%1$s |
';
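$error_tpl = '
%s |
%s |
';
$output = '';

// 1. Write permissions check.
//    Every listed path must NOT be writable by the web server user: a strict
//    boolean true from checkWritePermissions() means the path is writable, so
//    anyone who can run code as the web user could alter the application's
//    own entry points / configuration. Any non-boolean return value (e.g. an
//    error string) is treated as "not writable", as in the original code.
$write_check = true;
$check_paths = Array (
	'/',
	'/index.php',
	$this->toolkit->systemConfig->get('WriteablePath', 'Misc') . '/config.php',
	ADMIN_DIRECTORY . '/index.php',
);

foreach ($check_paths as $check_path) {
	$path_check_status = $this->toolkit->checkWritePermissions(FULL_PATH . $check_path);
	$path_secure = !(is_bool($path_check_status) && $path_check_status);

	if (!$path_secure) {
		$write_check = false;
	}

	$status_text = $path_secure ? '[Secure]' : '[Vulnerable]';
	$output .= sprintf($error_tpl, $check_path . (!$path_secure? ' (755 required)' : ''), $status_text);
}

// heading goes in front of the per-path rows collected above
$output = sprintf($heading_tpl, 'Write Permissions Check', 'text') . $output;

if (!$write_check) {
	$output .= '
For security reasons it\'s REQUIRED to set 755 permissions on the above files to prevent from attacks on your website!
|
';
}

// 2. PHP execution check.
//    A tiny PHP probe is written into the writable folder and fetched over
//    HTTP; if the web server executes it (response is exactly 'OK') then any
//    file that ends up in that folder would run as code. The probe is removed
//    again right after the request.
$probe_file = WRITEABLE . '/install_check.php';

if (file_exists($probe_file)) {
	unlink($probe_file);
}

$fp = fopen($probe_file, 'w');

if ($fp === false) {
	// Probe could not be created: without it the HTTP response can never be
	// 'OK', which would wrongly be reported as '[Secure]'. Report the check
	// as not performed instead of silently failing open.
	$probe_written = false;
	$result = false;
}
else {
	// NOTE(review): the probe body was lost in extraction of this file; it
	// must output exactly 'OK' (see the comparison below) - confirm against
	// the upstream source.
	fwrite($fp, "<?php echo 'OK'; ?>");
	fclose($fp);
	$probe_written = true;

	$curl_helper = $this->Application->recallObject('CurlHelper');
	/* @var $curl_helper kCurlHelper */

	$result = $curl_helper->Send($this->Application->BaseURL(WRITEBALE_BASE) . 'install_check.php');
	unlink($probe_file);
}

$execute_check = ($result !== 'OK');
$output .= sprintf($heading_tpl, 'Ability to Execute PHP in Writable Folders', 'text');

if ($probe_written) {
	$status_text = $execute_check ? '[Secure]' : '[Vulnerable]';
}
else {
	$status_text = '[Not Checked]';
}

$output .= sprintf($error_tpl, 'Result of creating and executing PHP file(s) in "/system" (or "/system/images") folder', $status_text);

if (!$execute_check) {
	$output .= '
For security reasons it\'s highly recommended disable the access (execution) to PHP files within "/system" folder and it\'s subfolders.
|
You can do this by:
- changing your "httpd.conf" file to deny requests for all "*.php" files
- renaming ".htaccess-sample" (located in "/system") to ".htaccess" so it overrides default Apache settings
Note that "AllowOverride LIMIT" option should be enabled by your hosting provider.
|
';
}

// 3. php.ini directives.
//    The array value is the REQUIRED state: true = must be enabled/set,
//    false = must be disabled. A directive is compliant when the truthiness
//    of its current value matches the required state.
$output .= sprintf($heading_tpl, 'Webserver PHP Configuration', 'text');
$directive_check = true;
$ini_vars = Array (
	'register_globals' => false,	// removed in PHP 5.4: ini_get() returns false there, i.e. reported as Off
	'open_basedir' => true,
	'allow_url_fopen' => false,
);

foreach ($ini_vars as $var_name => $var_value) {
	$current_value = ini_get($var_name);

	// ini_get() yields "1"/"0"/"" for boolean directives and a path list for
	// open_basedir; numeric values are shown quoted, everything else as On/Off
	if (is_numeric($current_value)) {
		$formatted_value = "'" . $current_value . "'";
	}
	else {
		$formatted_value = $current_value ? 'On' : 'Off';
	}

	$directive_secure = ((bool)$var_value === (bool)$current_value);

	if (!$directive_secure) {
		$directive_check = false;
	}

	$status_text = $directive_secure ? '[Secure]' : '[Vulnerable]';
	$output .= sprintf($error_tpl, 'Directive: ' . $var_name . ' set to ' . $formatted_value, $status_text);
}

// TODO (from original): show an additional aggregated warning when !$directive_check

echo $output;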
?>