1 (edited by lexazloy 2008-04-12 23:03)

Topic: [extension release] Domain.PunBB

upd version 0.5.

This extension is for making a new forum without copying files, with one DB for all users, posts, topics, etc.

I.e. you have the domain example.com and some subdomains like 1.example.com, 2.example.com, 3.example.com, and each domain has a forum. One domain, one copy of PunBB. This sucks. I know because I have it.

Ok, in my opinion a good idea is to select for every other subdomain some categories from the first domain (the main copy of PunBB). Install the first and only copy on example.com and use that copy everywhere.

http://www.punres.org/files.php?pid=502

1) Copy the files from the "upload" folder to your PunBB directory.
2) Copy the files from the "extras" folder to your (sub)domain directory and in index.php change the path to your PunBB directory.
3) Set permissions 0777 on the folder "extensions/domain/config".
4) In 0.5 the admin panel has a simple domain settings manager: add domain, edit, delete. Use it to make the settings.

I know of a bug with quick jump. Need to add something to the var $pun_user['g_id'] (footer.php). But it's wrong.

Royal Crown Chinpoko Master, ^_^

2 (edited by lexazloy 2008-04-11 23:06)

Re: [extension release] Domain.PunBB

One bug with the security token. I don't know how to make it work without clicking "confirm". Any ideas?

upd: fixed in 0.3.

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

Do not use this code on a live site. Just in a quick glance at it I can see it opens a site up to the execution of arbitrary PHP files.

Also, just as a general compatibility note, do not use PHP short tags (<?).

And if you're not sure how to use the CSRF prevention system, take a look at how PunBB uses it. wink

Re: [extension release] Domain.PunBB

Do not use this code on a live site. Just in a quick glance at it I can see it opens a site up to the execution of arbitrary PHP files.

Where?

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

if (is_file($file = PUN_ROOT.$_GET['file']))

Re: [extension release] Domain.PunBB

And... And what? The constant PUN_ROOT is defined before and is a local path.

If you say "it's XSS" you need to check it first. Ok? wink

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

lexazloy: Please don't be rude, I do know what I'm talking about. wink
Prefixing the path with PUN_ROOT just means you need a relative path to the file, it doesn't mean that you're secure. I can put ../../../etc/passwd in there and, assuming I have a layout like /home/smartys/example.com/index.php, the script would obediently load the content of /etc/passwd. Or a malicious script that I uploaded, embedded within an avatar: that would be something like images/avatars/5573.png

Re: [extension release] Domain.PunBB

You're right. sad I'll fix it now.

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

Ok. I updated my first post.

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

Does that now break things like accessing the admin panel?

Re: [extension release] Domain.PunBB

Sorry, I don't understand what you say. My English is very bad.

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

Looking at the code, it seems like it won't act properly for URLs like http://example.com/admin/index.php: is that true?

Re: [extension release] Domain.PunBB

sad
Need sleep. Two stupid errors per day.

Fix now.

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

I updated my first post.

Cool now? smile

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

Well, no, the problem is that I could really put an arbitrary number of subdirectories in there and try to use it (eg: admin/index.php, extensions/sample_extension/some_file.php, extensions/sample_extension/some_other_file.html, etc). I don't think there's a clean solution to the problem, really, other than defining some allowed extensions (eg: .php, .htm, .html) and only allowing loading if the file ends in those as well (of course, you probably also need to check for null bytes).

Re: [extension release] Domain.PunBB

Hm. How about a simple check like this:

if (
    is_bool(strpos($_GET['file'], '..')) and
    is_file($file = PUN_ROOT.$_GET['file']) and
    in_array(strrchr($_GET['file'], '.'), array('.php', '.html', '.htm', '.tpl', '.txt', '.xml'))
)
    include $file;
else
    include PUN_ROOT.'index.php';

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

Well, I would write it as:

if (strpos($_GET['file'], '..') === false && is_file($file = PUN_ROOT.$_GET['file']) && in_array(strrchr($_GET['file'], '.'), array('.php', '.html', '.htm', '.tpl', '.txt', '.xml')))
    include $file;
else
    include PUN_ROOT.'index.php';

and also make sure there's no null byte (I can't remember if it could be abused in this case, but I'm relatively sure it could). It still wouldn't be extremely secure, since if I can upload any of those file types I can execute arbitrary PHP on the server.
A better solution might be to see if mod_rewrite can rewrite the requests to the correct folder and append a variable to the query string like "subdomain=test.example.com" which you could then use in a lookup.

Re: [extension release] Domain.PunBB

Yes, I thought about it (a new mod_rewrite rule) too.

Make in the admin panel a new menu "domains" with a textarea and a comma-separated list of domains. Or, like a new menu made in PunBB:

domain = categories list

With a newline separator. And if the domain exists in the domains list, append "subdomain=test.example.com&category=categories list".

Tomorrow I'll test it.

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

I was thinking more along the lines of redoing the extension so it goes something like this:

I own example.com. I want to run two sites, 1.example.com and 2.example.com.
I have one set of files somewhere (not in either folder). I then put a .htaccess in the folder for each site that redirects the request to the real PunBB folder and appends the subdomain= part to the query string.
In the folder for the extension, I have a configs folder. I check if the basename of the subdomain passed exists, and if it does I use that config file. You could have your extension read in its own files in the admin panel to allow editing them/creating new ones.

Does that make sense?

Re: [extension release] Domain.PunBB

Yes. But without an admin panel for each domain, only on the main copy. Or make a "global get" of $_POST and if it is the main copy write to the database, if it is a subdomain copy to a special config file. But I don't know how good an idea it is to make a directory like extensions/domain/config with rights 0777.

I have in extensions/domain/config saved configs for subdomains like 1.example.com.php, and if the address has ?domain=1.example.com.php, check and include:

if (is_file($file = dirname(__file__).'/config/'.$_GET['domain'].'.php'))
    include $file;
else
    return;

$pun_domain['base_url'] = 'http://'.$_GET['domain'];
$pun_domain['category'] = $_GET['category'];

And in the admin panel (main copy) make a submenu for generating empty config files:

1.example.com.php
2.example.com.php

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

I wasn't thinking about having admin/options.php save to a different location, but you're right, that probably would be easiest.
And your folder would be no different than PunBB's cache folder. It doesn't have to be 777, PHP just needs permission to write there.

And I like your code, other than the fact that you're again taking arbitrary input from the user ($_GET['domain']) and using it in an include, which is a security flaw.

Re: [extension release] Domain.PunBB

You also do need to check for the null byte.
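
A hardened version of the two include checks discussed in this thread, as an added example (not the extension's code and not from any poster): the page-file lookup refuses traversal, null bytes and symlink escapes by comparing realpath() results, and the subdomain-to-config lookup accepts only a strict hostname shape, so no user-supplied string reaches include as a raw path. It assumes PUN_ROOT is defined as in PunBB, that a mod_rewrite rule supplies the subdomain= parameter Smartys proposed, and the function names and config directory are my own.

```php
<?php
// Added example; not part of Domain.PunBB. Assumes PUN_ROOT is the forum root
// (as defined by PunBB) and CONFIG_DIR is the extension's config folder.

// Resolve a requested file under $root, or return null if any check fails.
function resolve_page_file($requested, $root, array $allowed_ext)
{
    // Reject empty input, null bytes and '..' before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '..') !== false) {
        return null;
    }
    // Extension allow list. Keep it to types users cannot upload: including
    // an uploadable type (.txt, .xml) lets uploaded PHP run, as noted above.
    $ext = strrchr($requested, '.');
    if ($ext === false || !in_array(strtolower($ext), $allowed_ext, true)) {
        return null;
    }
    $root_real = realpath($root);
    $file_real = realpath(rtrim($root, '/') . '/' . ltrim($requested, '/'));
    if ($root_real === false || $file_real === false || !is_file($file_real)) {
        return null;
    }
    // realpath() follows symlinks, so the canonical path must still sit
    // inside the canonical root; this also catches symlinked avatars.
    if (strpos($file_real, $root_real . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file_real;
}

// Map a subdomain (e.g. from the mod_rewrite "subdomain=" parameter) to
// its config file. Only a strict hostname shape passes, so '/', '..' and
// null bytes can never form part of the included path.
function resolve_domain_config($subdomain, $config_dir)
{
    $subdomain = strtolower($subdomain);
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^' . $label . '(\.' . $label . ')+$/', $subdomain)) {
        return null;
    }
    $file = rtrim($config_dir, '/') . '/' . $subdomain . '.php';
    return is_file($file) ? $file : null;
}

// Usage: fall back to the forum index when the request fails the checks.
$page = resolve_page_file(isset($_GET['file']) ? $_GET['file'] : '',
                          PUN_ROOT, array('.php'));
$target = ($page !== null) ? $page : rtrim(PUN_ROOT, '/') . '/index.php';
include $target;
```

The same pattern applies to the domain lookup: call resolve_domain_config($_GET['subdomain'], CONFIG_DIR) and include only a non-null result, returning early otherwise as the original snippet does.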

Re: [extension release] Domain.PunBB

Thank you. smile
$_GET['domain'] is just an example.

Ok. Tomorrow I'll make the first version. And now I go to sleep. Thank you for the help!

Royal Crown Chinpoko Master, ^_^

Re: [extension release] Domain.PunBB

Well, thank you for being so responsive and for developing such an interesting extension smile

Re: [extension release] Domain.PunBB

Can you put all the updates with the extension in a file and post it on punres?

MyFootballCafe.com  is Now Online!