plugin_tutorial_security [2014/08/14 22:03] (127.0.0.1 external edit), compared with plugin_tutorial_security [2018/10/26 15:33]
====== Plugin Tutorial: Security ======

This is not the place to explain general security issues and how to prevent them, but a few notes regarding CMSimple_XH in particular seem appropriate. For general security related issues and solutions see [[https://www.owasp.org/index.php/Main_Page|OWASP]].

===== Direct Access =====

The plugin files index.php and admin.php are included by CMSimple_XH automatically, and often a plugin includes other files as well. It is easily overlooked, however, that these files usually can also be requested directly by URL. A directly requested file runs without the core having set up any of its globals, but with whatever request parameters the client supplied, which can lead to all kinds of vulnerabilities, especially when register_globals is enabled on the server (register_globals is deprecated since PHP 5.3 and removed in PHP 5.4, but hosts running older versions still exist). So any PHP file that contains executable code besides declarations (i.e. classes, functions and consts((provided the values of the consts consist of literal values only))) should be protected from direct access. A simple solution is to put the following at the top of the file:
<code php>
// CMSIMPLE_XH_VERSION is defined by the core before any plugin file is included
if (!defined('CMSIMPLE_XH_VERSION')) {
    die('Access denied');
}
</code>
If you prefer, you can also send a 403 Forbidden HTTP response header, either in addition to or instead of the message.
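The following is an added example, not code from the CMSimple_XH project or from this tutorial. It shows why the guard checks a constant rather than a global variable, and how to answer a direct request with a 403 instead of a bare message. The file path, the variable ''$example_config'' and the use of ''$pth['folder']['plugins']'' as the CMS-supplied plugin folder are assumptions made for the illustration.

```php
<?php
/*
 * Added example (not part of CMSimple_XH or of this tutorial):
 * guarding a plugin file against direct requests.
 *
 * Assumed location: plugins/example/classes/Helper.php (hypothetical path).
 * CMSIMPLE_XH_VERSION is defined by the core before any plugin file is
 * included, so it is missing only when the file is requested directly.
 */

// WEAK guard (constructed counter-example, do not use): a global variable
// can be faked by the request itself when register_globals is on, e.g.
//   GET /plugins/example/classes/Helper.php?pth[folder][plugins]=x
// makes $pth non-empty, so this check would pass.
//
// if (!isset($pth)) {
//     die('Access denied');
// }

// ROBUST guard: a constant cannot be injected through register_globals or any
// other request parameter, so it exists only if the CMS core has already run.
if (!defined('CMSIMPLE_XH_VERSION')) {
    // http_response_code() exists from PHP 5.4 on; header() with the status
    // line covers older versions. Either way the response carries a 403.
    if (function_exists('http_response_code')) {
        http_response_code(403);
    } else {
        $protocol = isset($_SERVER['SERVER_PROTOCOL'])
            ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0';
        header($protocol . ' 403 Forbidden');
    }
    header('Content-Type: text/plain; charset=UTF-8');
    // exit() with a string prints it and stops; nothing below is reached.
    exit('Access denied');
}

// Everything below runs only when the file was included by CMSimple_XH.
// Constructed example of executable (non-declaration) code that the guard
// protects: it relies on $pth being set by the core, not by the request.
$example_config = array(
    'cache_dir' => $pth['folder']['plugins'] . 'example/cache/',
);
```

Note that a file consisting solely of class, function and literal-valued const declarations does nothing harmful when requested directly, so the guard is only needed where file-scope code runs; it does no harm elsewhere, though, and makes the intent explicit.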
- 
===== XSS =====

This is already dealt with in the chapter about [[plugin_tutorial_escaping#x_html_output|escaping]].
- 
===== CSRF =====

FIXME to be written

<< [[plugin_tutorial_javascript|JavaScript]]
 
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3