예제 #1
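 /**
  * Whether uploaded files can be stored in the given directory.
  *
  * Passes only when PHP accepts uploads at all (file_uploads ini setting) and
  * the target directory exists (it is created when missing) and is both
  * readable and writable.
  *
  * @param string|null $UploadPath Directory to check; defaults to PATH_UPLOADS.
  * @return bool
  */
 public static function canUpload($UploadPath = null)
 {
     if (is_null($UploadPath)) {
         $UploadPath = PATH_UPLOADS;
     }
     // Accept the usual boolean spellings of the ini value ("1", "On", ...)
     // instead of a loose `!= 1` comparison.
     if (!filter_var(ini_get('file_uploads'), FILTER_VALIDATE_BOOLEAN)) {
         return false;
     }
     // Create the directory when missing. mkdir() warns if another request
     // created it in between, so is_dir() is re-checked instead of trusting
     // mkdir()'s return value. The directory gets mkdir()'s default mode
     // (0777 masked by the process umask); tighten the umask in deployment
     // if that is too permissive.
     if (!is_dir($UploadPath) && !@mkdir($UploadPath) && !is_dir($UploadPath)) {
         return false;
     }
     // The directory must be both writable (to store uploads) and readable.
     return isWritable($UploadPath) && is_readable($UploadPath);
 }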
예제 #2
파일: index.php 프로젝트: julpi/FreshCMS
    define('BASE_URL', $url . (endsWith($url, '/') ? '' : '/') . (USE_MOD_REWRITE ? '' : '?/') . ADMIN_DIR . (endsWith(ADMIN_DIR, '/') ? '' : '/'));
    define('BASE_URI', URI_PUBLIC . (endsWith($url, '/') ? '' : '/') . (USE_MOD_REWRITE ? '' : '?/') . ADMIN_DIR . (endsWith(ADMIN_DIR, '/') ? '' : '/'));
} else {
    define('CMS_BACKEND', false);
    define('BASE_URL', URL_PUBLIC . (endsWith(URL_PUBLIC, '/') ? '' : '/') . (USE_MOD_REWRITE ? '' : '?'));
    define('BASE_URI', URI_PUBLIC . (endsWith(URI_PUBLIC, '/') ? '' : '/') . (USE_MOD_REWRITE ? '' : '?'));
}
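define('PLUGINS_URI', URI_PUBLIC . CORE_FOLDER . '/plugins/');
// Theme locations are only defaulted when not already defined.
if (!defined('THEMES_ROOT')) {
    define('THEMES_ROOT', CMS_ROOT . '/public/themes/');
}
if (!defined('THEMES_URI')) {
    define('THEMES_URI', URI_PUBLIC . 'public/themes/');
}
// Security checks -----------------------------------------------------------
// Outside DEBUG mode a writable config file is treated as fatal: a static
// notice is printed and the request stops here, before any further bootstrap.
if (!DEBUG && isWritable($config_file)) {
    // Windows systems always have writable config files... skip those.
    // substr() yields a string, so compare strictly rather than with a loose !=.
    if (substr(PHP_OS, 0, 3) !== 'WIN') {
        echo '<html><head><title>Fresh CMS automatically disabled!</title></head><body>';
        echo '<h1>Fresh CMS automatically disabled!</h1>';
        echo '<p>Fresh CMS has been disabled as a security precaution.</p>';
        echo '<p><strong>Reason:</strong> the configuration file was found to be writable.</p>';
        echo '</body></html>';
        exit;
    }
}
//  Init  --------------------------------------------------------------------
// Lifetimes in seconds: one hour for a session, two weeks for "remember login".
define('SESSION_LIFETIME', 3600);
define('REMEMBER_LOGIN_LIFETIME', 1209600);
define('DEFAULT_CONTROLLER', 'page');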
예제 #3
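 /**
  * Check minimum requirements for Garden.
  *
  * Every failed check is added to $this->Form as an error; the return value
  * only reports whether any error was recorded. Checks, in order: PHP version,
  * PDO and its MySQL driver, read/write access to the conf, uploads and cache
  * folders, the config file (or its folder when the file does not exist yet),
  * and finally creation of the Smarty cache folders.
  *
  * @since 2.0.0
  * @access private
  * @return bool Whether platform passes requirement check.
  */
 private function _checkPrerequisites()
 {
     // Make sure we are running at least the required PHP version.
     if (version_compare(PHP_VERSION, ENVIRONMENT_PHP_VERSION, '<')) {
         $this->Form->addError(sprintf(t('You are running PHP version %1$s. Vanilla requires PHP %2$s or greater. You must upgrade PHP before you can continue.'), PHP_VERSION, ENVIRONMENT_PHP_VERSION));
     }
     // Make sure PDO and its MySQL driver are available.
     if (!class_exists('PDO')) {
         $this->Form->addError(t('You must have the PDO module enabled in PHP in order for Vanilla to connect to your database.'));
     }
     if (!defined('PDO::MYSQL_ATTR_USE_BUFFERED_QUERY')) {
         $this->Form->addError(t('You must have the MySQL driver for PDO enabled in order for Vanilla to connect to your database.'));
     }
     // Folders that must be readable and writable by the web server. The Smarty
     // compile folder is only checked when it already exists; it is created below otherwise.
     $RequiredDirectories = array(PATH_CONF, PATH_UPLOADS, PATH_CACHE);
     if (file_exists(PATH_CACHE . '/Smarty/compile')) {
         $RequiredDirectories[] = PATH_CACHE . '/Smarty/compile';
     }
     $ProblemDirectories = array();
     foreach ($RequiredDirectories as $Directory) {
         if (!is_readable($Directory) || !isWritable($Directory)) {
             $ProblemDirectories[] = $Directory;
         }
     }
     // Display our permission errors.
     $PermissionProblem = count($ProblemDirectories) > 0;
     if ($PermissionProblem) {
         $PermissionError = t('Some folders don\'t have correct permissions.', '<p>These folders must be readable and writable by the web server:</p>');
         $PermissionHelp = '<pre>' . implode("\n", $ProblemDirectories) . '</pre>';
         $this->Form->addError($PermissionError . $PermissionHelp);
     }
     // The remaining checks are skipped once a folder problem was found, so the
     // folder list is reported on its own instead of with a pile of follow-up errors.
     if (!$PermissionProblem) {
         $ConfigFile = Gdn::config()->defaultPath();
         if (file_exists($ConfigFile)) {
             // Make sure the config file is writable.
             if (!is_readable($ConfigFile) || !isWritable($ConfigFile)) {
                 $this->Form->addError(sprintf(t('Your configuration file does not have the correct permissions. PHP needs to be able to read and write to this file: <code>%s</code>'), $ConfigFile));
                 $PermissionProblem = true;
             }
         } elseif (!isWritable(dirname($ConfigFile) . '/')) {
             // Make sure the config file can be created. Uses the same isWritable()
             // probe as the folder checks above instead of is_writeable(), so the
             // result is consistent across platforms (the trailing slash marks a folder).
             $this->Form->addError(sprintf(t('Your configuration file cannot be created. PHP needs to be able to create this file: <code>%s</code>'), $ConfigFile));
             $PermissionProblem = true;
         }
     }
     // Make sure the Smarty cache folders exist, creating them when missing. A
     // failed mkdir() is reported as a form error instead of surfacing later as
     // a warning when Smarty first tries to write. mkdir() warns if a concurrent
     // request created the folder in between, hence the is_dir() re-check.
     if (!$PermissionProblem) {
         foreach (array('/Smarty', '/Smarty/cache', '/Smarty/compile') as $SubDirectory) {
             $Directory = PATH_CACHE . $SubDirectory;
             if (!file_exists($Directory) && !@mkdir($Directory) && !is_dir($Directory)) {
                 $this->Form->addError(sprintf(t('The cache folder could not be created: <code>%s</code>'), $Directory));
                 // The nested folders cannot be created either; stop after the first failure.
                 break;
             }
         }
     }
     return $this->Form->errorCount() == 0;
 }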
예제 #4
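/**
 * isWritable
 *
 * will work in despite of Windows ACLs bug
 *
 * NOTE: use a trailing slash for folders!!!
 * see http://bugs.php.net/bug.php?id=27609
 * see http://bugs.php.net/bug.php?id=30931
 *
 * For a folder (trailing slash, or an existing directory) a uniquely named
 * temporary file is created inside it and removed again; for a file path the
 * file is opened for append, which leaves an existing file's contents untouched.
 *
 * @param string $path File path to check permissions
 *
 * @return bool true when the path can be written to, false otherwise
 */
function isWritable($path)
{
    $path = (string) $path;
    // An empty path can never be written; on PHP 8 fopen('') would throw a
    // ValueError that @ does not suppress.
    if ($path === '') {
        return false;
    }
    // Folders are probed with a temporary file inside them.
    if (substr($path, -1) === '/') {
        $path .= uniqid(mt_rand(), true) . '.tmp';
    } elseif (@is_dir($path)) {
        $path .= '/' . uniqid(mt_rand(), true) . '.tmp';
    }
    // check tmp file for read/write capabilities
    $existed = file_exists($path);
    // 'a' keeps an existing file intact; 'x' creates the probe file exclusively,
    // so a pre-planted file or symlink at the probe name makes the probe fail
    // instead of being opened through.
    $handle = @fopen($path, $existed ? 'a' : 'x');
    if ($handle === false) {
        return false;
    }
    fclose($handle);
    if (!$existed) {
        unlink($path);
    }
    return true;
}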
예제 #5
    $advisories['.travis.yml, file present'] = 'The .travis.yml is still present. This file is only needed for Wolf CMS development. You may want to remove it for added security.';
}
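// Is the config file writable?
if (isWritable(CFG_FILE)) {
    $advisories['config file, writable'] = 'The configuration file has been found to be writable. We would advise you to remove all write permissions on config.php on production systems. As long as no FATAL level potential security issues were detected with the config.php file, you will still be able to run Wolf CMS.';
}
// Are the 'wolf' directory, the '.htaccess' file or the 'index.php' file writable?
// One entry per check: advisory key, path to probe, what was found, chmod arguments for the advice.
// NOTE(review): if isWritable() probes by creating a temporary file, a missing
// .htaccess would briefly be created and removed here — confirm against the helper.
$writableChecks = array(
    array(
        'core directory, writable',
        CORE_ROOT . DS,
        'The Wolf CMS core directory ("wolf/") and/or files underneath it has been found to be writable.',
        '-R a-w ' . CORE_ROOT . DS,
    ),
    array(
        'htaccess file, writable',
        dirname(__FILE__) . DS . '.htaccess',
        'The Wolf CMS .htaccess file has been found to be writable.',
        'a-w ' . dirname(__FILE__) . DS . '.htaccess',
    ),
    array(
        'index.php file, writable',
        dirname(__FILE__) . DS . 'index.php',
        'The Wolf CMS index.php file has been found to be writable.',
        'a-w ' . dirname(__FILE__) . DS . 'index.php',
    ),
);
foreach ($writableChecks as $check) {
    list($key, $path, $finding, $chmodArgs) = $check;
    if (isWritable($path)) {
        $advisories[$key] = $finding . ' We would advise you to remove all write permissions. <br/>You can do this on unix systems with: <code>chmod ' . $chmodArgs . '</code>';
    }
}
/* RUN CHECKS - WARNINGS */
// Is DEBUG turned on?
if (DEBUG === true) {
    $warnings['debug on'] = 'Due to the type and amount of information an error might give intruders when debug is turned on, we strongly advise setting debug to FALSE in production systems.';
}
// Does the docs directory exist?
if (file_exists(CORE_ROOT . DS . '..' . DS . 'docs' . DS)) {
    $warnings['docs, directory present'] = 'The documentation directory ("docs/") is still present. You may want to remove it for added security.';
}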
/* RUN CHECKS - FATALS */
// fileperms() based checks
if (function_exists('fileperms')) {
    // Does the config file have write permissions for the group or the world?
예제 #6
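/**
 * getServerStats display server information
 *
 * Echoes an HTML fieldset with the php.ini settings relevant to uploads
 * (safe_mode, register_globals, file_uploads, upload_max_filesize,
 * post_max_size), the XOOPS root path and active theme set, and whether the
 * fopen/rename/copy/unlink helpers report themselves as usable.
 *
 * NOTE(review): the output discloses the server filesystem path
 * (XOOPS_ROOT_PATH); presumably only reachable from the module admin area — confirm.
 **/
function getServerStats()
{
    global $xoopsDB;
    // Resolve the conf_id of the "theme_set" option so the active theme can be shown.
    $sql = 'SELECT conf_id FROM ' . $xoopsDB->prefix('config') . ' WHERE conf_name = "theme_set"';
    $res = $xoopsDB->query($sql);
    list($conf_id) = $xoopsDB->fetchRow($res);
    $config_handler = xoops_gethandler('config');
    $config_theme = $config_handler->getConfig($conf_id, true);
    // Status badge templates; the label substituted is an _MP_XH_ON/_MP_XH_OFF string.
    $good = "<span style='color: green;'>%s</span>";
    $bad = "<span style='color: red;'>%s</span>";
    echo "\r\n    <div>&nbsp;</div>\r\n    <fieldset>\r\n      <legend style='font-weight: bold; color: #900;'>" . _MP_XH_TITLE . "</legend>\r\n        <div style='padding: 8px;'>\r\n          <div>" . _MP_XH_PHPINI . "</div>";
    $safemode = ini_get('safe_mode') ? _MP_XH_ON . _AM_WFD_DOWN_SAFEMODEPROBLEMS : _MP_XH_OFF;
    // register_globals is shown green when off; file uploads are shown green when on.
    $registerglobals = ini_get('register_globals') ? sprintf($bad, _MP_XH_ON) : sprintf($good, _MP_XH_OFF);
    $downloads = ini_get('file_uploads') ? sprintf($good, _MP_XH_ON) : sprintf($bad, _MP_XH_OFF);
    echo "\r\n        <ul>\r\n          <li>" . _MP_XH_SAFEMODESTATUS . $safemode . "</li>\r\n          <li>" . _MP_XH_REGISTERGLOBALS . $registerglobals . "</li>\r\n          <li>" . _MP_XH_SERVERUPLOADSTATUS . $downloads . "</li>\r\n          <li>" . _MP_XH_MAXUPLOADSIZE . " <span style='color: blue;font-weight: bold;'>" . ini_get('upload_max_filesize') . "</span></li>\r\n          <li>" . _MP_XH_MAXPOSTSIZE . " <span style='color: blue;font-weight: bold;'>" . ini_get('post_max_size') . "</span></li>\r\n        </ul>\r\n      <div>" . _MP_XH_GENERAL . "</div>\r\n        <ul>\r\n          <li>" . _MP_XH_SERVERPATH . " <b>" . XOOPS_ROOT_PATH . "</b></li>\r\n          <li>" . _MP_THEME_SET . " <b>" . $config_theme->getConfValueForOutput() . "</b></li>\r\n        </ul>";
    // Each helper is queried once (isCopyActive() used to be called twice).
    $write = isWritable();
    $copy = isCopyActive();
    $rename = isRenameActive();
    $delete = isDeleteActive();
    // One list item per filesystem function, in the same order as before.
    $functions = array('fopen' => $write, 'rename' => $rename, 'copy' => $copy, 'unlink' => $delete);
    $rows = '';
    foreach ($functions as $name => $active) {
        $rows .= "\r\n          <li>" . _MP_XH_FCT . " <i>" . $name . "</i>() :" . ($active ? sprintf($good, _MP_XH_ON) : sprintf($bad, _MP_XH_OFF)) . "</li>";
    }
    echo "\r\n      <div>" . _MP_XH_FCTINI . "</div>\r\n        <ul>" . $rows . "\r\n        </ul>\r\n        </div>\r\n    </fieldset>";
}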
예제 #7
파일: security.php 프로젝트: julpi/FreshCMS
    $warnings['debug on'] = 'Due to the type and amount of information an error might give intruders when debug is turned on, we strongly advise setting debug to FALSE in production systems.';
}
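// DEBUG may be undefined in a broken config: that counts as "not on" for the
// warning and "not off" for the fatal below, instead of tripping over an
// undefined constant (an Error on PHP 8).
$debugOn = defined('DEBUG') && DEBUG === true;
$debugOff = defined('DEBUG') && DEBUG === false;
// Probe the config file once; the result feeds both the warning and the fatal.
$configWritable = isWritable(CFG_FILE);
if ($configWritable && $debugOn) {
    $warnings['config file writable, debug on'] = 'The configuration file should never be writable in production systems. We advise you to remove write permissions on config.php';
}
if ($debugOff && file_exists(CORE_ROOT . '/install/')) {
    $warnings['install, directory present'] = 'The installation directory ("' . CORE_FOLDER . '/install/") is still present. You may want to remove it for added security since this is probably a production system. (DEBUG was set to FALSE)';
}
if ($debugOff && file_exists(CORE_ROOT . '/../docs/')) {
    $warnings['docs, directory present'] = 'The documentation directory ("docs/") is still present. You may want to remove it for added security since this is probably a production system. (DEBUG was set to FALSE)';
}
if (defined('DB_DSN') && startsWith(DB_DSN, 'sqlite:' . realpath(dirname(__FILE__)))) {
    $warnings['db, sqlite location'] = 'It would appear that the SQLite database file is stored inside of web accessible directory. We strongly recommend that you move the database files.';
}
/* RUN CHECKS - fatals */
// Anything but DEBUG === true (including an undefined DEBUG) is treated as production here.
if ($configWritable && !$debugOn) {
    $fatals['config file writable, debug off'] = 'Fresh CMS has automatically made itself unavailable because the configuration file was found to be writable. Until this problem is corrected, only this screen will be available.';
}
if ($debugOff && file_exists(CORE_ROOT . '/../security.php')) {
    $fatals['security.php, file present'] = 'The security.php file is still present. Please remove it to prevent abuse since this is a production system. (DEBUG was set to FALSE)';
}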
/* END CHECKS - DUMP OUTPUT */
?>

    <h1>Overview</h1>
    <p>Once your Fresh CMS installation is running in production status, you are strongly advised to remove this file ("/security.php") to prevent abuse.</p>
    <?php 
// The checks above assume a non-production install whenever DEBUG is on; say so.
if (DEBUG === true) {
    echo '<p><strong>NOTE:</strong> this check is assuming this installation of Fresh CMS is NOT a production system since DEBUG is set to TRUE. Please <strong>make sure to run this check again</strong> with DEBUG set to FALSE.</p>';
}
?>
예제 #8
        <div id="site-title">Wolf CMS - security advisory</div>
    </div>
    <div id="content">

<?php 
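/* START CHECKS */
// Findings are collected per severity for output further down; the array keys
// double as stable identifiers for each finding.
$advisories = array();
$warnings = array();
$fatals = array();
/* RUN CHECKS - ADVISORIES */
// Does the readme.txt file exist?
if (file_exists(CORE_ROOT . DS . '..' . DS . 'readme.txt')) {
    $advisories['readme.txt, file present'] = 'The readme.txt is still present. You may want to remove it for added security.';
}
// Is the config file writable?
if (isWritable(CFG_FILE)) {
    $advisories['config file, writable'] = 'The configuration file has been found to be writable. We would advise you to remove all write permissions on config.php on production systems. As long as no FATAL level potential security issues were detected with the config.php file, you will still be able to run Wolf CMS.';
}
/* RUN CHECKS - WARNINGS */
// Is DEBUG turned on?
if (DEBUG === true) {
    $warnings['debug on'] = 'Due to the type and amount of information an error might give intruders when debug is turned on, we strongly advise setting debug to FALSE in production systems.';
}
// Does the docs directory exist?
if (file_exists(CORE_ROOT . DS . '..' . DS . 'docs' . DS)) {
    $warnings['docs, directory present'] = 'The documentation directory ("docs/") is still present. You may want to remove it for added security.';
}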
// fileperms() based checks
if (function_exists('fileperms')) {
    // Does the config file have write permissions for the group or the world?