derek765
Regular
Joined: Sep 27, 2012
Posts: 99
Location: Okinawa, Japan
Posted: Sat Dec 22, 2012 1:14 am
Was browsing and studying some of RavenNuke's coding and came by this in /modules/Your_Account/includes/constants.php:
Code:
if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
header('Location: index.php');
exit('Access Denied');
}
//define('RNYA_DOMAINNAME', 'underground-king.com');
//if (($_SERVER['SERVER_NAME'] != RNYA_DOMAINNAME OR $_SERVER['SERVER_NAME'] != RNYA_DOMAINNAME) AND RNYA_DOMAINNAME != '') {exit();}
define('RNYA', true);
?>
Now I uncommented the define and if, and refreshed my website and I got the white screen of death.
Now what I would like to know, how is this providing any extra protection via Your_Account, and what is causing the white screen?
spasticdonkey
RavenNuke(tm) Development Team
Joined: Dec 02, 2006
Posts: 1693
Location: Texas, USA
Posted: Sat Dec 22, 2012 2:12 am
If you are testing this locally, it should produce a white page as the domain does not match, i.e.
define('RNYA_DOMAINNAME', 'localhost');
I tried it on a live site and didn't have any issues, but I don't use www in the url. You could try to echo the value of
echo $_SERVER['SERVER_NAME'];
somewhere (not within that file) as that is what should be defined. It just adds extra security of making sure the module is not somehow being accessed from a remote site (XSS). There are other such protections built-in so I'm not sure it's really necessary. But if you like extra security you should be able to get it working... The white screen is a result of the exit() before any code is rendered, as for some reason the $_SERVER['SERVER_NAME'] and RNYA_DOMAINNAME are not matching for you.
It may be code that was ported/modded from the original CNBYA, but I checked our logs and they don't go back far enough to see the changes to that file; as we lost them a couple years back due to technical issues with our SVN.
Not exactly sure why the OR statement is there because it looks like the same condition twice, but that shouldn't produce a white page.
derek765
Posted: Sat Dec 22, 2012 2:27 am
Where would I echo the value?
spasticdonkey
Posted: Sat Dec 22, 2012 2:54 am
Anywhere html is normally rendered. Doing it within that file is too early as the <body> tag is not open yet. I would probably just add it to my theme somewhere temporarily. For instance somewhere in themefooter() or themeheader(). I'm guessing the instructions are incorrect and www should be included. Assuming I'm correct, just make sure you are forcing www on your site address or it will cause problems if accessed without. I believe that setting is in sentinel or possibly preferences if not there.
derek765
Posted: Sat Dec 22, 2012 6:12 am
Well,
I just added www. to the domain without echoing the value anywhere and now my website loads just fine, guessing that fixed all issues?
Final results:
Code:
if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
header('Location: index.php');
exit('Access Denied');
}
/**
* enter your domain name here to add an extra layer of protection or leave blank.
* example shows how to use this with a subdomain
* define("RNYA_DOMAINNAME", "wwww.yourdomain.com");
* no www or http just the domain name
* remove the '//' from the next two lines and insert your domain name for additional security
* (don't put 'http://' in front of it, your domain name only!
*/
define('RNYA_DOMAINNAME', 'www.underground-king.com');
if (($_SERVER['SERVER_NAME'] != RNYA_DOMAINNAME OR $_SERVER['SERVER_NAME'] != RNYA_DOMAINNAME) AND RNYA_DOMAINNAME != '') {exit();}
define('RNYA', true);
?>
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sat Dec 22, 2012 3:43 pm
BTW, I do not recall exactly why that is in there, but I believe it has something to do with our AJAX components in RNYA. So I suspect that it is trying to reduce chances to exploit that. But, I hadn't looked at it in a very long time. I believe kguske did the most work on RNYA when AJAX was introduced.
spasticdonkey
Posted: Sat Dec 22, 2012 5:30 pm
If anyone else gets into trying this, make sure you either have Force Nuke URL: Yes in NukeSentinel or use other methods to make sure your site cannot be accessed both with and without www. (.htaccess has methods for this too, which can be found on Google.)
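The host check discussed in this thread, as an added example that is not part of any post and is not RavenNuke's own code: it reproduces the guard's decision with the duplicated OR operand dropped, and replaces the bare exit() with a logged 403 so a mismatch does not show up as an unexplained blank page. The function names rnya_host_allowed() and rnya_guard() are hypothetical, the host list is constructed from the names mentioned above, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration, not RavenNuke code: rnya_host_allowed() and
// rnya_guard() are hypothetical names. Assumes PHP 7.1+.

// Same decision as the guard in constants.php with the duplicated OR
// operand dropped: an empty configured name disables the check,
// otherwise SERVER_NAME must equal it exactly (so "www." matters).
function rnya_host_allowed(string $serverName, string $configured): bool
{
    return $configured === '' || $serverName === $configured;
}

// Fails closed like the original, but answers 403 and writes a log
// line instead of a bare exit(), so a mismatch is not a silent blank page.
function rnya_guard(string $serverName, string $configured): void
{
    if (rnya_host_allowed($serverName, $configured)) {
        return;
    }
    // SERVER_NAME can reflect the request's Host header depending on the
    // web-server configuration, so escape control bytes before logging.
    $seen = addcslashes($serverName, "\0..\37\177..\377");
    error_log("RNYA host check failed: got '$seen', expected '$configured'");
    http_response_code(403);
    exit('Access Denied');
}

// In a web request the call would be:
//   rnya_guard($_SERVER['SERVER_NAME'], RNYA_DOMAINNAME);

// Constructed sample run from the command line: each host mentioned in
// the thread against the two values tried for RNYA_DOMAINNAME.
if (PHP_SAPI === 'cli') {
    $hosts = ['localhost', 'underground-king.com', 'www.underground-king.com'];
    foreach (['underground-king.com', 'www.underground-king.com'] as $configured) {
        foreach ($hosts as $host) {
            $verdict = rnya_host_allowed($host, $configured) ? 'allowed' : 'blocked';
            printf("%-26s configured=%-26s %s\n", $host, $configured, $verdict);
        }
    }
}
```

Run with the PHP command-line binary, it lists which host and configured-value pairs pass; whichever form of the name is configured, the other form is blocked unless the site forces a single hostname.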