
Archived

This topic is now archived and is closed to further replies.


define_mainpage.php


I've already deleted the filemanager and define_language files.

 

What about deleting define_mainpage.php?


Richard,

 

As far as I know, define_mainpage is not a security concern. However, since it is not part of a standard OSC installation I would not positively know for sure if it is vulnerable to hacker attempts or not.

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


Looking at the code it appears to me to be just as vulnerable to hack attempts as the other files mentioned.

:'(


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


Hi Jim,

 

What contribution is that from?

 

 

 

Chris




I found it here

 

I find it vulnerable because it gets contents supplied via the URL and writes it to a file with absolutely no checking of anything going on.


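An added illustration of the pattern Jim describes, a file written straight from request input, beside a hardened version. This is constructed example code, not the define_mainpage contribution's own code (the thread does not reproduce it). The parameter names, the `mainpage_content` directory, the file allowlist and the `admin` session key are assumptions; `tep_session_is_registered()` is the osCommerce session helper.

```php
<?php
// Added example, not code from the contribution or this thread.
// Reconstructs the shape described above ("gets contents supplied via the
// URL and writes it to a file with no checking") and shows a hardened form.

// --- Vulnerable shape (do not use) ------------------------------------------
// Whoever can reach the URL picks both the file name and its contents:
//   define_mainpage.php?file=../../index.php&content=<?php ...
function save_mainpage_unsafe($file, $content) {
    $fp = fopen($file, 'w');      // no auth, no path check, no content check
    fwrite($fp, $content);
    fclose($fp);
}

// --- Hardened shape ---------------------------------------------------------
// Assumptions (not from the thread): the content lives in one of a few fixed
// files under a directory that is never include()d or served as PHP.
define('MAINPAGE_DIR', dirname(__FILE__) . '/mainpage_content');
$ALLOWED_FILES = array('mainpage.html', 'mainpage_footer.html');

function save_mainpage_safe($file, $content, $allowed) {
    // 1. Only an authenticated admin session may write. 'admin' is the
    //    session key assumed here for the logged-in administrator.
    if (!tep_session_is_registered('admin')) {
        header('HTTP/1.1 403 Forbidden');
        exit; // header() alone does not stop the script; exit does
    }
    // 2. The target comes from a fixed allowlist, never from the request
    //    verbatim, so "../" and absolute paths are impossible.
    if (!in_array($file, $allowed, true)) {
        return false;
    }
    // 3. Refuse anything that could execute if the file were ever included
    //    or served through the PHP handler.
    if (strpos($content, '<?') !== false) {
        return false;
    }
    $path = MAINPAGE_DIR . '/' . $file;
    // 4. Exclusive lock so two concurrent saves cannot interleave.
    return file_put_contents($path, $content, LOCK_EX) !== false;
}

// Accept POST only; a GET link or image tag must not be able to trigger a write.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $file    = isset($_POST['file'])    ? $_POST['file']    : '';
    $content = isset($_POST['content']) ? $_POST['content'] : '';
    echo save_mainpage_safe($file, $content, $ALLOWED_FILES) ? 'saved' : 'rejected';
}
```

The order of the checks matters: authentication first, then the target, then the content. If the feature is not needed at all, deleting the file (as the thread already suggests) removes the write path entirely and is the simpler fix.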

Ok, yes, I see it now. That contribution hasn't been updated since 2006 either.

 

 

 

 

Chris



Is there any way to fix this?

 

Thanks


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


Rename the admin folder (like you haven't heard that before! :lol: )

 

Protect the admin with a .htaccess file (^^ :rolleyes: ^^ )

 

Then in /YOUR_ADMIN_FOLDER_NAME/index.php after this line:

 

  require('includes/application_top.php');

ADD this code:

 

  if ( ! tep_session_is_registered('My_Var_Name') ) {
    $My_Var_Name = 'SmVzdXM=';
    tep_session_register('My_Var_Name');
  }

 

Then in /YOUR_ADMIN_FOLDER_NAME/define_mainpage.php after this line:

 

  require('includes/application_top.php');

ADD this code:

 

  if ( $My_Var_Name != 'SmVzdXM=' ) {
    header("Location: http://www.google.com");
    exit; // stop here: a header() call alone does not end the script, so the rest of the page would still run
  }

You should change the value of $My_Var_Name to something else.


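The same two-file gate as an added example, with the handling a reviewer would want on top of the post above. This is not Jim's posted code. The session key `admin_page_marker`, the 403 response and the `admin_gate_passed()` helper are assumptions; `tep_session_is_registered()` and `tep_session_register()` are the osCommerce session helpers the post itself uses. The check reads `$_SESSION` directly rather than a global, so it does not depend on the session value having been copied into a global variable on the protected page.

```php
<?php
// Added example, not the code from the post above. Two parts, one per file.

// ---- Part 1: /YOUR_ADMIN_FOLDER_NAME/index.php, right after
//      require('includes/application_top.php');
// Mark this session as having passed through the admin index page.
if (!tep_session_is_registered('admin_page_marker')) {
    $admin_page_marker = true;                 // never sent to the client, so
    tep_session_register('admin_page_marker'); // the value needs no secrecy
}

// ---- Part 2: /YOUR_ADMIN_FOLDER_NAME/define_mainpage.php, right after
//      require('includes/application_top.php');

// True only when the marker was set earlier in this same session.
// Reads $_SESSION directly instead of relying on a global of the same name.
function admin_gate_passed()
{
    return tep_session_is_registered('admin_page_marker')
        && isset($_SESSION['admin_page_marker'])
        && $_SESSION['admin_page_marker'] === true;
}

if (!admin_gate_passed()) {
    // Fail closed. A redirect as in the post works too; the exit is the
    // important part. header() does not stop the script, so without exit
    // the rest of define_mainpage.php, including its file write, still runs
    // for any client that simply ignores the Location header (curl, a script).
    header('HTTP/1.1 403 Forbidden');
    exit;
}
// ... original page continues here, reachable only with the marker set.
```

To check the gate, request define_mainpage.php with curl and no cookie and confirm the response is the 403 (or redirect) with an empty body, then repeat with a cookie jar from a browser session that has loaded index.php and confirm the page renders. The gate only proves the session has been through index.php; it does not replace the login check or the .htaccess protection recommended earlier in the thread.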

Please explain what your fix accomplishes/does.

And should one do this even if one just deletes the define_mainpage.php file?


Thanks Jim,

 

Yes, I have changed the admin folder name and used .htaccess + all other security mods, but never knew this had a security hole in it.

 

Applied your fix and it works great - in fact so well that I can't use the define mainpage function now - it re-directs me to google!

 

When you say "You should change the value of $My_Var_Name to something else", do you mean the element SmVzdXM= shown in your code?

 

I think your code as written will only direct the owner to Google?

 

Thanks



The code works for me just as written.

 

I don't have that particular file to protect but I protected another file.

 

The principle is the same no matter what file you apply it to.

 

The vulnerability here (if you don't have the admin protected by a .htaccess file) is that files in the admin can be accessed without visiting the login or index page first in the RC versions of osC.

 

This plugs that hole.

 

It works for me.

 

I don't know what to tell you.

:blush:



Hi Jim,

 

Checked that I copied the code correctly - and I have.

 

The protection works great - ie. requests are sent to google.

 

But when I try to access the define mainpage link from the admin panel I am also re-directed to google. I'm not a coder at all, and in fact know very little about PHP, but isn't the statement below telling the system that if the variable My_Var_Name = 'SmVzdXM=' then go to google?

 

  if ( $My_Var_Name != 'SmVzdXM=' ) {
    header("Location: http://www.google.com");
  }



No.

 

The code says if $My_Var_Name IS NOT EQUAL TO SmVzdXM= then send the viewer to google.

 

The only way that theoretically can happen is if you haven't been to the index page first.

 

If your admin is behind a .htaccess file this code protection isn't necessary.

 

If you copied the code just as it is I really can't explain why it's not working for you.

:unsure:



But when I try to access the define mainpage link from the admin panel I am also re-directed to google. I'm not a coder at all, and in fact know very little about PHP, but isn't the statement below telling the system that if the variable My_Var_Name = 'SmVzdXM=' then go to google?

 

I also had the same problem. On my local version of my site this redirection worked as expected; however, on the server version of the website it just redirects to google!

 

Am I right in assuming that, as I have a .htaccess file protecting the admin, there is no need to worry about define_mainpage.php etc.? (I have deleted define_languages.php.)
