I do a little CMS and I like to use Xinha with the EFM plugin. The user should enter a login and password before starting work with the system, but he could do something like this: server_name/xinha/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&__function=manager and he could upload any data he wants!! So what should I do to prevent this?? I can write a little PHP script which would take the session id from the cookie and look in the MySQL database to see whether it is a valid session id or not, but where should I place this script?? In EFM?? Or maybe other plugins can be used in the same way as EFM (I mean directly), so please, any suggestions??
If you are on a Linux/Unix system: deny writing permission on server_name/xinha/plugins/ExtendedFileManager/demo_images/
Typically this should be already the case by default.
If you are on Windows: edit the config.inc.php file and set
$IMConfig['allow_upload'] = false;
Having done so will prevent anybody who just opens the manager from uploading files, because in this case only the default config from config.inc.php is used.
To allow your users to upload files and do anything they want, now use the provided method for configuring EFM by plugin config described here
http://xinha.python-hosting.com/wiki/Pl … ileManager
(Of course you still have to control the access to the page that legitimately opens Xinha and thus EFM, that should be not such a problem, should it?)
Last edited by ray (2007-03-12 16:37:29)
No, you don't understand me. Users should have the opportunity to upload files to the server, but they should do it using my system; in other words they should log in first. So it's not about Xinha configuration..
Thank you, it's a good idea and I thought about it, but maybe there's a special way to add my own login mechanism (some logic to decide whether plugins should work or not)? Or will .htaccess be the best decision??
Sorry ray, I didn't understand you.. And I should set false for all other allow privileges... but isn't there a special way to avoid opening the EFM plugin with the default config? I just want users to have only one way of using EFM, only through my script.
And another question: as I understood, I should delete at least the ImageManager plugin because users could use it to upload files to the server, and I suppose there's a special direct URL for this plugin like EFM has.
And what about other plugins? All PHP files could lead to some sort of security problems. Should I delete all plugins? And frankly speaking I didn't find articles about security problems on the site.. maybe there is some common configuration that should be done before using Xinha and its plugins in real-life applications??
ray, and if I follow your advice users still have the opportunity to delete files!..
The thing is that you make config.inc.php safe, and configure the directories and permissions you want to allow your users through the dynamic configuration on a page that you protect. If anybody calls server_name/xinha/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&__function=manager directly, like you pointed out, they will only get the default settings from config.inc.php.
And I should make config.inc.php safe for ImageManager too..
And what about the InsertPicture plugin?
Should I configure it too??
For example everyone could upload pics to the server by this URL
server_name/xinha/plugins/InsertPicture/insertPicture.php?picturepath=
Maybe there are some other plugins I should configure?? Or should I delete all plugins I don't use?
Or maybe there's another way to solve the problem?
Last edited by temm (2007-03-13 14:35:17)
I didn't find the answer so I decided to use .htaccess.
I changed my login system a bit: at first start I rewrite the .htaccess in the xinha directory in this way
RewriteEngine on
RewriteCond %{HTTP_COOKIE} !c77a3f8e80f558586efb4258f450a552
RewriteRule ^.* - [F,L]
where c77a3f8e80f558586efb4258f450a552 is my session id.
Unfortunately I didn't find a better decision...
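The two questions that run through this thread are ray's point that any directly-called backend only sees config.inc.php, and temm's question of where a session-checking script should live so that backend.php, ImageManager and insertPicture.php are all covered without rewriting .htaccess on every login. The following guard is an added example written for this reply; it is not Xinha code and not the poster's code. It assumes Apache with mod_php and AllowOverride permitting php_value, a CMS login that calls session_start() and stores $_SESSION['user_id'], and (optionally, as temm planned) a MySQL table named sessions(session_id, user_id, expires); all of those names, the DSN and the credentials are assumptions, not anything the thread states.

```php
<?php
// xinha_guard.php -- added example, not part of Xinha or of the poster's CMS.
//
// Put this file outside the web root (the path below is assumed) and have PHP
// run it before every script under xinha/ by adding one line to xinha/.htaccess:
//
//     php_value auto_prepend_file /var/www/private/xinha_guard.php
//
// Because auto_prepend_file runs before the requested script, a direct call to
// plugins/ExtendedFileManager/backend.php, ImageManager's backend or
// plugins/InsertPicture/insertPicture.php is refused unless the CMS session is
// valid, and no plugin file has to be edited. Static files (images, JS) are
// unaffected since PHP never handles them.

// Assumed database settings; replace with the CMS's own.
define('XINHA_GUARD_DSN',  'mysql:host=localhost;dbname=cms;charset=utf8mb4');
define('XINHA_GUARD_USER', 'cms_readonly');
define('XINHA_GUARD_PASS', 'change-me');

function xinha_guard_deny($reason)
{
    // Refuse without explaining why; keep the detail in the server log.
    error_log('xinha_guard: denied ' . $_SERVER['REQUEST_URI'] . ' (' . $reason . ')');
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain');
    echo "Forbidden\n";
    exit;
}

function xinha_guard_session_ok()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // First check: the PHP session must already identify a logged-in user.
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    // Second check, as the poster planned: the session id must be recorded in
    // the CMS database and not expired. A database error fails closed.
    try {
        $db = new PDO(XINHA_GUARD_DSN, XINHA_GUARD_USER, XINHA_GUARD_PASS,
                      array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
        $st = $db->prepare(
            'SELECT 1 FROM sessions WHERE session_id = ? AND user_id = ? AND expires > NOW()'
        );
        $st->execute(array(session_id(), $_SESSION['user_id']));
        return $st->fetchColumn() !== false;
    } catch (PDOException $e) {
        error_log('xinha_guard: database error: ' . $e->getMessage());
        return false;
    }
}

if (!xinha_guard_session_ok()) {
    xinha_guard_deny('no valid session');
}
// Otherwise fall through: PHP now runs the script that was actually requested.
```

Compared with a hard-coded session id in a RewriteCond, this checks the server-side session rather than a cookie substring, so nothing has to be rewritten when a user logs in or out, and it applies to every PHP entry point under the directory, including plugins added later. It complements rather than replaces ray's advice: config.inc.php should still carry safe defaults such as $IMConfig['allow_upload'] = false, because the guard only decides who may reach a backend, not what that backend is allowed to do.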