User edit bug

Next topic

Author	Message
Zinistry Vacana	Monday 19 May 2003 8:03:52 am I've seen that there are some problems with security with http://www../user/edit/** and have also red that if you install the demodata and use it for a site..the demo-setup is not secure. I'm using this for a site..just deleted the demodata in the admin-interface, and changed pagelayout.tpl, so how can I secure my site? Have installed the User edit bug fix patch. Are there any more things I have to do to get a secure eZ publish site?
Jo Henrik Endrerud	Tuesday 20 May 2003 10:14:04 am A virtual host setup is usually more secure than a non virtual host setup. This is because you can use Apache's rewrite rules. If you are running a non virtual host setup, you should make sure that all your site.ini.append (and other .append files) are renamed to site.ini.append.php and place everything in these files inside PHP comments. ex: <?php /* [my block] myvariable=3 */ ?> This will help if people get a way to access these files directly (then they will be parsed in the PHP module and all comments are stripped, so the file will be empty for the user). You should also use the wash() function wherever appropriate. Check the template section on http://ez.no/sdk for more information about this Jo Henrik Endrerud \| System Developer @ Seeds Consulting \| http://www.seeds.no

Author

Message

Monday 19 May 2003 8:03:52 am

I've seen that there are some problems with security with http://www.**.**/user/edit/** and have also red that if you install the demodata and use it for a site..the demo-setup is not secure.

I'm using this for a site..just deleted the demodata in the admin-interface, and changed pagelayout.tpl, so how can I secure my site?
Have installed the User edit bug fix patch.

Are there any more things I have to do to get a secure eZ publish site?

Jo Henrik Endrerud

Tuesday 20 May 2003 10:14:04 am

A virtual host setup is usually more secure than a non virtual host setup. This is because you can use Apache's rewrite rules.
If you are running a non virtual host setup, you should make sure that all your site.ini.append (and other .append files) are renamed to site.ini.append.php and place everything in these files inside PHP comments.

ex:

<?php
/*
[my block]
myvariable=3
*/
?>

This will help if people get a way to access these files directly (then they will be parsed in the PHP module and all comments are stripped, so the file will be empty for the user).

You should also use the wash() function wherever appropriate. Check the template section on http://ez.no/sdk for more information about this

Jo Henrik Endrerud | System Developer @ Seeds Consulting | http://www.seeds.no

eZ debug

Timing:

Jan 18 2025 04:22:52

Script start

Timing:

Jan 18 2025 04:22:52

Module start 'content'

Timing:

Jan 18 2025 04:22:53

Module end 'content'

Timing:

Jan 18 2025 04:22:53

Script end

Main resources:

Total runtime

1.0364 sec

Peak memory usage

4,096.0000 KB

Database Queries

191

Timing points:

Checkpoint	Start (sec)	Duration (sec)	Memory at start (KB)	Memory used (KB)
Script start	0.0000	0.0070	587.5859	180.8516
Module start 'content'	0.0070	0.8933	768.4375	493.6094
Module end 'content'	0.9003	0.1361	1,262.0469	333.5078
Script end	1.0363		1,595.5547

Checkpoint

Start (sec)

Duration (sec)

Memory at start (KB)

Memory used (KB)

Script start

0.0000

0.0070

587.5859

180.8516

Module start 'content'

0.0070

0.8933

768.4375

493.6094

Module end 'content'

0.9003

0.1361

1,262.0469

333.5078

Script end

1.0363

1,595.5547

Time accumulators:

Accumulator	Duration (sec)	Duration (%)	Count	Average (sec)
Ini load
Load cache	0.0045	0.4312	21	0.0002
Check MTime	0.0019	0.1839	21	0.0001
Mysql Total
Database connection	0.0010	0.0962	1	0.0010
Mysqli_queries	0.9685	93.4535	191	0.0051
Looping result	0.0017	0.1673	189	0.0000
Template Total	1.0062	97.1	2	0.5031
Template load	0.0020	0.1895	2	0.0010
Template processing	1.0042	96.8965	2	0.5021
Template load and register function	0.0002	0.0212	1	0.0002
states
state_id_array	0.0010	0.0938	1	0.0010
state_identifier_array	0.0009	0.0885	2	0.0005
Override
Cache load	0.0016	0.1533	19	0.0001
Sytem overhead
Fetch class attribute can translate value	0.0017	0.1638	3	0.0006
Fetch class attribute name	0.0023	0.2260	2	0.0012
XML
Image XML parsing	0.0008	0.0755	3	0.0003
class_abstraction
Instantiating content class attribute	0.0000	0.0007	2	0.0000
General
dbfile	0.0022	0.2143	21	0.0001
String conversion	0.0000	0.0006	3	0.0000
Note: percentages do not add up to 100% because some accumulators overlap

Accumulator

Duration (sec)

Duration (%)

Count

Average (sec)

Ini load

Load cache

0.0045

0.4312

0.0002

Check MTime

0.0019

0.1839

0.0001

Mysql Total

Database connection

0.0010

0.0962

0.0010

Mysqli_queries

0.9685

93.4535

191

0.0051

Looping result

0.0017

0.1673

189

0.0000

Template Total

1.0062

97.1

0.5031

Template load

0.0020

0.1895

0.0010

Template processing

1.0042

96.8965

0.5021

Template load and register function

0.0002

0.0212

0.0002

states

state_id_array

0.0010

0.0938

0.0010

state_identifier_array

0.0009

0.0885

0.0005

Override

Cache load

0.0016

0.1533

0.0001

Sytem overhead

Fetch class attribute can translate value

0.0017

0.1638

0.0006

Fetch class attribute name

0.0023

0.2260

0.0012

XML

Image XML parsing

0.0008

0.0755

0.0003

class_abstraction

Instantiating content class attribute

0.0000

0.0007

0.0000

General

dbfile

0.0022

0.2143

0.0001

String conversion

0.0000

0.0006

0.0000

Note: percentages do not add up to 100% because some accumulators overlap

CSS/JS files loaded with "ezjscPacker" during request:

Cache	Type	Packlevel	SourceFiles
	CSS	0	extension/community/design/community/stylesheets/ext/jquery.autocomplete.css extension/community_design/design/suncana/stylesheets/scrollbars.css extension/community_design/design/suncana/stylesheets/tabs.css extension/community_design/design/suncana/stylesheets/roadmap.css extension/community_design/design/suncana/stylesheets/content.css extension/community_design/design/suncana/stylesheets/star-rating.css extension/community_design/design/suncana/stylesheets/syntax_and_custom_tags.css extension/community_design/design/suncana/stylesheets/buttons.css extension/community_design/design/suncana/stylesheets/tweetbox.css extension/community_design/design/suncana/stylesheets/jquery.fancybox-1.3.4.css extension/bcsmoothgallery/design/standard/stylesheets/magnific-popup.css extension/sevenx/design/simple/stylesheets/star_rating.css extension/sevenx/design/simple/stylesheets/libs/fontawesome/css/all.min.css extension/sevenx/design/simple/stylesheets/main.v02.css extension/sevenx/design/simple/stylesheets/main.v02.res.css
	JS	0	extension/ezjscore/design/standard/lib/yui/3.17.2/build/yui/yui-min.js extension/ezjscore/design/standard/javascript/jquery-3.7.0.min.js extension/community_design/design/suncana/javascript/jquery.ui.core.min.js extension/community_design/design/suncana/javascript/jquery.ui.widget.min.js extension/community_design/design/suncana/javascript/jquery.easing.1.3.js extension/community_design/design/suncana/javascript/jquery.ui.tabs.js extension/community_design/design/suncana/javascript/jquery.hoverIntent.min.js extension/community_design/design/suncana/javascript/jquery.popmenu.js extension/community_design/design/suncana/javascript/jScrollPane.js extension/community_design/design/suncana/javascript/jquery.mousewheel.js extension/community_design/design/suncana/javascript/jquery.cycle.all.js extension/sevenx/design/simple/javascript/jquery.scrollTo.js extension/community_design/design/suncana/javascript/jquery.cookie.js extension/community_design/design/suncana/javascript/ezstarrating_jquery.js extension/community_design/design/suncana/javascript/jquery.initboxes.js extension/community_design/design/suncana/javascript/app.js extension/community_design/design/suncana/javascript/twitterwidget.js extension/community_design/design/suncana/javascript/community.js extension/community_design/design/suncana/javascript/roadmap.js extension/community_design/design/suncana/javascript/ez.js extension/community_design/design/suncana/javascript/ezshareevents.js extension/sevenx/design/simple/javascript/main.js

Cache

Type

Packlevel

SourceFiles

CSS

extension/community/design/community/stylesheets/ext/jquery.autocomplete.css
extension/community_design/design/suncana/stylesheets/scrollbars.css
extension/community_design/design/suncana/stylesheets/tabs.css
extension/community_design/design/suncana/stylesheets/roadmap.css
extension/community_design/design/suncana/stylesheets/content.css
extension/community_design/design/suncana/stylesheets/star-rating.css
extension/community_design/design/suncana/stylesheets/syntax_and_custom_tags.css
extension/community_design/design/suncana/stylesheets/buttons.css
extension/community_design/design/suncana/stylesheets/tweetbox.css
extension/community_design/design/suncana/stylesheets/jquery.fancybox-1.3.4.css
extension/bcsmoothgallery/design/standard/stylesheets/magnific-popup.css
extension/sevenx/design/simple/stylesheets/star_rating.css
extension/sevenx/design/simple/stylesheets/libs/fontawesome/css/all.min.css
extension/sevenx/design/simple/stylesheets/main.v02.css
extension/sevenx/design/simple/stylesheets/main.v02.res.css

extension/ezjscore/design/standard/lib/yui/3.17.2/build/yui/yui-min.js
extension/ezjscore/design/standard/javascript/jquery-3.7.0.min.js
extension/community_design/design/suncana/javascript/jquery.ui.core.min.js
extension/community_design/design/suncana/javascript/jquery.ui.widget.min.js
extension/community_design/design/suncana/javascript/jquery.easing.1.3.js
extension/community_design/design/suncana/javascript/jquery.ui.tabs.js
extension/community_design/design/suncana/javascript/jquery.hoverIntent.min.js
extension/community_design/design/suncana/javascript/jquery.popmenu.js
extension/community_design/design/suncana/javascript/jScrollPane.js
extension/community_design/design/suncana/javascript/jquery.mousewheel.js
extension/community_design/design/suncana/javascript/jquery.cycle.all.js
extension/sevenx/design/simple/javascript/jquery.scrollTo.js
extension/community_design/design/suncana/javascript/jquery.cookie.js
extension/community_design/design/suncana/javascript/ezstarrating_jquery.js
extension/community_design/design/suncana/javascript/jquery.initboxes.js
extension/community_design/design/suncana/javascript/app.js
extension/community_design/design/suncana/javascript/twitterwidget.js
extension/community_design/design/suncana/javascript/community.js
extension/community_design/design/suncana/javascript/roadmap.js
extension/community_design/design/suncana/javascript/ez.js
extension/community_design/design/suncana/javascript/ezshareevents.js
extension/sevenx/design/simple/javascript/main.js

Templates used to render the page:

Usage	Requested template	Template	Template loaded
1	node/view/full.tpl	full/forum_topic.tpl	extension/sevenx/design/simple/override/templates/full/forum_topic.tpl
2	content/datatype/view/ezxmltext.tpl	<No override>	extension/community_design/design/suncana/templates/content/datatype/view/ezxmltext.tpl
4	content/datatype/view/ezxmltags/paragraph.tpl	<No override>	extension/ezwebin/design/ezwebin/templates/content/datatype/view/ezxmltags/paragraph.tpl
3	content/datatype/view/ezxmltags/line.tpl	<No override>	design/standard/templates/content/datatype/view/ezxmltags/line.tpl
1	pagelayout.tpl	<No override>	extension/sevenx/design/simple/templates/pagelayout.tpl
Number of times templates used: 11 Number of unique templates used: 5

Usage

Requested template

Template

Template loaded

Edit

Override

node/view/full.tpl

full/forum_topic.tpl

extension/sevenx/design/simple/override/templates/full/forum_topic.tpl