Ravens PHP Scripts: Forums
 

 

derek765
Regular

Posted: Sat Dec 22, 2012 1:14 am

Was browsing and studying some of RavenNuke's coding and came by this in /modules/Your_Account/includes/constants.php

Code:


if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
   header('Location: index.php');
   exit('Access Denied');
}
//define('RNYA_DOMAINNAME', 'underground-king.com');
//if (($_SERVER['SERVER_NAME'] != RNYA_DOMAINNAME OR $_SERVER['SERVER_NAME'] != RNYA_DOMAINNAME) AND RNYA_DOMAINNAME != '') {exit();}
define('RNYA', true);
?>


Now I uncommented the define and if, and refreshed my website and I got the white screen of death Laughing

Now what I would like to know, how is this providing any extra protection via Your_Account, and what is causing the white screen?
 
spasticdonkey
RavenNuke(tm) Development Team




Posted: Sat Dec 22, 2012 2:12 am

If you are testing this locally, it should produce a white page as the domain does not match, i.e.
define('RNYA_DOMAINNAME', 'localhost');

I tried it on a live site and didn't have any issues, but I don't use www in the url. You could try to echo the value of
echo $_SERVER['SERVER_NAME'];
somewhere (not within that file) as that is what should be defined. It just adds extra security of making sure the module is not somehow being accessed from a remote site (XSS). There are other such protections built-in so I'm not sure it's really necessary. But if you like extra security you should be able to get it working... The white screen is a result of the exit() before any code is rendered, as for some reason the $_SERVER['SERVER_NAME'] and RNYA_DOMAINNAME are not matching for you.

It may be code that was ported/modded from the original CNBYA, but I checked our logs and they don't go back far enough to see the changes to that file, as we lost them a couple years back due to technical issues with our SVN.

Not exactly sure why the OR statement is there because it looks like the same condition twice, but that shouldn't produce a white page.
 
derek765







Posted: Sat Dec 22, 2012 2:27 am

Where would I echo the value?
 
spasticdonkey







Posted: Sat Dec 22, 2012 2:54 am

Anywhere html is normally rendered. Doing it within that file is too early as the <body> tag is not open yet. I would probably just add to my theme somewhere temporarily. For instance somewhere in themefooter() or themeheader(). I'm guessing the instructions are incorrect and www should be included. Assuming I'm correct, just make sure you are forcing www on your site address or it will cause problems if accessed without. I believe that setting is in sentinel or possibly preferences if not there.
 
derek765







Posted: Sat Dec 22, 2012 6:12 am

Well,

I just added [ Only registered users can see links on this board! Get registered or login! ] to the domain without echoing the value anywhere and now my website loads just fine, guessing that fixed all issues?

Final results:

Code:


if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
   header('Location: index.php');
   exit('Access Denied');
}
/**
 * enter your domain name here to add an extra layer of protection or leave blank.
 * example shows how to use this with a subdomain
 * define("RNYA_DOMAINNAME", "wwww.yourdomain.com");
 * no www or http just the domain name
 * remove the '//' from the next two lines and insert your domain name for additional security
 * (don't put 'http://' in front of it, your domain name only!
 */

define('RNYA_DOMAINNAME', 'www.underground-king.com');
if (($_SERVER['SERVER_NAME'] != RNYA_DOMAINNAME OR $_SERVER['SERVER_NAME'] != RNYA_DOMAINNAME) AND RNYA_DOMAINNAME != '') {exit();}
define('RNYA', true);
?>
 
montego
Site Admin




Posted: Sat Dec 22, 2012 3:43 pm

BTW, I do not recall exactly why that is in there, but I believe it has something to do with our AJAX components in RNYA. So I suspect that it is trying to reduce chances to exploit that. But, I hadn't looked at it in a very long time. I believe kguske did the most work on RNYA when AJAX was introduced.

spasticdonkey







Posted: Sat Dec 22, 2012 5:30 pm

If anyone else gets into trying this make sure you either have Force Nuke URL: Yes in NukeSentinel or use other methods to make sure your site cannot be accessed both with and without www. (.htaccess has methods for this too, which can be found on Google)
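
The host check discussed in this thread, as an added example that is not RavenNuke's code and not part of any post: it compares a normalized SERVER_NAME against a list of configured names and logs a mismatch instead of exiting silently. The helper names rnya_normalize_host() and rnya_host_allowed() and the sample host values are assumptions constructed for illustration.

```php
<?php
// Added example, not RavenNuke code. rnya_normalize_host() and
// rnya_host_allowed() are hypothetical helper names.

/** Lowercase a host name and strip any :port suffix and trailing dot. */
function rnya_normalize_host($host)
{
    $host = strtolower(trim((string) $host));
    $host = preg_replace('/:\d+$/', '', $host);
    return rtrim($host, '.');
}

/**
 * True when $serverName matches one of the configured names.
 * An empty allowlist disables the check, like RNYA_DOMAINNAME == ''.
 */
function rnya_host_allowed($serverName, array $allowed)
{
    if (count($allowed) === 0) {
        return true;
    }
    $allowed = array_map('rnya_normalize_host', $allowed);
    return in_array(rnya_normalize_host($serverName), $allowed, true);
}

// Constructed sample values: the configured name from the thread and the
// SERVER_NAME values a request might arrive with.
$allowed = array('www.underground-king.com');
$samples = array(
    'www.underground-king.com',   // matches
    'WWW.Underground-King.com',   // matches after lowercasing
    'underground-king.com',       // no www: rejected, the white-page case
    'localhost',                  // local testing: rejected
);

foreach ($samples as $name) {
    $ok = rnya_host_allowed($name, $allowed);
    printf("%-28s %s\n", $name, $ok ? 'allowed' : 'rejected');
    if (!$ok) {
        // In the real guard, log before exiting so a mismatch is not a
        // silent blank page; error_log() writes to the PHP error log.
        error_log('RNYA host check failed for SERVER_NAME=' . $name);
    }
}
```

On Apache with UseCanonicalName Off, SERVER_NAME is built from the client-supplied Host header, so this comparison is effectively a check on the requested host name. Listing both the www and bare names, or forcing one canonical name as suggested above, avoids the blank page.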
 