Juraj Kapsz
@jurajkapsz

Heh, wrote this in the wrong chatroom (Symphony Help), so just for record here again:

Guys, count me in when we should have a joint call of the Symphony CMS community, I think such an idea was mentioned recently. I should be available from April onwards.

Alexander Rutz
@animaux
I have just finished a major new version of the maplocationfield that gets rid of all Google Maps and Geocoding and uses Openstreetmap/Nominatim instead. It can be used as a drop-in replacement for the former version. Only limitation is that location names in stored fields and datasource filters are not supported any more, only latlng. I’m happy if anyone is interested in testing: https://github.com/animaux/maplocationfield
Alexander Rutz
@animaux
@jurajkapsz The main problem with »a joint call of Symphony CMS community« is that it would need coordination. Don’t know if @nitriques can be around? In my opinion the three most important things would be:
  1. commit critical bugfixes for 2.7.x (is LTS even an issue any more?) in the main repo
  2. commit critical bugfixes for 3.x in the main repo
  3. PHP8 fixes for 2.7.x and 3.x while retaining backwards compatibility with PHP7?
  4. include (more) active members as admins for the github symphonists account in order to check/approve PRs
Is anyone working productively with 3.x? I have not been able to use it at all.
Juraj Kapsz
@jurajkapsz
@animaux yes, if there should be a call, we could put together points we want to talk over. My points are similar if not the same. As for 3.x, I have not tried it yet, it's next on my todo list, I should get to it in about a month or so.
Juraj Kapsz
@jurajkapsz

I have just finished a major new version of the maplocationfield that gets rid of all Google Maps and Geocoding and uses Openstreetmap/Nominatim instead. It can be used as a drop-in replacement for the former version. Only limitation is that location names in stored fields and datasource filters are not supported any more, only latlng. I’m happy if anyone is interested in testing: https://github.com/animaux/maplocationfield

@animaux nice, actually my current project uses maps services (Google), and I was also looking at this extension for backend use but went without it, though the extension was working fine. Anyway, the idea of Openstreetmap/Nominatim is very interesting.

Alexander Rutz
@animaux
@jurajkapsz I’m happy if it’s useful!
Nimantha Harshana Perera
@nimanthaharshana

Hi Everyone,

Hope all of you guys are doing well. We are trying to secure our very few Symphony apps until they are migrated to a new platform and we ran some security tests against those recently and found that if someone gets into the backend somehow they of course can take control over the server via the following steps.

1) Create a new section with a file upload input without any restrictions
2) Upload an .htaccess file that lets PHP code run via a different extension
3) Run malicious PHP code and gain control over important assets on the server (possibly the whole server via other possible attacks)

For the above particular issue we got advice from the security team that there should be a global file extension whitelist (not a blacklist) so that it's not possible to upload files such as .htaccess, .sh, .js etc... Restricting certain file extensions on the file upload input (in a specific section) is not an option here as we are talking about someone who already got into the backend. So the only way to avoid this is to have a global level file extension whitelist so that uploading any files other than those in the whitelist is prohibited. We couldn't find a way to do this at the Apache config level and we think the only possibility would be to have a global level extension that will be in effect on file upload inputs.

Please can you guys share your thoughts on this ? WE STRONGLY BELIEVE THIS RISK COULD BE THERE FOR ALMOST ALL THE SYMPHONY SITES.

PLEASE NOTE THAT WE ARE NOT ALLOWED TO SHARE MORE INFORMATION OTHER THAN THE ABOVE STEPS.

Wannes Debusschere
@wdebusschere
Screenshot 2021-03-08 at 13.55.41.jpg
Screenshot 2021-03-08 at 13.55.54.jpg
I tried to upload a test.php
Alexander Rutz
@animaux

if someone gets into the backend somehow

Hmm. It would have to be a dev-account this someone would need to have access to. With a compromised dev-account I can imagine all kinds of other bad things possible …

Can verify .php upload is blocked.
Bildschirmfoto 2021-03-09 um 11.11.54.png
Alexander Rutz
@animaux
I also tried a php file with no file-extension, that got blocked too.
cylkee
@cylkee
@nimanthaharshana Versions tested?
Alexander Rutz
@animaux
Also, at least in MacOS I am not able to upload an .htaccess file.
Apparently files with NO extension are always blocked.
cylkee
@cylkee
On Windows I can upload a .htaccess
Brian Zerangue
@bzerangue
@animaux - on Mac, in the Finder, Hold down Cmd + Shift + . (dot) ... that way you can upload .htaccess files. Unless it is some server related blocking specific file types with the host (which makes sense).
Alexander Rutz
@animaux
@bzerangue great, thanks!
Phill
@pixelninja
Oh snap, I was about to jump on here and say where is everyone?! But it's been busy! I haven't been getting any notifications... weird :shrug: how is everyone's 2021 going??
Juraj Kapsz
@jurajkapsz

Oh snap, I was about to jump on here and say where is everyone?! But it's been busy! I haven't been getting any notifications... weird :shrug: how is everyone's 2021 going??

hey @pixelninja quite busy, how about you?

Alexander Rutz
@animaux

hey @pixelninja quite busy, how about you?

Same here!

ali77baran
@ali77baran
hi
I want to use Symphony
but I need some extensions or some development
for example login with mobile authentication or changing the registration form
Phill
@pixelninja
@jurajkapsz @animaux absolutely flat out, can't catch a break!
@ali77baran not sure what you mean sorry
Alexander Rutz
@animaux
@pixelninja Have considered coming to NZ to apply at your place ;) but then we don’t want to uproot our kids.
Moritz Profitlich
@mprofitl

@animaux Are still interested in thoughts on implementing a double-opt-in? I just did it in two projects.

– The section ‹recipients› stores all addresses. It has a hash-id field.
– A person registers -> the entry is saved to the section ‹recipients›. The Event ‹opt-in› is fired.
– The event ‹opt-in› sends a mail to the recipient with a link to a page with the parameter ?email=MAILADDRESS&hash=HASHID&action=opt-in (my idea is to allow changes to the subscription by using other action parameters)
– The double-opt-in page filters the recipients section by mail address and hashid. An event ‹double-opt-in› is attached to the page. A hidden form resaves the entry via Ajax and sets a field ‹double-opt-in› to true (checkbox)
– The page then displays a confirmation

Two things I would like to improve:

  1. Get rid of the Ajax workaround by firing the double-opt-in event already when opening the page (is that possible?)
  2. Never show the entry ID publicly (which would already be the case when solving (1)). I tried using this obfuscation trick but it seemed to be incompatible with the current Symphony or PHP version.

I’d be delighted to learn about your solution.

Alexander Rutz
@animaux
@mprofitl thanks! My untested idea of implementation is quite similar, I think.

Get rid of the Ajax workaround by firing the double-opt-in event already when opening the page (is that possible?)

You can trigger the event on page load: https://www.getsymphony.com/discuss/thread/69596/

Also you could filter the entry with the e-mail by filtering by hash and not by internal id.
So when that particular URL is requested it will run the event and thus activate the entry.
You don’t even need to include the e-mail this way.
So no info is exposed in the activation process at all.
dpinter15
@dpinter15
I've got some weird PHP errors that are preventing my sites from loading. Definitely in over my head... anyone wanna help and take a look at my error log to see if it rings a bell?
Juraj Kapsz
@jurajkapsz
Guys, there is some hacking going on at one of my SCMS sites, PHP files are being uploaded to folders which are writable, don't know if it is through SCMS means or some other way on that hosting / through an existing PHP script somewhere etc. Can I send those forged PHP files to someone?
I also need to mention that other sites on that server are compromised the same way as well, they run either on WordPress or are built on some custom PHP
Juraj Kapsz
@jurajkapsz
Some more info: As of now, I am sure no SCMS files are altered within the site, I am tracking changes, and I also compared the production version with my local development site version.
However I don't track cache/tmp files and backend user-uploaded media files, which should be images only.
Juraj Kapsz
@jurajkapsz
cylkee
@cylkee
Juraj Kapsz
@jurajkapsz
@cylkee thanks, yes I have that, on every project :) all good on that front. In the meantime, it looks like that attacker's every request to the site was a POST. I denied POST requests across the site, hopefully successfully, will see.
dpinter15
@dpinter15
Anyone have any idea how to fix this?
PHP Warning: Declaration of ExtensionManager::create($name) should be compatible with & Manager::create($name)
PHP Warning: Declaration of FrontendPage::generate($page) should be compatible with XSLTPage::generate()
PHP Fatal error: Uncaught TypeError: Argument 1 passed to GenericExceptionHandler::handler() must be an instance of Exception
Peter Skirenko
@petertron
@dpinter15 Using PHP 5 would be one way.
Peter Skirenko
@petertron
@dpinter15 If you can upgrade your site to a newer version of Symphony, one that is compatible with PHP 7, then that is another solution.