Hi,
Firstly, this is a brilliant project. Great stuff, guys!
I'm sorry that I can't follow conventional means of addressing this problem, as you will see later on. This may be a normal thing but I really doubt it and I have searched for a few hours here and online (including messing around with the settings such as debug being on and off etc).
The problem I'm experiencing occurred when I was having a look at the source code appearance for CSS/HTML purposes for possible new skin designs, when I stumbled across a seemingly misplaced PHP script inside the HTML. This appeared in the source code of the live website while logged in as admin on the admin page... it was an array containing uncensored user-name, name and passwords for not only my account but my database as well (that includes host name, port, etc.). It looks like this (there's soooo much sensitive data in there that I'm editing all values, so please tell me if anything could help from it and isn't the key into my system):
<link rel="stylesheet" type="text/css" href="skins/Zenlike/style.css"></head>
<!-- $_SESSION
Array
(
    [language] => english
    [xsfr] => 1
    [token_admin_links_edit] => ******************************
    [token_time_admin_links_edit] => ****
    [token_category_manager] => ***************************
    [token_time_category_manager] => ****
    [default] => Array
        (
            [session.timer.start] => ****
            [session.timer.current] => ****
            [session.timer.finish] => ****
            [session.counter] => 1
        )
    [installation] => Array
        (
            [config.db] => Array
                (
                    [hostname] => .***.*.
                    [hostport] => *
                    [username] => *******
                    [userpass] => ****
                    [database] => ****
                )
            [config.site] => Array
                (
                    [sitetitle] => *meh, not telling where the security flaw but the server's 403 it**
                    [adminemail] => *********
                    [adminpsswd] => ******
                )
        )
    [_useruid] => 1
    [_salt] => **************************
    [***_skin] => Zenlike
    [***_useruid] => 1
    [***_salt] => **************************
)
-->
<!-- $_COOKIE
Array
(
    [PHPSESSID] => ********************
    [mnm_user] => ********
    [mnm_key] => ***************************************************
)
-->
<!-- $_POST
Array
(
)
-->
<!-- SELECT * FROM fanfiction_categories ORDER BY leveldown, displayorder -->
<!-- SELECT charname, catid, charid FROM fanfiction_characters ORDER BY charname -->
<!-- SELECT * FROM fanfiction_classes ORDER BY class_name -->
<!-- SELECT * FROM fanfiction_classtypes ORDER BY classtype_name -->
<!-- SELECT * FROM fanfiction_ratings -->
<!-- SELECT * from fanfiction_pagelinks ORDER BY link_access ASC -->
<!-- SELECT message_text FROM fanfiction_messages WHERE message_name = 'copyright' LIMIT 1 -->
<!-- SELECT categories FROM fanfiction_authorprefs WHERE uid = '1' LIMIT 1 -->
<!-- SELECT * FROM fanfiction_panels WHERE panel_hidden != '1' AND panel_type = 'A' AND panel_level >= 1 ORDER BY panel_level DESC, panel_order ASC, panel_title ASC -->
<!-- SELECT * FROM fanfiction_panels WHERE panel_name = 'settings' AND panel_type = 'A' LIMIT 1 -->
<!-- SELECT * FROM fanfiction_panels WHERE panel_type = 'AS' ORDER BY panel_title -->
<!-- SELECT * FROM ******_fanfiction_settings WHERE sitekey ='****' -->
<body>
All of the areas that have been censored were uncensored information that I got on the website through View Source in the Google Chrome web browser (for things that were censored and weren't usernames or passwords etc., I have put the same number of * as characters)... I've already tested on a new user without admin rights and they get the site key and cookie array but (luckily) not the database stuff. I had lots of problems installing the site, as step 2 installed the tables but came to a blank screen when filling out the information, so I entered the information into my database manually... I also experienced a problem where my 'admin account' after installation wasn't admin until I changed the number in authorprefs...
I can supply more information as needed but I'm just not sure atm what is and isn't sensitive information.
Thank you for any help you may be able to provide,
Regards,
lj007
Sorry about that,
after moving on to something else with the site I have discovered that it is the debugging information, but that when I turn it off, it takes a couple of pages and login/logouts before it comes into effect. Well, I suppose anyone else searching for this problem will now know the answer lol
But still, is debugging supposed to put the database passwords etc. on there?
Thanks and sorry for that again,
lj007
You must have something else running on your site. That's information being put into the $_SESSION variables for your site, and that's NOT being set by eFiction. However, since it's the $_SESSION variable, anything running on your site has access to it. That script is the insecure one. I also edited your original post to remove your sitekey and settings table prefix info. I'd suggest that if you're worried about security, you also install using a table prefix.
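A small check for the kind of leak described in this thread: debug output dumping $_SESSION, $_COOKIE and raw SQL into HTML comments. This is an added example, not code from eFiction or from anyone in the thread; the HTML fragment is constructed with placeholder values, and the list of "sensitive-looking" key fragments is an assumption you can extend.

```python
import re

# Constructed sample resembling the page source pasted above (placeholder values, no real secrets).
SAMPLE_HTML = """<link rel="stylesheet" type="text/css" href="skins/Zenlike/style.css"></head>
<!-- $_SESSION
Array
(
    [language] => english
    [installation] => Array
        (
            [config.db] => Array
                (
                    [hostname] => 127.0.0.1
                    [username] => dbuser
                    [userpass] => PLACEHOLDER
                )
        )
    [_salt] => PLACEHOLDER
)
-->
<!-- $_COOKIE
Array
(
    [PHPSESSID] => PLACEHOLDER
    [mnm_key] => PLACEHOLDER
)
-->
<!-- SELECT * FROM fanfiction_settings WHERE sitekey ='PLACEHOLDER' -->
<body>"""

# An HTML comment that starts with a PHP superglobal name, followed by print_r-style output.
DUMP_RE = re.compile(r"<!--\s*(\$_(?:SESSION|COOKIE|POST|GET|SERVER))\b(.*?)-->", re.S)
# print_r keys look like "[name] =>".
KEY_RE = re.compile(r"\[([^\]]+)\]\s*=>")
# An HTML comment containing a bare SQL statement.
SQL_RE = re.compile(r"<!--\s*((?:SELECT|INSERT|UPDATE|DELETE)\b.*?)-->", re.I | re.S)
# Assumed list of key fragments that usually mean credentials or session material.
SENSITIVE = ("pass", "pswd", "salt", "key", "sessid", "token")

def find_debug_leaks(html):
    """Return (superglobal, key) for every dumped key that looks sensitive,
    plus ('sql', statement) for each SQL query echoed into a comment."""
    findings = []
    for m in DUMP_RE.finditer(html):
        var, body = m.group(1), m.group(2)
        for key in KEY_RE.findall(body):
            if any(frag in key.lower() for frag in SENSITIVE):
                findings.append((var, key))
    for m in SQL_RE.finditer(html):
        findings.append(("sql", " ".join(m.group(1).split())))
    return findings
```

Run it against the saved page source after turning debugging off (and after a fresh login, given the delay lj007 describes); an empty list is the expected result.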
