security.tpl
<?php
// Row templates shared by the checks on this page.
// $heading_tpl: %1$s = heading markup, %2$s = CSS class of the heading cell.
// $error_tpl:   first %s = what was checked, second %s = status markup.
$heading_tpl = '
<tr class="subsectiontitle">
<td class="%2$s" colspan="2" style="border-top: 1px solid #000000; border-bottom: 1px solid #000000;">%1$s</td>
</tr>';

$error_tpl = '
<tr class="table-color2">
<td class="text">%s</td>
<td align="left">%s</td>
</tr>';

// Write permissions check: the site root, its two entry scripts and the admin
// entry script are each passed to the toolkit. A truthy result marks that path
// "Vulnerable" (presumably "writable by more than the owner" - confirm against
// the toolkit's checkWritePermissions()).
$write_check = true; // remains true only while every path passes
$path_rows = '';

foreach (array('/', '/index.php', '/config.php', ADMIN_DIRECTORY . '/index.php') as $relative_path) {
	$flagged = $this->toolkit->checkWritePermissions(FULL_PATH . $relative_path);

	if ($flagged) {
		$write_check = false;
		$verdict = '<span style="color: red;">Vulnerable</span>';
	}
	else {
		$verdict = '<span style="color: green;">Secure</span>';
	}

	$path_rows .= sprintf($error_tpl, $relative_path, $verdict);
}

// The hidden "skip_security_check" field is emitted only when all paths passed.
// NOTE(review): how the installer consumes this field is not visible here; as a
// client-submitted value it should not be the only thing deciding whether the
// check is skipped - confirm the handler re-validates on the server side.
if ($write_check) {
	$hidden_field = '<input type="hidden" name="skip_security_check" value="' . (int)$write_check . '"/>';
}
else {
	$hidden_field = '';
}

// Heading first, then the per-path rows collected above.
$output = sprintf($heading_tpl, '<strong>Write Permissions Check</strong>' . $hidden_field, 'text') . $path_rows;

if ($write_check === false) {
	$output .= ' <tr class="table-color2">
<td class="error" colspan="2">
For security reasons it\'s highly recommended to set 755 permissions on above files to prevent hackers from attacking your website!<br /><br /></td>
</tr>';
}
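// script execute check
//
// Writes a one-line PHP probe into the writable folder and requests it over
// HTTP. If the response is the probe's own output, the web server executes PHP
// placed in that folder, and the row is reported as "Vulnerable".
$probe_file = WRITEABLE . '/install_check.php';
$probe_code = "<?php\n\techo 'OK';\n";

// Remove any leftover from an earlier run before creating a fresh probe.
if (file_exists($probe_file)) {
	unlink($probe_file);
}

// Mode 'x' creates the file exclusively and fails if the name already exists,
// so a file or link that appears in this writable folder between the unlink()
// above and this call is never opened or overwritten.
$fp = fopen($probe_file, 'x');
$probe_written = false;

if ($fp !== false) {
	// A short or failed write leaves an unusable probe; treat it like a failed create.
	$probe_written = (fwrite($fp, $probe_code) === strlen($probe_code));
	fclose($fp);
}

$result = false;

if ($probe_written) {
	$curl_helper =& $this->Application->recallObject('CurlHelper');
	/* @var $curl_helper kCurlHelper */

	// WRITEBALE_BASE is spelled exactly as the file references it; left unchanged.
	$result = $curl_helper->Send($this->Application->BaseURL(WRITEBALE_BASE) . 'install_check.php');
}

// Always clean up so the probe does not stay reachable in the writable folder.
if (file_exists($probe_file)) {
	unlink($probe_file);
}

// true = the probe's output did not come back.
// NOTE(review): any response other than the exact string 'OK' counts as secure,
// and that includes a request that failed outright (timeout, name resolution,
// blocked loopback). kCurlHelper's error reporting is not visible here - TODO:
// report a failed request as "Not Verified" as well, instead of "Secure".
$execute_check = ($result !== 'OK');

$output .= sprintf($heading_tpl, '<strong>Ability to Execute PHP in Writable Folders</strong>', 'text');

if (!$probe_written) {
	// The probe never reached the disk, so nothing was tested; do not claim "Secure".
	$status_text = '<span style="color: orange;">Not Verified</span>';
}
elseif ($execute_check) {
	$status_text = '<span style="color: green;">Secure</span>';
}
else {
	$status_text = '<span style="color: red;">Vulnerable</span>';
}

$output .= sprintf($error_tpl, 'Result of creating and executing PHP file(s) in "/system" (or "/system/images") folder', $status_text);

if (!$probe_written) {
	$output .= '<tr class="table-color2">
<td class="error" colspan="2">
The test file could not be created in the writable folder, so this check was not performed.
</td>
</tr>';
}
elseif (!$execute_check) {
	$output .= '<tr class="table-color2">
<td colspan="2">
For security reasons it\'s highly recommended disable the access (execution) to PHP files within "/system" folder and it\'s subfolders.
</td>
</tr>
<tr class="table-color2">
<td class="text" colspan="2">
You can do this by:<br/><br/>
<ul style="margin: 0px; padding-left: 15px;">
<li>changing your "httpd.conf" file to deny requests for all "*.php" files</li>
<li>renaming ".htaccess-sample" (located in "/system") to ".htaccess" so it overrides default Apache settings</li>
</ul>
<br/>Note that "AllowOverride LIMIT" option should be enabled by your hosting provider.
</td>
</tr>';
}

echo $output;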
?>