1
jimbofoxman
Protector - Cleaning up per the advisor

The security advisor has several things for me to do, and I am trying to update my mainfile.php with the bit about precheck and postcheck. So in the 2.3.3 update, I updated the mainfile.dist.php.protector file with my information (as follows) but as soon as I do, I get a blank page on my website.

<?php
/**
 * XOOPS main configuration file
 *
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 * @copyright   The XOOPS Project http://sourceforge.net/projects/xoops/
 * @license     http://www.fsf.org/copyleft/gpl.html GNU public license
 * @version     $Id: mainfile.dist.php 2540 2008-11-29 20:15:08Z dhcst $
 */

if ( !defined("XOOPS_MAINFILE_INCLUDED") ) {
    
define("XOOPS_MAINFILE_INCLUDED"1);

    
// XOOPS Physical Paths

    // Physical path to the XOOPS documents (served) directory WITHOUT trailing slash
    
define("XOOPS_ROOT_PATH""/home/ipmskala/www/www");

    
// For forward compatibility
    // Physical path to the XOOPS library directory WITHOUT trailing slash
    
define("XOOPS_PATH""/home/ipmskala/www/www/xoops_lib");
    
// Physical path to the XOOPS datafiles (writable) directory WITHOUT trailing slash
    
define("XOOPS_VAR_PATH""/home/ipmskala/www/www/xoops_data");
    
// Alias of XOOPS_PATH, for compatibility, temporary solution
    
define("XOOPS_TRUST_PATH"XOOPS_PATH);

    
// XOOPS Virtual Path (URL)
    // Virtual path to your main XOOPS directory WITHOUT trailing slash
    // Example: define("XOOPS_URL", "http://url_to_xoops_directory");
    
define("XOOPS_URL""http://www.ipmskalamazoo.org");

    
// Shall be handled later, don't forget!
    
define("XOOPS_CHECK_PATH"0);
    
// Protect against external scripts execution if safe mode is not enabled
    
if ( XOOPS_CHECK_PATH && !@ini_get("safe_mode") ) {
        if ( 
function_exists("debug_backtrace") ) {
            
$xoopsScriptPath debug_backtrace();
            if ( !
count($xoopsScriptPath) ) {
                 die(
"XOOPS path check: this file cannot be requested directly");
            }
            
$xoopsScriptPath $xoopsScriptPath[0]["file"];
        } else {
            
$xoopsScriptPath = isset($_SERVER["PATH_TRANSLATED"]) ? $_SERVER["PATH_TRANSLATED"] :  $_SERVER["SCRIPT_FILENAME"];
        }
        if ( 
DIRECTORY_SEPARATOR != "/" ) {
            
// IIS6 may double the  chars
            
$xoopsScriptPath str_replacestrpos$xoopsScriptPath"\\") ? "\\" DIRECTORY_SEPARATOR"/"$xoopsScriptPath);
        }
        if ( 
strcasecmpsubstr($xoopsScriptPath0strlen(XOOPS_ROOT_PATH)), str_replaceDIRECTORY_SEPARATOR"/"XOOPS_ROOT_PATH)) ) {
             exit(
"XOOPS path check: Script is not inside XOOPS_ROOT_PATH and cannot run.");
        }
    }

    
// Database
    // Choose the database to be used
    
define("XOOPS_DB_TYPE""mysql");

    
// Set the database charset if applicable
    
if (defined("XOOPS_DB_CHARSET")) die();
    
define("XOOPS_DB_CHARSET""");

    
// Table Prefix
    // This prefix will be added to all new tables created to avoid name conflict in the database. If you are unsure, just use the default "xoops".
    
define("XOOPS_DB_PREFIX""xxxxxx");

    
// Database Hostname
    // Hostname of the database server. If you are unsure, "localhost" works in most cases.
    
define("XOOPS_DB_HOST""localhost:/tmp/mysql5.sock");

    
// Database Username
    // Your database user account on the host
    
define("XOOPS_DB_USER""xxxxx");

    
// Database Password
    // Password for your database user account
    
define("XOOPS_DB_PASS""xxxxx");

    
// Database Name
    // The name of database on the host. The installer will attempt to create the database if not exist
    
define("XOOPS_DB_NAME""xxxxx");

    
// Use persistent connection? (Yes=1 No=0)
    // Default is "Yes". Choose "Yes" if you are unsure.
    
define("XOOPS_DB_PCONNECT"0);

    
define("XOOPS_GROUP_ADMIN""1");
    
define("XOOPS_GROUP_USERS""2");
    
define("XOOPS_GROUP_ANONYMOUS""3");

    
// Temporary solution for extra protector module. To be refactored
    // Set the following value as true if you want to enable protector module
    
$ENABLE_PROTECTOR true;

    if ( !empty(
$ENABLE_PROTECTOR) ) {
        @include 
XOOPS_TRUST_PATH '/modules/protector/include/precheck.inc.php';
    }
    if (!isset(
$xoopsOption["nocommon"]) && XOOPS_ROOT_PATH != "") {
        include 
XOOPS_ROOT_PATH."/include/common.php";
    }
    if ( !empty(
$ENABLE_PROTECTOR) ) {
        @include 
XOOPS_TRUST_PATH '/modules/protector/include/postcheck.inc.php';
    }
}
?>


If I put back the mainfile.php without the precheck and postcheck it goes back to working fine. What stupid mistake am I missing? Good file below;

<?php
/*
 You may not change or alter any portion of this comment or credits
 of supporting developers from this source code or any supporting source code 
 which is considered copyrighted (c) material of the original comment or credit authors.
 
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*/

/**
 * XOOPS main configuration file
 *
 * See the enclosed file license.txt for licensing information.
 * If you did not receive this file, get it at http://www.fsf.org/copyleft/gpl.html
 *
 * @copyright   The XOOPS project https://xoops.org/
 * @license     http://www.fsf.org/copyleft/gpl.html GNU General Public License (GPL)
 * @version        $Id: mainfile.dist.php 2024 2008-08-31 03:24:12Z phppp $
 */

if ( !defined("XOOPS_MAINFILE_INCLUDED") ) {
    
define'XOOPS_MAINFILE_INCLUDED');

    
// XOOPS Physical Paths
    
    // Physical path to the XOOPS documents (served) directory WITHOUT trailing slash
    
define'XOOPS_ROOT_PATH''/home/ipmskala/www/www' );

    
// For forward compatibility
    // Physical path to the XOOPS library directory WITHOUT trailing slash
    
define'XOOPS_PATH''/home/ipmskala/www/www/xoops_lib' );
    
// Physical path to the XOOPS datafiles (writable) directory WITHOUT trailing slash
    
define'XOOPS_VAR_PATH''/home/ipmskala/www/www/xoops_data' );
    
// Alias of XOOPS_PATH, for compatibility, temporary solution
    
define("XOOPS_TRUST_PATH"XOOPS_PATH);

    
// XOOPS Virtual Path (URL)
    // Virtual path to your main XOOPS directory WITHOUT trailing slash
    // Example: define( 'XOOPS_URL', 'http://www.ipmskalamazoo.org' );
    
define'XOOPS_URL''http://www.ipmskalamazoo.org' );

    
define'XOOPS_CHECK_PATH');
    
// Protect against external scripts execution if safe mode is not enabled
    
if ( XOOPS_CHECK_PATH && !@ini_get("safe_mode") ) {
        if ( 
function_exists("debug_backtrace") ) {
            
$xoopsScriptPath debug_backtrace();
            if ( !
count($xoopsScriptPath) ) {
                 die(
"XOOPS path check: this file cannot be requested directly");
            }
            
$xoopsScriptPath $xoopsScriptPath[0]["file"];
        } else {
            
$xoopsScriptPath = isset($_SERVER["PATH_TRANSLATED"]) ? $_SERVER["PATH_TRANSLATED"] :  $_SERVER["SCRIPT_FILENAME"];
        }
        if ( 
DIRECTORY_SEPARATOR != "/" ) {
            
// IIS6 may double the  chars
            
$xoopsScriptPath str_replacestrpos$xoopsScriptPath"\\") ? "\\" DIRECTORY_SEPARATOR"/"$xoopsScriptPath);
        }
        if ( 
strcasecmpsubstr($xoopsScriptPath0strlen(XOOPS_ROOT_PATH)), str_replaceDIRECTORY_SEPARATOR"/"XOOPS_ROOT_PATH)) ) {
             exit(
"XOOPS path check: Script is not inside XOOPS_ROOT_PATH and cannot run.");
        }
    }

    
// Database
    // Choose the database to be used
    
define'XOOPS_DB_TYPE''mysql' );

    
// Set the database charset if applicable
    
if (defined("XOOPS_DB_CHARSET")) die();
    
define'XOOPS_DB_CHARSET''' );

    
// Table Prefix
    // This prefix will be added to all new tables created to avoid name conflict in the database. If you are unsure, just use the default "xoops".
    
define'XOOPS_DB_PREFIX''xxxxx' );

    
// Database Hostname
    // Hostname of the database server. If you are unsure, "localhost" works in most cases.
    
define'XOOPS_DB_HOST''localhost:/tmp/mysql5.sock' );

    
// Database Username
    // Your database user account on the host
    
define'XOOPS_DB_USER''xxxxx' );

    
// Database Password
    // Password for your database user account
    
define'XOOPS_DB_PASS''xxxxx' );

    
// Database Name
    // The name of database on the host. The installer will attempt to create the database if not exist
    
define'XOOPS_DB_NAME''xxxxx' );

    
// Use persistent connection? (Yes=1 No=0)
    // Default is "Yes". Choose "Yes" if you are unsure.
    
define'XOOPS_DB_PCONNECT');

    
define'XOOPS_GROUP_ADMIN''1' );
    
define'XOOPS_GROUP_USERS''2' );
    
define'XOOPS_GROUP_ANONYMOUS''3' );
    
    if (!isset(
$xoopsOption["nocommon"]) && XOOPS_ROOT_PATH != "") {
        include 
XOOPS_ROOT_PATH."/include/common.php";
    }

}
?>


I am sure it is something stupid. I know I gotta fix the data and lib directories too.

2
Nick_James
Re: Protector - Cleaning up per the advisor

I don't understand the postcheck line:

Quote:
if ( !empty($ENABLE_PROTECTOR) ) {
@include XOOPS_TRUST_PATH . '/modules/protector/include/postcheck.inc.php';


Is the @ needed?

You have it at the start of the include for both the pre check and the post check. However, notice how it is not on the line for the common file inbetween them.

I would suggest that you either do not need it at all, or need it for all three lines.

Try it without for both the pre and post check lines. Like:

Quote:
if ( !empty($ENABLE_PROTECTOR) ) {
include XOOPS_TRUST_PATH . '/modules/protector/include/postcheck.inc.php';


Are the 'if statements' at the beginning for each check and the common file needed?


Mine looks like this:

Quote:
include XOOPS_TRUST_PATH . '/modules/protector/include/precheck.inc.php';
if (!isset($xoopsOption["nocommon"]) && XOOPS_ROOT_PATH != "") {
include XOOPS_ROOT_PATH."/include/common.php";
}
include XOOPS_TRUST_PATH . '/modules/protector/include/postcheck.inc.php';
Nicholas James
President - LaDads
www.ladads.info

3
jimbofoxman
Re: Protector - Cleaning up per the advisor

Well I don't know.....

If I take both the @ symbols out, I get....(same for taking the If's out)

Quote:
Fatal error: Using $this when not in object context in /home/ipmskala/www/www/xoops_lib/modules/protector/class/protector.php


If I leave the if's in and put @'s on everyone..........another blank page.

I'm sure it's just something stupid.......seems to be my normal problem.

4
trabis
Re: Protector - Cleaning up per the advisor
  • 2009/3/25 13:55

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


There is no problem with the code. @ is used to suppress errors. If protector was removed from your server you would not get an error of "file not found".

Now, I think you have corrupted files. I suggest you upload again the protector files.

Your problem seems to be here:
protector/class/protector.php

5
DonCurioso
Re: Protector - Cleaning up per the advisor

Completely agree with Trabis. Looks up corrupted files. Upload Protector again via FTP or SFTP. Both mainfile´s appears fine.
HispaXoops | Xoops España

That's the way i like it! | Nada mejor que una Alhambra bien helada con aceitunas...

6
jimbofoxman
Re: Protector - Cleaning up per the advisor

Thanks guys, that worked. Uploaded the latest version of protector from GIJoe's site and she's working now.

7
jimbofoxman
Re: Protector - Cleaning up per the advisor

Ok, on to the remaining issues

1. What should really be in my .htaccess file? Right now the only thing in mine is;

RedirectMatch "^/xoops/?$" "http://www.ipmskalamazoo.org"


Which I don't think is needed anymore. I originally setup XOOPS in the XOOPS directory on root to test and setup prior to dumping the old site files. So I think that is a old remnant from the past.

2. If I add the global register off line to it, all I get is a 500 server error. So I am lost on what to do with that.

I know I have to dump the xoops_lib file out of root still to solve that problem as well.


8
jimbofoxman
Re: Protector - Cleaning up per the advisor

Also, I checked with my host about php.ini and they said I can do it. So where should this file be located? In the same directory as my mainfile.php? I've tried it in my root, xoops_lib and xoops_data folders and I still get...

'allow_url_fopen' on   Not secure


Suggestions?

9
ghia
Re: Protector - Cleaning up per the advisor
  • 2009/3/26 1:09

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Add in a .htaccess file:
php_flag register_globals off


@jimbofoxman: You may also edit the last post to add some toughts, rather than create a new one.

10
jimbofoxman
Re: Protector - Cleaning up per the advisor

As soon as I put that line in my .htaccess file I get a 500 server error.

Login

Who's Online

125 user(s) are online (55 user(s) are browsing Support Forums)


Members: 0


Guests: 125


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits