Live preview not working
You should probably secure the configuration files..
Wow shit totally forgot about that..
So either put a deny from all htaccess file in there or just delete the .txts after they are parsed
For IIS:
Open web.config
Under
<rule name="Imported Rule 1">
    <match url="^([^.]*)$" ignoreCase="false" />
    <action type="Rewrite" url="index.php" />
</rule>
Add
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions>
        <add input="{URL}" pattern="/Boost/Configuration/*" />
    </conditions>
    <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
</rule>
or, make it a php file =)
What compelled you to use a text file, of all things?
I've been on three hotels that haven't protected that..
I am really sorry about the stupidity where people could see your MySQL password; I fixed it and uploaded the new version on the main post. But if you didn't port forward port 3306, nobody should've been able to do anything to your hotel.
Last edited by azaidi; 03-09-13 at 05:00 PM.
It's not an exploit. It's stupidity. Why on earth are you not putting the configurations in a PHP file which is protected from the public even accessing the file? Did you really think storing database credentials in a .txt file which is on a public webserver is a good idea? If you're stupid enough to do this there must be other flaws in your CMS.
I recommend people do not use this, unless someone who actually knows/cares about server/PHP security is willing to take the time to thoroughly examine the code and give confirmation that it is safe.
Hi guys, there was something wrong with the web.config. If you changed your clothes, you got disconnected. So I fixed up the web.config. Also, you need to put this in your wwwroot:
https://mega.co.nz/#!hVcgxJhA!M66_YD...ohIrYVVG2TR7QE
And replace your web.config with this:
This is tested on swiftemu.
PHP Code:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Imported Rule 1">
                    <match url="^([^.]*)$" ignoreCase="false" />
                    <action type="Rewrite" url="index.php" />
                </rule>
                <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions>
                        <add input="{URL}" pattern="/Boost/Configuration/*" />
                    </conditions>
                    <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
                </rule>
                <rule name="Imported Rule 100">
                    <match url="^(([A-Za-z0-9\-_]+/)*[A-Za-z0-9\-_]+)?$" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAll">
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="{R:1}.php" />
                </rule>
                <rule name="Imported Rule 1-1">
                    <match url="^habblet/xml/promo_habbos$" ignoreCase="false" />
                    <action type="Rewrite" url="habblet/xml/promo_habbos.php" />
                </rule>
            </rules>
        </rewrite>
        <httpErrors>
            <remove statusCode="404" subStatusCode="-1" />
            <remove statusCode="403" subStatusCode="-1" />
            <error statusCode="403" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
            <error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
        </httpErrors>
    </system.webServer>
</configuration>
Last edited by KevinZuiker; 03-09-13 at 07:55 PM.
There are some things I don't understand.. for example: why do you even save your config as a txt file when in your php code you clearly generate a php file from those txt files. Dump that feature and use ONLY the php files..
Other than that, keep it up. Looks better every time. You should look up MVC when you have time ;)
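What the replies above suggest (keep the settings in a PHP file and delete the .txt files once they are parsed), as an added example that is not code from this CMS. The key=value line format, the function name `migrateTxtConfig` and the demo paths are assumptions.

```php
<?php
// Added example: move legacy "key=value" .txt settings into one PHP config file.
// Assumptions (not from the thread): the key=value format, the function name,
// and the temporary paths used in the demo at the bottom.
declare(strict_types=1);

function migrateTxtConfig(string $txtDir, string $phpFile): array
{
    $settings = [];
    $sources = glob($txtDir . '/*.txt') ?: [];
    foreach ($sources as $txt) {
        $section = basename($txt, '.txt');
        $lines = file($txt, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
        foreach ($lines as $line) {
            if ($line[0] === '#' || strpos($line, '=') === false) {
                continue; // comment or malformed line
            }
            [$key, $value] = explode('=', $line, 2);
            $settings[$section][trim($key)] = trim($value);
        }
    }
    // A file that only returns an array prints nothing when it is requested
    // over HTTP, so the values never reach the response body.
    $code = "<?php\nreturn " . var_export($settings, true) . ";\n";
    if (file_put_contents($phpFile, $code, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $phpFile");
    }
    chmod($phpFile, 0600); // owner-only on Unix; on Windows/IIS use NTFS ACLs instead
    // Delete the plaintext sources only after the PHP file is written.
    foreach ($sources as $txt) {
        unlink($txt);
    }
    return $settings;
}

// Demo on constructed sample data in a temporary directory.
$dir = sys_get_temp_dir() . '/cfg_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/mysql.txt", "host=localhost\nuser=hotel\npassword=constructed-sample\n");
migrateTxtConfig($dir, "$dir/config.php");
$config = require "$dir/config.php";
var_dump($config['mysql']['user'] === 'hotel', glob("$dir/*.txt") === []);
```

The return-only file leaks nothing only while the server actually executes PHP, so placing it outside the web root is safer still.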