
Plugin Tutorial: Security

This is not the place to explain general security issues and how to prevent them, but a few notes regarding CMSimple_XH in particular seem to be appropriate. For general security related issues and solutions see OWASP.

Direct Access

The plugin files index.php and admin.php are included by CMSimple_XH automatically, and often a plugin includes other files as well. It is easily overlooked, however, that these files usually can be requested directly. This can lead to all kinds of vulnerabilities, especially when register_globals is enabled on the server. So any PHP file that contains any executable code besides declarations (i.e. classes, functions and consts 1)) should be protected from direct access. A simple solution is to put the following at the top of the file:

if (!defined('CMSIMPLE_XH_VERSION')) {
    die('Access denied');
}
If you prefer, you can also send a 403 HTTP response header, either in addition to the message or instead of it.
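As an added example that is not part of the original tutorial, here is what the top of a hypothetical plugin file plugins/myplugin/index.php could look like when it combines the guard above with a proper 403 response. The constant CMSIMPLE_XH_VERSION is the one the tutorial relies on; the plugin name, the helper function and the global variables below are assumptions for illustration only.

```php
<?php
// Added example, not code from CMSimple_XH or any real plugin.
// CMSIMPLE_XH_VERSION is defined by CMSimple_XH before it includes a
// plugin's index.php; a direct HTTP request to this file never has it set.
if (!defined('CMSIMPLE_XH_VERSION')) {
    // 403 instead of the default 200 so that scanners and logs see a refusal,
    // plus the short message from the tutorial for a human reader.
    http_response_code(403);
    header('Content-Type: text/plain; charset=UTF-8');
    exit('Access denied');
}

// Everything below only runs when CMSimple_XH itself included this file.

// A declaration: safe on its own, but it lives in a file that also has
// executable code, so the file as a whole still needs the guard above.
// (Hypothetical helper; the name is an assumption for this example.)
function myplugin_render_notice($text)
{
    return '<div class="myplugin-notice">' . $text . '</div>';
}

// Executable code: this is what makes the guard necessary. With
// register_globals on, a direct request could otherwise inject values into
// variables like $plugin_tx before this code uses them.
// ($plugin_tx is a CMSimple_XH global; the 'myplugin' key is hypothetical.)
$myplugin_notice = isset($plugin_tx['myplugin']['notice'])
    ? $plugin_tx['myplugin']['notice']
    : '';
```

A file that holds nothing but class, function and constant declarations (with the constants consisting of literal values only) does not need this guard, because requesting it directly merely declares things and produces no output or side effects; every other PHP file a plugin ships should start with it.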


This is already dealt with in the chapter about escaping.


This topic is explained in the developer documentation.


1) the value of the consts consisting of literal values only
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3