
public_demo [2018/10/26 15:33]
====== Setting up a public demo ======

Providing a public [[http://demo.cmsimple-xh.dk/|demo of CMSimple_XH with back-end access]] is a nice feature for interested users. However, simply uploading a CMSimple_XH installation with some templates and plugins and publicly announcing the admin password can have disastrous consequences, because it is very easy to implant malicious code – consider that arbitrary PHP code can be executed via templates and the content, among other places.

At the //very least//, make sure that:

  * all files that normally can be edited from the back-end are [[filesystem_permissions|write protected]]
  * no mails can be sent via the [[mailform]]
  * the PHP info can't be accessed
  * the [[troubleshooting|debug mode]] is disabled

===== Suppress sending of mails =====

Of course, you can just completely [[mailform#activation|disable the mailform]], but if you want to present the mailform (which seems appropriate for a demo), you should apply something like the following patch:

<code diff>
 cmsimple/classes/Mailform.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmsimple/classes/Mailform.php b/cmsimple/classes/Mailform.php
index 5fb0c40..c1860a6 100644
--- a/cmsimple/classes/Mailform.php
+++ b/cmsimple/classes/Mailform.php
@@ -377,7 +377,7 @@ class XH_Mailform
         );
         $message = chunk_split(base64_encode($message));
 
-        return mail($to, $subject, $message, $header);
+        return true;
     }
 
     /**
</code>
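Review bot: the replaced line `return true;` reports a successful send to the caller while nothing is sent, and nothing near it records that this is intentional; the preceding lines still build and base64-encode `$message` for a mail that never leaves. Put a comment on that line (e.g. `// demo install: mail sending deliberately disabled`) so the change is not lost or re-applied unnoticed when a CMSimple_XH update replaces `cmsimple/classes/Mailform.php`, and consider writing the suppressed recipient and subject to a log so that attempts to abuse the demo mailform stay visible.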

Also make sure to adjust the mailform-related language strings where appropriate.

===== Disable PHP Info =====

This is important so that malicious users can't obtain information that may help them attack the site (for the same reason, the debug mode has to be disabled). You can use something like the following patch:

<code diff>
 cmsimple/cms.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmsimple/cms.php b/cmsimple/cms.php
index 54f6762..40ea642 100644
--- a/cmsimple/cms.php
+++ b/cmsimple/cms.php
@@ -1246,7 +1246,7 @@ if (XH_ADM) {
         $o .= XH_sysinfo();
         break;
     case 'phpinfo':
-        phpinfo();
+        echo 'Sorry, PHP info is not available in this demo!';
         exit;
     case 'settings':
         $o .= XH_settingsView();
</code>
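Review bot: the replacement `echo 'Sorry, PHP info is not available in this demo!';` hard-codes an English message and writes it straight to the output before the following `exit`, so it is neither localisable nor rendered inside the template; the adjacent `case 'sysinfo':` shows the pattern this switch otherwise uses (`$o .= ...;` then `break;`). Suggest appending the message to `$o` and using `break` instead of `exit`, with the text taken from the language file, which also fits the page's advice to adjust language strings for the demo.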
 
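As an added check (not part of this wiki page or of CMSimple_XH), the POSIX shell script below verifies, on a local copy of the install, the first three points listed at the top: back-end-editable files carry no write bit, Mailform.php no longer contains the original mail() call, and cms.php no longer contains the phpinfo() call. It assumes the standard layout (content/, templates/, plugins/, cmsimple/) and that the two patches above were applied as shown; the debug-mode point is not covered.

```shell
#!/bin/sh
# Added check, not part of the CMSimple_XH wiki or code base. Verifies on a
# local copy of the install that the demo hardening from this page is in place.
# Assumed layout (an assumption): content/, templates/, plugins/, cmsimple/.

# Print back-end-editable files that still carry any write bit (owner, group
# or other). Conservative on purpose: on many hosts the files are owned by the
# web server user, so even u+w lets PHP code modify them.
writable_files() {
  root="$1"
  for d in content templates plugins; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type f \( -perm -200 -o -perm -020 -o -perm -002 \) -print
  done
  return 0
}

# Succeeds when Mailform.php no longer contains the original mail() call
# that the first patch on this page replaces.
mail_suppressed() {
  ! grep -q 'return mail(' "$1/cmsimple/classes/Mailform.php"
}

# Succeeds when cms.php no longer contains the phpinfo() call that the
# second patch on this page replaces.
phpinfo_disabled() {
  ! grep -q 'phpinfo();' "$1/cmsimple/cms.php"
}

# Run every check, report each failure, return 0 only if all pass.
demo_hardened() {
  root="$1"; fail=0
  w=$(writable_files "$root")
  if [ -n "$w" ]; then
    printf 'writable back-end files:\n%s\n' "$w"; fail=1
  fi
  mail_suppressed "$root" || { echo 'Mailform.php still calls mail()'; fail=1; }
  phpinfo_disabled "$root" || { echo 'cms.php still calls phpinfo()'; fail=1; }
  return $fail
}

# Usage: demo_hardened /path/to/demo-install
```

Run it before and after each update of the demo, since an update restores the original core files and file modes.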
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3