Markdown CMS bypasses htaccess file - content-management-system

I'm using Pico CMS, a small markdown project - http://pico.dev7studios.com/- installed and running good, however I am trying to password protect a folder with htaccess file but the cms is bypassing this and showing the file I call in the browser.
The funny thing is that the url for the file does not contain the "content" folder which is where all the files/pages are stored. All the other folders are contained in the url. This is the only reason that I can find to explain what's happening.
If I manually enter the url to that same folder, which is password protected, which includes the "content" folder in it's path, then I get the htaccess auth window showing. This proves the htaccess file is being read, but not when the CMS accesses it. Can anyone explain why and how to force the folder to be protected when I call any page with the browser.

If you open up a Pico site, your request is redirected to the index.php file (via mod_rewrite). That's why the "content" folder does not show up in the url.
That's also the reason why you are not asked for a password. The index.php file does not have to pass the htaccess auth to get to the *.md files.
Read this for a bigger picture:
https://stackoverflow.com/a/10923542/3294973
This plugin may be interesting to you:
https://github.com/jbleuzen/Pico-Private
Unfortunately, it can't protect only part of the website at this point.
Protecting single pages is now possible. (Check my GitHub Fork)

Related

XAMPP - how to set root folder of website in htdocs?

I installed XAMPP and created simple website (a folder 'website' in htdocs folder) that contains a link Info.
If I type localhost/website in browser I get a default homepage. But if I click the link, it goes to localhost/info (which does not exist), instead of localhost/website/info. I could use <a href="/website/info">, but it would be weird to refactor all the links when changing site name.
So what is the usual setting or solution that people uses when developing sites in XAMPP?
You have to change DocumentRoot in httpd.conf file to folder. In your example where you have website directory.
For more sites, you have to have more hosts and then set virtual hosts.
Here is link how to do that in Win. But point is the same in all OS.

installation of zen-cart 1.5: renaming admin folder and redirect error

I installing Zen Cart v1.5, and am at the last steps of the process where I'm required to rename the admin folder. I renamed the folder, and tried to access the admin section by manually typing in the address with the renamed folder. However, it keeps trying to redirect back to the original admin url, giving me the following error:
The requested URL /admin/alert_page.php was not found on this server.
(alert.php is just the page that warns me I need to rename the admin folder -- it's trying to redirect back to this page, even though I renamed the folder.)
This seems to indicate some error with a config file, though the instructions for installation explicitly said that with the current version, it is not necessary to change the config files. (Though, just for good measure I examined the includes/configuration.php file to see if there was an admin folder value I could set, but didn't see any).
I also reloaded the browser cache, to no avail.
Based on where your root zen-cart is installed, you'll want to edit your configure.php file which holds the path to tell Zen cart where the 'ADMIN' directory is located.
For example, I renamed my admin folder to 'control', so I would look for the configure.php file at:
/home/user/public_html/control/includes/configure.php
Look for the defines:
define('DIR_WS_ADMIN', '/admin/');
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_ADMIN', '/admin/');
define('DIR_WS_HTTPS_CATALOG', '/');
You'll want to change this to reflect the new folder name you renamed your ADMIN folder to:
define('DIR_WS_ADMIN', '/control/');
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_ADMIN', '/control/');
define('DIR_WS_HTTPS_CATALOG', '/');
Hope this helps.
Same question and solution for it!
https://www.zen-cart.com/showthread.php?203681-it-doesn-t-work-after-I-renamed-admin-folder-name

Expression Engine Site hacked - Locate redirect

I have an Expression Engine website of I try to clean up. The database has been given many new users so it seems the database has been hacked / links added. One mayor issue is that the site when clicked in Google is being bypassed. All visitors are being redirected to another website. Here is the search : http://tinyurl.com/72nzutj . First site is the one in question.. The site they are redirected to is http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555
I have been trying to find this redirect in all files and the database, but I have had no luck. It is not a .htaccess redirect, that I have checked and confirmed. But I have not been able to locate a JScript or PHP redirect in the files nor database as of yet.. Probably well hidden because of a base64 or packed encryption. Ideas?
NB no clean database version available
The redirects are happening from a compromise to your site's .htaccess file, and are only affecting clickthrus from popular search engines. Accessing the site directly has no effect, and helps keep the malware from being detected.
Look for the following code in your site's directory and remove it:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
</IfModule>
You may need to view "hidden files" in your FTP client or use ls -al from the command line to view your .htaccess file.
After you've got the problem fixed, you'll want to make sure you're running the most recent version of ExpressionEngine (EE 1.7.1 or EE 2.3.1 as of this writing), as well as any third-party Add-Ons.
Auditing your server's access_logs may help identify the vulnerability that led to the compromise, and looking at the modification timestamp on the files in your website directory.
A variant of this attack has already affected many WordPress installations, whereby a tiny base64_encoded JavaScript snippet was added just before the closing </body> tag, which lead to visitors being served a malware-infected Adobe Flash Player download.
Ask your web host. It seems that incoming visitors with a referrer other than the site are redirected but pasting your website (no referrer) directly into the location bar works.
This question is better off at ServerFault or ITSecurity.

Change document-root on Shared-host?

When you deploy a Zend Framework website to a shared host, you usually cannot change the DocumentRoot to point at the public/ folder of the website. As a result the URL to the website is now http://www.example.com/public/.
Apart from choosing a proper host..there's any workaround?
thanks
Luca
If you have access to directories above public, you can put all non public files there.
Otherwise, you can put everything in a subdirectory, and block access to it with an .htaccess file.

Problems with setting the path for Zend framework, needed for Youtube API

I copied & pasted this text here. It seems the editor seems to format some parts randomly. ;)
I downloaded ZendGdata 1.9.6, extracted it & uploaded it to my site's
root folder ..., which I need for use with Youtube API to get videos onto my site.
I must say I’m new to all this, and so I would appreciate taking this into account.
The library folder is at /ZendGdata/library.
The problem I'm having is Step. 3 when I follow instructions
(http://code.google.com/intl/de-DE/apis/gdata/articles/php_client_lib.html#gdata-installation)
for setting it up for that purpose.
Download the Google Data Client Library files.
Decompress the downloaded files. Four sub-directories should be
created:
demos — Sample applications
documentation — Documentation for the client library files
library — The actual client library source files.
tests — Unit-test files for automated testing.
Add the location of the library folder to your PHP path (see the next section)
One of the suggested locations to add the path, apart from the .htaccess file is in php.ini.
My site is on shared hosting. I have no access to the main php.ini file, but I’m allow to create one if I need one. For Drupal CMS, for some functions, it suffices placing one in the root folder.
I added this line:
include_path=".:/usr/lib/php:/usr/local/lib/php:/home/habaris6/
public_html/site.root.folder/ZendGdata/library";
When I however go to mysite.com/ZendGdata/demos/Zend/Gdata/InstallationChecker.php to test the set up, like is mentioned in the
documentation on Youtube, I get the error:
PHP Extension ErrorsTested No errors found
Zend Framework Installation Errors: Tested 0
Exception thrown trying to access Zend/Loader.php using 'use_include_path' = true.
Make sure you include Zend Framework in your include_path which currently
contains: .:/usr/lib/php:/usr/local/lib/php
SSL Capabilities Errors: Not tested
YouTube API Connectivity Errors: Not tested
So my question is: Is that the correct way to “Add the location of the library folder to your PHP path” ?
I’m a bit mixed up.
Someone was saying the php.ini file is only active in the folder where it is located. If that is the case, which of the ZendGdata folders should have it?
As I said, my purpose is to have a the Zend framework properly set up to allow using Youtube API, something I also yet have to learn to do.
In Youtube API Google group, I was referred here. The documentation coming with the downloaded file & at zend.com pre-supposes, one knows much more than some beginners like me.
Another person said I try placing this
$clientLibraryPath = '/home/habaris6/public_html/site.root.folder/ZendGdata/library';
$oldPath = set_include_path(get_include_path() . PATH_SEPARATOR . $clientLibraryPath);
in mysite.com/ZendGdata/demos/Zend/Gdata/InstallationChecker.php
Whereas everything I had tried before failed, except fot the first test, when I placed the above snippet in the installation checker, I got positive tests for everything:
Ran PHP Installation Checker on 2009-12-09T21:16:08+00:00
PHP Extension ErrorsTested: No errors found
Zend Framework Installation Errors Tested No errors found
SSL Capabilities ErrorsTested No errors found
YouTube API Connectivity ErrorsTested No errors found
Does it mean if I place that snippet in install checker, all scripts needing the library can access it?
If not, please let me know what exactly to place in the self-made php.ini & in which folder(s) it should be.
Should that not work, and I were to use .htaccess files, what exactly, based on the folders mentioned above should be the content & exactly which folders should they be in? I read that the .htaccess files should be placed in each folder. Does it really mean I should place one in each of the ZendGdata folders?
I would be grateful for any guidance enabling me to finally start, after failing to sufficient get responses elsewhere.
Thanks in advance.
It's not necessary to put all the ZendGdata code under your website document root. In fact, as a rule I don't put PHP class libraries in a location that can be accessed directly by web requests, because if there's any way to do mischief by invoking the class files directly, then anyone can do it.
Instead, put libraries outside your document root and then reference them from scripts that are run directly. For example, you could create a directory phplib as a sister to your public_html directory. Then upload the ZendGdata bundle under that phplib directory.
You can set your PHP include path in a .htaccess file. You don't need to create a .htaccess file in every directory, because the directives in any .htaccess file apply to all files and directories under the directory where the .htaccess resides. See http://httpd.apache.org/docs/2.2/howto/htaccess.html for more information.
So I would recommend creating a .htaccess file at /home/habaris6/public_html/site.root.folder containing the following directives:
<IfModule mod_php5.c>
php_value include_path ".:/usr/local/lib/php:/home/habaris6/phplib/ZendGdata/library"
</IfModule>
See http://php.net/manual/en/configuration.changes.php for more info on this.
Note that this assumes your webhosting company allows you to use .htaccess files, and that they allow you to use the php_value directive in .htaccess files. Enabling these options is an Apache configuration and they could have their own policies against that for reasons of performance or security. You should contact them for this answer; no one on the internet can answer questions about your hosting provider's policies.
If you choose to use the set_include_path() PHP function to append a directory to your runtime include path, you need to do this in each file that serves as a landing point for a web request. That is, if you permit a request to be made directly to foo.php then you need to add the code to foo.php. Any files or classes subsequently included by foo.php use the include path you defined.
Note also that whatever method you use to define the include path, it has to take effect before your script tries to load any PHP class files via the include path. The .htaccess method should accomplish this, and if you use the code method you just have to put the code high enough in your PHP script.
I don't use the method of creating a custom php.ini file under each directory within your site document tree. That's a new feature of PHP 5.3.0, not supported by earlier versions of PHP. If you're using Apache you should just use .htaccess for the same effect.