pluck-cms / pluck

Central repo for pluck cms

Home Page: http://www.pluck-cms.org

Pluck Version 4.7.10 Issue

prbt2016 opened this issue · comments

Hello,

After a successful manual installation of Pluck 4.7.10, I get the following issue while accessing the admin panel, i.e.:

Notice: Undefined index: SCRIPT_URI in /{{PATH}}/{{TO}}/{{PLUCK}}/data/inc/functions.admin.php on line 654

Notice: Undefined index: HTTP_REFERER in /{{PATH}}/{{TO}}/{{PLUCK}}/data/inc/functions.admin.php on line 655

Warning: Cannot modify header information - headers already sent by (output started at /{{PATH}}/{{TO}}/{{PLUCK}}/data/inc/functions.admin.php:654) in /{{PATH}}/{{TO}}/{{PLUCK}}/admin.php on line 305

I checked by print_r($_SERVER) to check whether these superglobal variables are present and I found that these aren't present. As the function requestedByTheSameDomain() in /{{PATH}}/{{TO}}/{{PLUCK}}/data/inc/functions.admin.php uses '$_SERVER['SCRIPT_URI']' and '$_SERVER['HTTP_REFERER']' for parsing URLs and these aren't found, so it throws the above issue.

I tested the script on the following environment :

PHP Version - 7.0
Apache Version - 2.2.34
O.S - CentOS release 6.4 (Final)

I also tested on another server with the same configuration as above and on Apache 2.4.39. There too I get the same issue. There too I checked with print_r, and '$_SERVER['SCRIPT_URI']' and '$_SERVER['HTTP_REFERER']' weren't present.

Could you please check and replicate this issue at your end and fix this asap?

Hello @BSteelooper;

There is an issue with the syntax in this function in the latest patch file i.e
data/inc/functions.admin.php:

You need to change this function i.e :

function requestedByTheSameDomain() {
	if(isset($_SERVER['SCRIPT_URI'])){
		$myDomain = $_SERVER['SCRIPT_URI'];
	} elseif(isset($_SERVER['SCRIPT_URI'])){
		$myDomain = $_SERVER['SCRIPT_URI'];
	} else {
		$myDomain = $null;
	}
	if(isset($_SERVER['HTTP_REFERER'])){
		$requestsSource = $_SERVER['HTTP_REFERER'];
	} else {
		$requestsSource = $null;
	}
	if ($mydomain != $null and $requestsSource != $null ){
		return parse_url($myDomain, PHP_URL_HOST) === parse_url($requestsSource, PHP_URL_HOST);
	} else {
		show_error("Be carefull with clicking links, they might compromise your website. Your installation is not secured with measures to protect it.", 1);
		return $true;
	}
}

to

function requestedByTheSameDomain() {
	if(isset($_SERVER['SCRIPT_URI'])){
		$myDomain = $_SERVER['SCRIPT_URI'];
	} else {
		$myDomain = null;
	}
	if(isset($_SERVER['HTTP_REFERER'])){
		$requestsSource = $_SERVER['HTTP_REFERER'];
	} else {
		$requestsSource = null;
	}
	if ($myDomain != null and $requestsSource != null ){
		return parse_url($myDomain, PHP_URL_HOST) === parse_url($requestsSource, PHP_URL_HOST);
	} else {
		show_error("Be carefull with clicking links, they might compromise your website. Your installation is not secured with measures to protect it.", 1);
		return true;
	}
}

I drafted a new release: https://github.com/pluck-cms/pluck/releases/tag/4.7.11-dev2
Can you verify this? I think it will solve the issues. Only changing the $null to NULL was not the problem. The handling I created was wrong.

On CentOS there are $_SERVER variables missing or not filled in which are available on other distributions.

Could you verify it works on your install?

Thanks @BSteelooper,

The patch works absolutely fine, as now you have used $_SERVER['HTTP_HOST'] to check the domain. But since $_SERVER['HTTP_REFERER'] is not getting detected, it throws this error, i.e.:

Be carefull with clicking links, they might compromise your website. Your installation is not secured with measures to protect it.

This is due to the condition, i.e. elseif ($myDomain == NULL || $requestsSource == NULL).

if ($myDomain != NULL && $requestsSource != NULL && (strcmp(trim($myDomain), trim($referelDomain)) === 0) ){
	return true;
} elseif ($myDomain == NULL || $requestsSource == NULL) {
	show_error("Be carefull with clicking links, they might compromise your website. Your installation is not secured with measures to protect it.", 1);
	return true;
} else {
	return false;
}

Is this the correct way it is supposed to work?

Yes, this is the correct way for this version. I am working on a different solution where I don't have to rely on the REFERER. But this impacts every part of the site and will not be ready easily.
The REFERER is sent through the browser, and if it is not available the privacy settings in your browser are too strict. If you click a submit link in a mail or through another website which is crafted to hijack your website, this is possible if your browser does not send the REFERER. If I remove this elseif, you will not be able to access the admin panel.

I will release 4.7.11 later today.

Thanks for the release, @BSteelooper!!!
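
The fail-open branch discussed in the thread, next to a per-session token check that does not depend on the Referer header. This is an added example, not Pluck's code and not the maintainer's planned solution; the function names, the `csrf_token` field and the sample requests are assumptions.

```php
<?php
// Added example, not Pluck code. Function names and the 'csrf_token' key
// are hypothetical; the requests at the bottom are constructed samples.

// Referer-based decision modelled on the condition quoted in the thread
// (assumes the compared value is the host part of the Referer).
function refererCheck(array $server): bool {
    $myDomain = $server['HTTP_HOST'] ?? null;
    $referer  = $server['HTTP_REFERER'] ?? null;
    if ($myDomain === null || $referer === null) {
        return true; // missing header: accepted, so the check fails open
    }
    $refererHost = (string) parse_url($referer, PHP_URL_HOST);
    return strcmp(trim($myDomain), trim($refererHost)) === 0;
}

// One random token per session, embedded as a hidden field in each form.
function issueToken(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Fails closed: no matching token, no action, with or without a Referer.
function tokenCheck(array $session, array $post): bool {
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

$session = []; // stands in for $_SESSION so the script runs from the CLI
$token   = issueToken($session);
$host    = ['HTTP_HOST' => 'cms.example'];
$cases   = [
    'own form, no Referer'     => [$host, ['csrf_token' => $token]],
    'foreign form, no Referer' => [$host, []],
    'foreign form, Referer'    => [$host + ['HTTP_REFERER' => 'https://other.example/p'], []],
];
foreach ($cases as $label => list($server, $post)) {
    printf("%-26s referer=%s token=%s\n", $label,
        var_export(refererCheck($server), true),
        var_export(tokenCheck($session, $post), true));
}
```

The second case is the one that matters: the Referer check accepts it, while the token check rejects it without locking out a legitimate admin whose browser strips the header.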