($_SERVER['argv'][0], ';') + 1);
       }


Just added it before someone says this S&$* don't work... wouldn't hurt anyway.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©