Fiji Web Design
TOPIC: Linking to Pages
#190
linus (User)
Linking to Pages (3 Years, 4 Months ago)
/**
 * Custom
 */
// Assumes it runs in the component's main file (Joomla 1.5), where
// $Itemid and $mainframe are already in scope.
if (!$Itemid) {
    $base_dir = realpath(JPATH_ROOT.'/components/com_php/files/');
    $my_file  = base64_decode(JRequest::getVar('f', 0));
    $path     = JPATH_ROOT.'/components/com_php/files/'.$my_file;

    /** Security measure to prevent file injection **/
    /** Thank you to Gabe from Fiji Web Design     **/
    // realpath() collapses "../" segments, so the file is only accepted when its
    // resolved parent directory is exactly files/. Note that realpath() returns
    // false for a file that does not exist, so a missing or bad 'f' parameter
    // also ends up here and is reported as an attempt.
    if (dirname(realpath($path)) != $base_dir) {
        // get all super administrators
        $db =& JFactory::getDBO();
        $query = 'SELECT name, email, sendEmail' .
                 ' FROM #__users' .
                 ' WHERE LOWER( usertype ) = "super administrator"';
        $db->setQuery($query);
        $rows = $db->loadObjectList();

        $sitename = $mainframe->getCfg('sitename');
        // $mailfrom and $fromname are read but not used; the sender is set by hand below
        $mailfrom = $mainframe->getCfg('mailfrom');
        $fromname = $mainframe->getCfg('fromname');

        // message shown to the requester
        $msg  = "<pre><h1>Illegal file detected.</h1><br>";
        $msg .= "<h3>An email has been dispatched to the administrator with the following information.</h3><br><br>";
        $msg .= "   <b>File:</b> " . realpath($path) . "<br>";
        $msg .= "   <b>Time:</b> " . date("m-d-Y h:i:s") . "<br>";
        $msg .= "<b>Your IP:</b> " . $_SERVER['REMOTE_ADDR'] . "<br></pre>";

        // HTML body of the notification sent to the super administrators
        $bdy  = "<html><head><title>Illegal File Injection</title></head><body style='color: black; background: white;'><pre>";
        $bdy .= "Hello Admin,\n\n";
        $bdy .= "An illegal file has been attempted to be injected into your site. Below you will find some security information.\n\n";
        $bdy .= "<b>File:</b> " . realpath($path) . "\n";
        $bdy .= "<b>Time:</b> " . date("m-d-Y h:i:s") . "\n";
        $bdy .= "<b>  IP:</b> " . $_SERVER['REMOTE_ADDR'] . "</pre></body></html>";

        $message =& JFactory::getMailer();
        $message->setSubject('Illegal file attempt for ' . $sitename);
        $message->setBody($bdy);
        $message->ContentType = "text/html";
        // placeholder sender address; replace with one valid for your site
        $sender = array('Me'.'@'.'Website.com', 'Administrator');
        $message->setSender($sender);

        // add every super administrator who has opted in to system emails
        foreach ($rows as $row) {
            if ($row->sendEmail) {
                $message->addRecipient($row->email);
            }
        }
        $sent = $message->send();
        if ($sent != 1) echo 'Error sending email';
        die($msg);
    }
}
This code goes after:
// header
if ($show_header) {
	echo '<h1 class="componentheading">' . $header . '</h1>';
}
To link to a page using this just base64_encode the file name without path information and send it in the URL: index.php?option=com_php&f=Li4vLi4vLi4vLi4vLi4vLi4vLi4vYmYudmJz
Last Edit: 2008/09/21 11:17 By admin.
#1502
billthecat (User)
Re: Linking to Pages (8 Months, 1 Week ago)
Nevermind, I changed a couple of things to make it work for me...

$my_file  = JRequest::getVar('f', 0);
$realfile = $my_file.".php";
$path     = JPATH_ROOT.'/components/com_php/files/'.$realfile;
Now I can have URLs like 'index.php?option=com_php&f=myfilename', instead of the base64 encoded ending.
Last Edit: 2011/06/06 14:38 By billthecat.
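Added example, not code from either post or from com_php: a stand-alone, hardened form of the directory check from linus's post, using the plain-name-plus-.php convention from billthecat's reply. It goes beyond the original by accepting pages in subdirectories of files/ and by treating a missing file as a plain rejection rather than an attack. It assumes no Joomla at all: resolve_page_file() is a name chosen here, and a temporary directory the script creates stands in for JPATH_ROOT.'/components/com_php/files/'.

```php
<?php
/**
 * Return the absolute path of a .php page under $baseDir, or null to reject.
 * Rejects traversal, symlinks leaving the base, missing files, non-.php names.
 */
function resolve_page_file(string $baseDir, string $requested): ?string
{
    // Normalise the base first; realpath() returns false if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Refuse empty names and embedded NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks, so a path that escapes
    // the base no longer shares its prefix. A missing file yields false, which
    // the original check turned into dirname(false) and reported as an attack.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false) {
        return null;
    }
    // Compare against base plus separator so a sibling such as "files_old"
    // cannot pass merely by sharing the "files" prefix.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only regular .php files are ever handed to include().
    if (!is_file($resolved) || substr($resolved, -4) !== '.php') {
        return null;
    }
    return $resolved;
}

// Constructed demo tree standing in for JPATH_ROOT/components/com_php/files/.
$tmp = sys_get_temp_dir() . '/com_php_demo_' . getmypid();
mkdir($tmp . '/files/sub', 0700, true);
file_put_contents($tmp . '/files/page.php', "<?php echo 'page';");
file_put_contents($tmp . '/files/sub/inner.php', "<?php echo 'inner';");
file_put_contents($tmp . '/outside.php', "<?php echo 'never served';");

$filesDir = $tmp . '/files';
var_dump(resolve_page_file($filesDir, 'page.php'));        // plain page
var_dump(resolve_page_file($filesDir, 'sub/inner.php'));   // page in a subdirectory
var_dump(resolve_page_file($filesDir, '../outside.php'));  // sibling of files/
var_dump(resolve_page_file($filesDir, 'page.txt'));        // wrong extension
```

The first two calls return absolute paths inside files/ and the last two return null; in the real component only a non-null result would ever be passed to include().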