    • 30476
    • 16 Posts
    Btw, how would you call the fourth line of code of every single page processed to the frontend?
    I can’t believe you missed that one!
    • Would you please elaborate on that toti?

      The fourth physical line in the main index.php file is a comment.

      The fourth actual line of code, excluding whitespace, is a header declaration:

      header('P3P: CP="NOI NID ADMa OUR IND UNI COM NAV"');


      The fourth line of code that renders to the browser is entirely dependent on your template and content.

      I could completely be misunderstanding what you’re asking of course.

        Ryan Thrash, MODX Co-Founder
        Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
        • 30476
        • 16 Posts
        Sorry I wasn’t so clear!
        Yes, you found the one I meant, the header one :D
        What could be its purpose (if not tracking)?
        • It must be an evil scheme by the W3C then! They’re the evildoers!

          http://www.w3.org/TR/P3P/

            Ryan Thrash, MODX Co-Founder
            Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
            • 30476
            • 16 Posts
            Great to learn on that! Thanks!
            I haven’t understood what this is for yet, but I will ask my employees why no one ever used this before in our sites.
            Etomite got me too suspicious, but are we ever enough in security? :P
            • Yeah... when I first started digging through the code, I found that stuff that really caused me to question the true intentions. Regardless of any stated intentions, it served to offer too many justifiable opportunities for outsiders to question either credibility, competence or motive (or all three). It was the first thing to get ripped out of about 10 different files it snaked its way through, as I recall, in MODx.
                Ryan Thrash, MODX Co-Founder
                Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
                • 17282
                • 283 Posts
                Well guys .. thanks for all this clarity!

                I have to say as soon as I found and used Modx the first time I was converted anyway!
                It’s a wonderful CMS, and has made my web design job sooo much easier, here’s to all the dev team.

                I wish I had the php knowledge to help dev... unfortunately I’m a php retard ..
                If you ever set up a template section tho I’d be more than glad to submit!

                Martyn
                  Everytime you use Flash ... a puppy dies .....
                  R.G Taylor
                  • 33337
                  • 3,975 Posts
                  Quote from: Lizard at Jan 31, 2006, 08:24 AM


                  If you ever set up a template section tho I’d be more than glad to submit!

                  Martyn

                  If I am right, you are talking about sharing some nice templates ;) ? Go here and submit.

                  ...and YES! Thanks for all the appreciation.

                  best regards,

                  zi
                    Zaigham R - MODX Professional | Skype | Email | Twitter

                    Digging the interwebs for #MODX gems and bringing it to you. modx.link
                    • 2762
                    • 1,198 Posts
                    Quote from: Lizard at Jan 31, 2006, 08:24 AM

                    ... unfortunately I’m a php retard ..
                    If you ever set up a template section tho I’d be more than glad to submit!

                    Martyn

                    :D :D Nice, I’m not alone!!
                      Free MODx Graphic resources and Templates www.tattoocms.it
                      -----------------------------------------------------

                      MODx IT  www.modx.it
                      -----------------------------------------------------

                      bubuna.com - Web & Multimedia Design
                      • 21255
                      • 215 Posts
                      Quote from: toti at Jan 30, 2006, 04:10 PM

                      But, just to give you an example of the bad thing in the code (so that anybody knows which CMS you are using) is that the path to "manager" is hard-coded just about everywhere in the code (the good way would be to define it in a constant).
                      [..]The same applies to "assets" (which is very particular to Etomite / Modx) and many other directories (like the snippets’ one that has nothing to do in publicly designed folder).

                      First of all, thank you for being aware of security. Your recommendations are good, but I think the thing with pathnames goes more into webserver security. On most Apache configurations a simple .htaccess file with "Deny from all" would protect your directories with PHP include files (say "snippets" or "plugins") in a reliable way.

                      To enhance security further, you could apply the following directive to the document root of your website:
                      <Files "*.inc.php">
                          Order allow,deny
                          Deny from all
                      </Files>
                      

                      That would prevent PHP code from being displayed in case the PHP engine died/is not running.


                      Anyway, I like the idea of renaming "manager" to something else - that would be a nice feature. Nevertheless I think the right way subject to security would be to continue making backend login even safer, so that it doesn’t count if someone knows the path or not.

                      Again, thank you for your support. Please feel free to contact me for any ideas and suggestions related to security.
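
Added example, not part of the original post or of the MODx code base: the two protections described in the post above, written so they work on both Apache 2.2 (`Order`/`Deny`) and Apache 2.4 (`Require`, which replaced the older directives). It assumes the server's `AllowOverride` setting permits `Limit` and `AuthConfig` in `.htaccess`; the directory names are the ones the post mentions.

```apache
# ---------------------------------------------------------------
# File 1: .htaccess inside an include-only directory
#         (e.g. "snippets" or "plugins", as named in the post).
# Nothing in such a directory should be requested over HTTP, so
# every request is refused; PHP can still include() the files
# because include() reads from disk, not through Apache.
# ---------------------------------------------------------------
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order allow,deny
    Deny from all
</IfModule>

# ---------------------------------------------------------------
# File 2: .htaccess in the document root.
# Refuses direct requests for any *.inc.php file anywhere below
# the root. The 403 is returned before a handler is chosen, so
# the source is not sent as plain text even if the PHP handler
# is not loaded.
# ---------------------------------------------------------------
<FilesMatch "\.inc\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying, request one of the protected files directly and confirm the response is 403 rather than the file's source; a 200 usually means `AllowOverride None` is in effect and the `.htaccess` file is being ignored.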