mgcjerry.net
Welcome to my simple place online.

Current Events - Behind the scenes of index.php
Posted by: MGCJerry on Apr 23, 2016 @ 19:58 EDT
Last Edited: Never

I had originally posted this on my other site, but now this one is getting it badly too.

Lately I've been seeing a lot of people trying to load /etc/passwd through this CMS with directory-traversal requests like this one. Sorry my friends, the $_GET['page'] request parameter doesn't work like that.
index.php?page=../../../../../../../../../../../../../../../../../etc/passwd

This CMS code does NOT work like this:
include($_GET['page']);

Here is how this CMS loads pages, step by step.
First off, $_GET and $_POST are NOT used directly.
1. Bans are checked against the list. If your IP is found in the block list, all you get is a banned page and the script exits.
2. Rogue Admin rules (which are set by admins) are checked. I have "../" as a rule that triggers a ban, as well as "http://" and even "ftp://". If Rogue Admin finds one of these anywhere in the request, it carries out the action configured for that rule and ALL site variables are set to false. Since remote requests are not used, I have bans set up for them. This CMS cannot load remote resources anyhow, by design.
3. "api.sanitation" removes all non-text characters (quotes, slashes, dots, punctuation, etc.) from $_GET['page']. Note: "api.sanitation" is the only place where $_GET and $_POST are used. Every variable gets a first sanitation pass, and the result is stored in a new global that is used exclusively throughout the CMS. If nothing is left after sanitation, the variable is unset entirely, and the result is that you get the home page.
4. After sanitation, "header.php" fetches the current list of all pages (the menus stem from this output). If you are requesting a specific page and the page exists in the list AND is enabled AND you have permission to see it, "header.php" tells "index.php" which page to load from the database. If the page doesn't exist in the page list, you get a 404 error page. If you are not allowed to see the page, you get a 403 error.

Your URI actually NEVER reaches the database and is never used in a database query. It is compared to the current list of pages, and the script builds its query from its own results, never from yours. Even if I deleted the http and ftp rules, there is an include restriction built into the module system: it will, once again, only load a local file if that file is present in its own list AND in a specific location. Otherwise all you get is a 404, and I get an includes error report.
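The four steps above, written out as an added PHP example. This is not MGCMS code: the ban list, the rule list, the page table, the file names and every function name here are assumptions made up for illustration, and the sample requests at the bottom are constructed. It puts the loader the attackers assume is there (include straight from the request) beside a loader that follows the design described in the post: the raw request is matched against the rogue rules, then reduced to letters and digits, then used only as a key into the page list, and the file that finally gets included comes from that list, never from the client.

```php
<?php
// Added example, not MGCMS code. All names and tables are assumptions.
declare(strict_types=1);

// Step 1: IP ban list (constructed sample).
const BANNED_IPS = ['203.0.113.7'];

// Step 2: "Rogue Admin"-style rules: substrings that trigger a ban
// wherever they appear in the raw request.
const ROGUE_RULES = ['../', 'http://', 'ftp://'];

// Step 4: the page list that header.php would fetch from the database
// (constructed sample). Only rows in this table can ever be loaded.
const PAGES = [
    'home'    => ['enabled' => true,  'public' => true,  'file' => 'home.php'],
    'contact' => ['enabled' => true,  'public' => true,  'file' => 'contact.php'],
    'admin'   => ['enabled' => true,  'public' => false, 'file' => 'admin.php'],
    'old'     => ['enabled' => false, 'public' => true,  'file' => 'old.php'],
];

// What the traversal requests assume index.php does. DO NOT use: the
// request value goes straight into include(), so ../../etc/passwd is read.
function vulnerable_loader(array $get): void
{
    include($get['page']);
}

/** Step 2: true if any rogue rule appears in any raw GET or POST value. */
function rogue_admin_hit(array $get, array $post): bool
{
    foreach (array_merge($get, $post) as $value) {
        if (!is_string($value)) {
            continue;
        }
        foreach (ROGUE_RULES as $rule) {
            if (stripos($value, $rule) !== false) {
                return true;
            }
        }
    }
    return false;
}

/** Step 3: keep letters and digits only (assumed rule); null if nothing survives. */
function sanitize_page(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $clean = preg_replace('/[^A-Za-z0-9]/', '', $raw);
    return $clean === '' ? null : $clean;
}

/**
 * Steps 1-4 combined. Returns [status, file] where status is 'banned',
 * 200, 403 or 404. The request string is never used as a path: the file
 * name is taken from the PAGES row, never from the client.
 */
function resolve_page(string $ip, array $get, array $post, bool $is_admin): array
{
    // Step 1: banned IPs get the banned page and nothing else.
    if (in_array($ip, BANNED_IPS, true)) {
        return ['banned', null];
    }
    // Step 2: a rule hit applies the configured action (here: ban) and
    // drops every site variable, before sanitation ever runs.
    if (rogue_admin_hit($get, $post)) {
        return ['banned', null];
    }
    // Step 3: the sanitized copy is the only form of the request used from here on.
    $raw  = is_string($get['page'] ?? null) ? $get['page'] : null;
    $page = sanitize_page($raw) ?? 'home';

    // Step 4: the sanitized name is only ever a lookup key into the page list.
    if (!isset(PAGES[$page]) || !PAGES[$page]['enabled']) {
        return [404, null];
    }
    if (!PAGES[$page]['public'] && !$is_admin) {
        return [403, null];
    }
    return [200, __DIR__ . '/pages/' . PAGES[$page]['file']];
}

// Constructed sample requests from an unbanned, non-admin client.
$samples = [
    ['page' => 'contact'],
    ['page' => '../../../../etc/passwd'],
    ['page' => 'etc.passwd'],
    ['page' => 'admin'],
];
foreach ($samples as $get) {
    [$status, $file] = resolve_page('198.51.100.2', $get, [], false);
    printf("%-24s => %s %s\n", $get['page'], $status, $file ?? '');
}
```

Running it with php shows the four outcomes the post describes: the contact request resolves to 200 and the contact.php row; the traversal request is banned at step 2, so sanitation never even sees it; "etc.passwd" contains no rule string but is reduced to "etcpasswd", which is not in the page list, so 404; "admin" exists and is enabled but is not public, so 403. Note that step 2 deliberately runs on the raw request, because a "../" that survived to step 3 would be stripped to nothing and silently become the home page instead of a ban.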

Hope you enjoyed this look behind the scenes. Remember, reading is your friend. You don't want to look like a dingus because you didn't read the documents; it's bad for your image.

Oh, this is also NOT Joomla, PHPNuke (or any clone), or WordPress, so those administration or RPC pages do NOT exist. Period.

Public Ban List
Posted by: MGCJerry on Mar 30, 2016 @ 16:14 EDT
Last Edited: Never

After some thought, all my sites will now share a ban list. I will periodically merge the bans from all my sites and apply them to each site.

Mini Rant - Spamming
Posted by: MGCJerry on Feb 20, 2016 @ 17:02 EST
Last Edited: Never

Just a minor rant based on the status of my 3 main sites.

It seems a few sites have been on a hell of a spamming spree over the last few months, now that I have more complete logging abilities. These sites are of questionable purpose. They don't work at all with NoScript, and there is NO WAY IN HELL I will see what they do without any kind of protection.
• hvd-store.com
• burger-imperia.com
• pizza-imperia.com

I won't call them a SCAM because I haven't used their products or services, but buyer beware when dealing with these domains! My trust meter on these sites registers a big, fat ZERO.

Anyone who presents these referers in their browser or attempts contact-form spam will be automatically banned. Typically the system is slightly more lenient, but for these 3 sites it is much more aggressive. These bans will not be overturned. Excessive bans from a particular IP address allocation will result in that entire block being banned server-side. A few blocks are already close to being server-banned.

Some Updates
Posted by: MGCJerry on Jan 10, 2016 @ 10:19 EST
Last Edited: Jan 10, 2016 @ 10:19 EST

There have been a few changes. There is now a simple "like/dislike" voting system in place. Coming soon is a news comment system, complete with like and dislike as well. Once you vote on an item, you cannot change or undo your vote. That may change in the future.

mgcjerry.net, New CMS.
Posted by: MGCJerry on Dec 27, 2015 @ 16:51 EST
Last Edited: Jan 10, 2016 @ 10:08 EST

mgcjerry.net is now once again running the latest version of my in-house CMS. It has been made more modular, has a new template engine, and now runs on MariaDB. Looking to the future and newer software.

Do note that this site is now running everyone's favorite anti-spam, anti-hacker system, "Rogue Admin". This installed version is much nicer to attackers, but it still locks people out for doing stupid things.

MGCMS Programming by MGCJerry
Copyright © 2007-2012, 2014, 2015, 2016
ALL RIGHTS RESERVED