Proxy doesn't work with Jonty's newest release UberCMS

[PR0]

I'm using UberCMS (LightCMS/IlluminaCMS PRO) and every time a user logs in or registers after I use my proxy, the users IPs all show up as the Proxy's IP.

$db->real_query("UPDATE users SET ip_last = '" . $_SERVER["REMOTE_ADDR"] . "', auth_ticket = '" . $sso . "' WHERE id = '" . USER_ID . "'");

How can I fix the function which saves the IP so it doesn't do that anymore? I'm considering going to RevCMS to use it as a reference since it doesn't do so there :S
@Jonteh ??

[MentaL]

[Jonteh]

What's the contents of your required.php?

[PR0]

<?php

error_reporting(0);


// Block certain browsers to prevent scripting clients
$checking = $_SERVER["HTTP_USER_AGENT"];
$checkFor = "Awesomium";
$checkTwo = "Chrome/23.0.1271.97";
if(strpos($checking, $checkFor) !== false || strpos($checking, $checkTwo) !== false) {
die("Scripting browser detected. If you believe this to be false, please update your version of Google Chrome.");
exit;
}


// Get LightCMS Engine
require_once "engine/lightcms.php";
$light = new LightCMS;

if(isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
$_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_CF_CONNECTING_IP"];
}
else if(isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
$_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_X_FORWARDED_FOR"];
}

/*if($light->nginxproxy == true) {
$hd = getallheaders();
$_SERVER["REMOTE_ADDR"] = $hd['X-Forwarded-For'];
}*/

// Start LightCMS
$light->exec();

// Connect to DB
$db = new DatabaseManager($light->MySQLi['Hostname'], $light->MySQLi['Username'], $light->MySQLi['Password'], $light->MySQLi['Database'], $light->MySQLi['Port']);

foreach($_POST as $key => $value) {
$_POST[$key] = $db->real_escape_string($value);
}
foreach($_GET as $key => $value) {
$_GET[$key] = $db->real_escape_string($value);
}

// Set Site Variables
//$light->getSiteSettings();

// Start LightCMS Classes
$core = new LightCore;
$users = new UserManager;
$tpl = new LightTemplate;

// Set LightCMS Template Variables
$tpl->setBasicParameters();

if($light->maintenance && !defined("NO_MAINT_HERE") && $_SERVER["REMOTE_ADDR"] != "localhost") {
if(!$users->isLogged()) {
header ("Location: " . WWW . "/maintenance.php");
exit;
}
else if($users->isLogged() && USER_RANK < 6) {
header ("Location: " . WWW . "/maintenance.php");
exit;
}
}

define('maintenance', $light->maintenance);
define('islogged', $users->isLogged() ? "1" : "0");

/*if(USERNAME == "Jonteh") {
die($_SERVER["REMOTE_ADDR"]);
}*/
?>

I totally spaced out before realizing it would probably start from there. I'm new to PHP though so I'm not familiar with the different type of functions. I know the CF one is for coldfusion, not familiar with the others though.

Thanks for the help.
@Jonteh

[Jonteh]

Uncomment

PHP Code:

/*if($light->nginxproxy == true) {
        $hd = getallheaders();
        $_SERVER["REMOTE_ADDR"] = $hd['X-Forwarded-For'];
    }*/ 


and set public $nginxproxy to true in lightcms.php

[TardisHotel]

oh is this the one you got off brens release :-) lol

[PR0]

Uncomment

PHP Code:

/*if($light->nginxproxy == true) {
        $hd = getallheaders();
        $_SERVER["REMOTE_ADDR"] = $hd['X-Forwarded-For'];
    }*/ 


and set public $nginxproxy to true in lightcms.php

Cheers.

oh is this the one you got off brens release :-) lol

Nope. It's the one Johno released. I looked at that one though thinking it had groups but it was just to upload a custom image, and as far as I can see from your site its the same.

Also- I think it's just the register exploits that you're talking about when you say Bren's is unsafe. If so, can you help me secure it? I just don't know how to secure those certain functions, I'm new to PHP and it looks filtered properly to me... idk what else to do so I can secure it.

[TardisHotel]

bren knew the one he released was full of exploits thats why he released it ;-P if you notice mine has bots and groups and is secure as can be :-) I warned everyone not to download it, I don't care who has the same cms as me but that one he released he did so knowing him and his lil gang boys could get into ur hotel.

[PR0]

bren knew the one he released was full of exploits thats why he released it ;-P if you notice mine has bots and groups and is secure as can be :-) I warned everyone not to download it, I don't care who has the same cms as me but that one he released he did so knowing him and his lil gang boys could get into ur hotel.

Um.. I doubt it's got that many exploits in it. Did you scan it at all? I can check that if someone is using that version.

Bots are easily found in versions of UberCMS 2 and coded for other CMS' - it's not hard to add them to Jonty's version and I didn't notice the actual group home pages with forums when I checked, I noticed it was just a page that inserts information into the groups table and probably has something edited in the external_vars to make your custom images compatible. It's cool, but not what I consider groups for a CMS.

[TardisHotel]

Um.. I doubt it's got that many exploits in it. Did you scan it at all? I can check that if someone is using that version.

Bots are easily found in versions of UberCMS 2 and coded for other CMS' - it's not hard to add them to Jonty's version and I didn't notice the actual group home pages with forums when I checked, I noticed it was just a page that inserts information into the groups table and probably has something edited in the external_vars to make your custom images compatible. It's cool, but not what I consider groups for a CMS.

It is the best groups we can get working with Phoenix in client.. Doubt away all you want about the exploits :-)

[PR0]

It is the best groups we can get working with Phoenix in client.. Doubt away all you want about the exploits :-)

Doesn't Phoenix already have groups coded? All that you need to do is get something that inserts the correct information to the groups table in the database and it should work as far as I know.

It can't be that hard to port over groups from an UberCMS edit to Jonty's can it?