Securing the Recommend Us feature in PostNuke/PHP Nuke
Posted by: David on Mar 28, 2008 - 04:00 PM
php_security
I've noticed some oddball email bounces stemming from the Recommend_Us module trying to send email to non-existent email addresses. A lot of them would contain spam words, which I won't list here. I came to the conclusion that this is a malicious attack on a PostNuke/PHP Nuke site, trying to get the server hosting the site blacklisted as a source of spam. Therefore, if you run a PostNuke or PHP Nuke site, I think it is important that you take steps to secure the "Recommend Us" module. Since I am running PostNuke, the solution here is written for that CMS, but the same concepts apply to PHP Nuke.
The fix is to make sure that a user is logged in before he or she can recommend the site or a story from it.
Here are the steps:
Head over to your root PostNuke directory, then go to modules and Recommend_Us.
Make a backup copy of index.php
Edit the file index.php.
Look for instances of:
if (pnUserLoggedIn()) {
and in the else portion, put in something like the following:
die("You must be a member and logged in to send a recommendation.");
Note that some of these checks already have an "else" branch; for the others you will have to add one yourself.
Next I would recommend changing the text input boxes for "Your name" and "Your email" into hidden inputs instead. For instance, change:
echo "
<table>
<tr>
<td><span class=\"pn-normal\"><label for=\"YOURNAME\">"._FYOURNAME."</label></span></td>
<td><input type=\"text\" name=\"yname\" value=\"$yn\" SIZE=\"25\" maxlength=\"25\" id=\"YOURNAME\" tabindex=\"0\" /></td>
</tr>
<tr>
<td><span class=\"pn-normal\"><label for=\"YOUREMAIL\">"._FYOUREMAIL."</label></span></td>
<td><input type=\"text\" name=\"ymail\" value=\"$ye\" size=\"25\" id=\"YOUREMAIL\" tabindex=\"0\" /></td>
</tr>
to
echo "
<input type=\"hidden\" name=\"yname\" value=\"$yn\" />
<input type=\"hidden\" name=\"ymail\" value=\"$ye\" />
<table>
And voilà, you have just secured the recommendation feature against anonymous malicious users.
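A hidden input can be edited by the client just like a text box, so the code that sends the mail should not rely on the posted yname/ymail values. The following is an added example, not code from the original post or from PostNuke: it repeats the login gate and takes the sender's name and address from the logged-in account. The helper name recommend_build_request and the fmail field name are assumptions; pnUserGetVar is PostNuke's user API and is stubbed here so the file runs outside the CMS.

```php
<?php
// Added example, not PostNuke's code. These stubs stand in for the PostNuke
// API only when the file is run outside the CMS; the user is constructed.
if (!function_exists('pnUserLoggedIn')) {
    $GLOBALS['demo_user'] = array('uname' => 'alice', 'email' => 'alice@example.org');
    function pnUserLoggedIn() { return $GLOBALS['demo_user'] !== null; }
    function pnUserGetVar($name) { return $GLOBALS['demo_user'][$name]; }
}

// Hypothetical helper: returns the values that may be handed to the mailer,
// or throws if the request must be refused.
function recommend_build_request(array $post)
{
    // Same gate as in the article: anonymous visitors never reach the mailer.
    if (!pnUserLoggedIn()) {
        throw new RuntimeException('You must be a member and logged in to send a recommendation.');
    }
    // The recipient is still free-form input: accept exactly one valid
    // address and refuse line breaks or list separators outright.
    // 'fmail' is an assumed field name for the friend's address.
    $fmail = isset($post['fmail']) ? trim($post['fmail']) : '';
    if (preg_match('/[\r\n,;]/', $fmail) || !filter_var($fmail, FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('Invalid recipient address.');
    }
    // Sender identity comes from the account record. Whatever arrives in
    // yname/ymail is ignored, because a hidden input is as editable by the
    // client as a text box.
    return array(
        'yname' => pnUserGetVar('uname'),
        'ymail' => pnUserGetVar('email'),
        'fmail' => $fmail,
    );
}

// Constructed requests: an honest one, one whose hidden fields were altered,
// and one with a malformed recipient.
$requests = array(
    array('yname' => 'alice', 'ymail' => 'alice@example.org', 'fmail' => 'bob@example.net'),
    array('yname' => 'Someone Else', 'ymail' => 'forged@example.com', 'fmail' => 'bob@example.net'),
    array('yname' => 'alice', 'ymail' => 'alice@example.org', 'fmail' => 'not-an-address'),
);
foreach ($requests as $post) {
    try {
        $r = recommend_build_request($post);
        echo "send as {$r['yname']} <{$r['ymail']}> to {$r['fmail']}\n";
    } catch (Exception $e) {
        echo 'refused: ' . $e->getMessage() . "\n";
    }
}
```

The first two requests produce the same sender, alice's account details, which shows that the altered hidden fields have no effect; the third is refused.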