Providing a public demo of CMSimple_XH with back-end access is a nice feature for interested users. However, simply uploading a CMSimple_XH installation with some templates and plugins and publicly announcing the admin password can have disastrous consequences, because it is very easy to implant malicious code: consider that arbitrary PHP code can be executed via templates and page content, among other places.
At the very least, make sure that:
Of course, you can just completely disable the mailform, but if you want to present the mailform (which seems appropriate for a demo), you should apply something like the following patch:
cmsimple/classes/Mailform.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmsimple/classes/Mailform.php b/cmsimple/classes/Mailform.php index 5fb0c40..c1860a6 100644 --- a/cmsimple/classes/Mailform.php +++ b/cmsimple/classes/Mailform.php @@ -377,7 +377,7 @@ class XH_Mailform ); $message = chunk_split(base64_encode($message)); - return mail($to, $subject, $message, $header); + return true; } /**
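Review bot: the changed line makes the method report success unconditionally while the message assembled just above it (`$message = chunk_split(base64_encode($message));`) is built and then discarded; add a comment on the `return true;` line stating that sending is intentionally suppressed for the demo, so that a later upgrade or merge of Mailform.php does not silently reinstate the `mail()` call, and so that anyone reading the code understands why the visitor still sees the "sent" confirmation that the text says should be adjusted in the language strings.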
Also make sure to adjust the mailform related language strings where appropriate.
This is important so that malicious users cannot obtain information that may help them attack the site (for the same reason, debug mode has to be disabled). You can use something like the following patch:
cmsimple/cms.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmsimple/cms.php b/cmsimple/cms.php index 54f6762..40ea642 100644 --- a/cmsimple/cms.php +++ b/cmsimple/cms.php @@ -1246,7 +1246,7 @@ if (XH_ADM) { $o .= XH_sysinfo(); break; case 'phpinfo': - phpinfo(); + echo 'Sorry, PHP info is not available in this demo!'; exit; case 'settings': $o .= XH_settingsView();
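Review bot: the replacement `echo ...; exit;` writes the message raw and terminates the request, bypassing the `$o .=` output buffer that the neighbouring cases use (`$o .= XH_sysinfo();`, `$o .= XH_settingsView();`), so the notice is shown without the template; for consistency with those cases use `$o .= '...'; break;` and take the string from the language file rather than hard-coding English, in line with the advice to adjust language strings. The `sysinfo` branch directly above this hunk still exposes system details to anyone with the demo password, so it deserves the same consideration.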