Allow renaming of admin folder for better security. #369 #391

Open
wants to merge 2 commits into
base: dev
from
12 changes: 10 additions & 2 deletions admin/index.php
Expand Up @@ -11,10 +11,18 @@
* file that was distributed with this source code.
*/

/**
* Define __DIR__ constant for PHP 5.2.x
*/
if ( ! defined('__DIR__')) {
define('__DIR__', dirname(__FILE__));
}


// Main engine defines
define('DS', DIRECTORY_SEPARATOR);
define('ROOT', rtrim(str_replace(array('admin'), array(''), dirname(__FILE__)), '\\/'));
define('ROOT', rtrim(dirname(__DIR__), '\\/')); // eg '/home/user/public_html'
define('ADMIN', basename(__DIR__)); // eg 'admin'
define('BACKEND', true);
define('MONSTRA_ACCESS', true);

Expand Down Expand Up @@ -131,7 +139,7 @@
Notification::set('reset_password', 'reset_password');

// Redirect to password-reset page
Request::redirect(Site::url().'/admin');
Request::redirect(Site::url().'/'.ADMIN.'');
}

Notification::setNow('reset_password', 'reset_password');
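Review bot: The trailing `.''` in `Request::redirect(Site::url().'/'.ADMIN.'');` in the second hunk is a no-op concatenation; `Request::redirect(Site::url().'/'.ADMIN);` is equivalent and clearer. In the first hunk, the comment on the new `ADMIN` define could state that this value only exists for requests that pass through admin/index.php, while front-end requests get the separate fallback in boot/defines.php, so a rename is only complete once that file is updated too; e.g. `define('ADMIN', basename(__DIR__)); // eg 'admin'; front-end requests never run this file and use the fallback in boot/defines.php, so change it there as well after renaming`. Because the value is derived from the real directory name rather than from anything in the request, the templates that now emit `ADMIN` unescaped into URLs are not picking up attacker-controlled input.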
12 changes: 6 additions & 6 deletions admin/themes/default/index.template.php
Expand Up @@ -21,7 +21,7 @@
<?php Stylesheet::add('public/assets/css/chocolat.css', 'backend', 2); ?>
<?php Stylesheet::add('public/assets/css/bootstrap-fileupload.css', 'backend', 3); ?>
<?php Stylesheet::add('public/assets/css/icheck-blue.css', 'backend', 4); ?>
<?php Stylesheet::add('admin/themes/default/css/default.css', 'backend', 5); ?>
<?php Stylesheet::add(ADMIN.'/themes/default/css/default.css', 'backend', 5); ?>
<?php Stylesheet::load(); ?>

<!-- JavaScripts -->
Expand All @@ -31,7 +31,7 @@
<script src="<?php echo Site::url(); ?>/public/assets/js/icheck.min.js"></script>
<?php Javascript::add('public/assets/js/jquery.chocolat.js', 'backend', 3); ?>
<?php Javascript::add('public/assets/js/bootstrap-fileupload.js', 'backend', 4); ?>
<?php Javascript::add('admin/themes/default/js/default.js', 'backend', 5); ?>
<?php Javascript::add(ADMIN.'/themes/default/js/default.js', 'backend', 5); ?>
<?php Javascript::load(); ?>

<?php Action::run('admin_header'); ?>
Expand Down Expand Up @@ -74,12 +74,12 @@
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="<?php echo Site::url(); ?>/admin/index.php?id=dashboard">MONSTRA</a>
<a class="navbar-brand" href="<?php echo Site::url().'/'.ADMIN; ?>/index.php?id=dashboard">MONSTRA</a>
</div>

<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav">
<li<?php if (Request::get('id') == 'dashboard') { ?> class="active"<?php } ?>><a href="<?php echo Site::url(); ?>/admin/index.php?id=dashboard"><?php echo __('Dashboard', 'dashboard'); ?></a></li>
<li<?php if (Request::get('id') == 'dashboard') { ?> class="active"<?php } ?>><a href="<?php echo Site::url().'/'.ADMIN; ?>/index.php?id=dashboard"><?php echo __('Dashboard', 'dashboard'); ?></a></li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown"><?php echo __('Content', 'pages'); ?> <b class="caret"></b></a>
<ul class="dropdown-menu">
Expand Down Expand Up @@ -117,8 +117,8 @@
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown"><?php echo Session::get('user_login'); ?> <img src="<?php echo Users::getGravatarURL(Session::get('user_email'), 28); ?>" alt=""> <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="<?php echo Site::url(); ?>/admin/index.php?id=users&action=edit&user_id=<?php echo Session::get('user_id'); ?>"><?php echo __('Profile', 'users')?></a></li>
<li><a href="<?php echo Site::url(); ?>/admin/?logout=do"><?php echo __('Log Out', 'users'); ?></a></li>
<li><a href="<?php echo Site::url().'/'.ADMIN; ?>/index.php?id=users&action=edit&user_id=<?php echo Session::get('user_id'); ?>"><?php echo __('Profile', 'users')?></a></li>
<li><a href="<?php echo Site::url().'/'.ADMIN; ?>/?logout=do"><?php echo __('Log Out', 'users'); ?></a></li>
</ul>
</li>
</ul>
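Review bot: `<?php echo Site::url().'/'.ADMIN; ?>/index.php?id=dashboard` splits the admin URL between PHP code and literal template text, and the same `Site::url().'/'.ADMIN` expression is repeated four times in this file and again in login.template.php, plugins/box/pages/views/backend/index.view.php and plugins/box/plugins/views/backend/index.view.php. Computing the admin base URL once (a constant defined next to `ADMIN`, or a small static helper) and echoing that in the templates would keep the markup readable and leave a single place to change if the URL layout moves again. The login template builds the same link from `Option::get('siteurl')` rather than `Site::url()`; that inconsistency predates this change but is worth aligning while these lines are being touched.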
6 changes: 3 additions & 3 deletions admin/themes/default/login.template.php
Expand Up @@ -14,7 +14,7 @@
<link rel="stylesheet" href="<?php echo Site::url(); ?>/public/assets/css/messenger-theme-flat.css" type="text/css" />
<?php Stylesheet::add('public/assets/css/bootstrap-lightbox.css', 'backend', 2); ?>
<?php Stylesheet::add('public/assets/css/bootstrap-fileupload.css', 'backend', 3); ?>
<?php Stylesheet::add('admin/themes/default/css/default.css', 'backend', 5); ?>
<?php Stylesheet::add(ADMIN.'/themes/default/css/default.css', 'backend', 5); ?>
<?php Stylesheet::load(); ?>

<!-- JavaScripts -->
Expand All @@ -24,7 +24,7 @@
<script src="<?php echo Site::url(); ?>/public/assets/js/messenger-theme-flat.js"></script>
<?php Javascript::add('public/assets/js/bootstrap-lightbox.js', 'backend', 3); ?>
<?php Javascript::add('public/assets/js/bootstrap-fileupload.js', 'backend', 4); ?>
<?php Javascript::add('admin/themes/default/js/default.js', 'backend', 5); ?>
<?php Javascript::add(ADMIN.'/themes/default/js/default.js', 'backend', 5); ?>
<?php Javascript::load(); ?>

<script type="text/javascript">
Expand Down Expand Up @@ -68,7 +68,7 @@

<div class="container form-signin">

<div class="text-center"><a class="brand" href="<?php echo Option::get('siteurl'); ?>/admin"><img src="<?php echo Option::get('siteurl'); ?>/public/assets/img/monstra-logo-256px.png" alt="monstra" /></a></div>
<div class="text-center"><a class="brand" href="<?php echo Option::get('siteurl').'/'.ADMIN; ?>"><img src="<?php echo Option::get('siteurl'); ?>/public/assets/img/monstra-logo-256px.png" alt="monstra" /></a></div>
<div class="administration-area well">
<div>
<form method="post">
4 changes: 3 additions & 1 deletion boot/defines.php
Expand Up @@ -12,7 +12,9 @@
/**
* The filesystem path to the admin 'themes' folder
*/
define('THEMES_ADMIN', ROOT . DS . 'admin' . DS . 'themes');
if (!defined('ADMIN'))
define('ADMIN', 'admin'); // change this if you use the members area in the front website
define('THEMES_ADMIN', ROOT . DS . ADMIN . DS . 'themes');

/**
* The filesystem path to the 'plugins' folder
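Review bot: The brace-less `if (!defined('ADMIN'))` followed by `define('ADMIN', 'admin');` on the two added lines guards only the next statement, which is fragile the moment someone adds a second define under it; the same form is used in the `loadDefines()` hunk of engine/Monstra.php. The comment `// change this if you use the members area in the front website` understates the requirement: every front-end request takes this fallback (for example `Stylesheet::parseVariables`, which now builds `@theme_admin_url` from `ADMIN`), so after the folder is renamed the value here must match or front-end links into the admin area break. Suggested: `if (!defined('ADMIN')) {` / `    define('ADMIN', 'admin'); // must match the real admin folder name: front-end requests never run admin/index.php` / `}`.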
5 changes: 5 additions & 0 deletions engine/Monstra.php
Expand Up @@ -263,6 +263,11 @@ protected static function loadDefines()
} else {
throw new RuntimeException("The defines file does not exist.");
}

// a last gasp catch-all to ensure that any front-end systems won't cause an exception, but will simply fail to use the correct URL
// (This is normally in defines.php)
if (!defined('ADMIN'))
define('ADMIN', 'admin');
}

/**
2 changes: 1 addition & 1 deletion engine/Plugin/Stylesheet.php
Expand Up @@ -139,7 +139,7 @@ public static function parseVariables($frontend_buffer)
'@theme_admin_url'),
array(Option::get('siteurl'),
Option::get('siteurl').'/public/themes/'.Option::get('theme_site_name'),
Option::get('siteurl').'/admin/themes/'.Option::get('theme_admin_name')),
Option::get('siteurl').'/'.ADMIN.'/themes/'.Option::get('theme_admin_name')),
$frontend_buffer);
}

2 changes: 1 addition & 1 deletion install.php
Expand Up @@ -168,7 +168,7 @@
<link rel="icon" href="<?php echo $site_url; ?>/favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="<?php echo $site_url; ?>/favicon.ico" type="image/x-icon" />
<link rel="stylesheet" href="<?php echo $site_url; ?>/public/assets/css/bootstrap.css" media="all" type="text/css" />
<link rel="stylesheet" href="<?php echo $site_url; ?>/admin/themes/default/css/default.css" media="all" type="text/css" />
<link rel="stylesheet" href="<?php echo $site_url.'/'.ADMIN; ?>/themes/default/css/default.css" media="all" type="text/css" />

<style>

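Review bot: `$site_url.'/'.ADMIN` assumes the `ADMIN` constant is defined when install.php runs; if the installer does not load boot/defines.php (not visible in this hunk), the reference is an undefined constant — a warning plus the literal string `'ADMIN'` on PHP 7, an `Error` on PHP 8 — and the installer's stylesheet link breaks or the page aborts. A guard such as `<?php echo $site_url.'/'.(defined('ADMIN') ? ADMIN : 'admin'); ?>/themes/default/css/default.css` keeps the installer working in either case.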
6 changes: 3 additions & 3 deletions plugins/box/backup/backup.admin.php
Expand Up @@ -41,7 +41,7 @@ public static function main()
Notification::set('error', __('Backup was not created', 'backup'));
}

Request::redirect(Option::get('siteurl').'/admin/index.php?id=backup');
Request::redirect(Option::get('siteurl').'/'.ADMIN.'/index.php?id=backup');

} else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
}
Expand All @@ -58,7 +58,7 @@ public static function main()
Notification::set('error', __('Backup was not deleted', 'backup'));
}

Request::redirect(Option::get('siteurl').'/admin/index.php?id=backup');
Request::redirect(Option::get('siteurl').'/'.ADMIN.'/index.php?id=backup');

} else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
}
Expand Down Expand Up @@ -91,7 +91,7 @@ public static function main()
Notification::set('error', __('Backup was not restored', 'backup'));
}

Request::redirect(Option::get('siteurl').'/admin/index.php?id=backup');
Request::redirect(Option::get('siteurl').'/'.ADMIN.'/index.php?id=backup');

} else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
}
2 changes: 1 addition & 1 deletion plugins/box/backup/views/backend/index.view.php
Expand Up @@ -31,7 +31,7 @@
<tr>
<td>
<?php $name = strtotime(str_replace('-', '', basename($backup, '.zip'))); ?>
<?php echo Html::anchor(Date::format($name, 'F jS, Y - g:i A'), Option::get('siteurl').'/admin/index.php?id=backup&download='.$backup.'&token='.Security::token()); ?>
<?php echo Html::anchor(Date::format($name, 'F jS, Y - g:i A'), Option::get('siteurl').'/'.ADMIN.'/index.php?id=backup&download='.$backup.'&token='.Security::token()); ?>
</td>
<td class="visible-lg hidden-xs"><?php echo Number::byteFormat(filesize(ROOT . DS . 'backups' . DS . $backup)); ?></td>
<td>
24 changes: 12 additions & 12 deletions plugins/box/filesmanager/filesmanager.admin.php
Expand Up @@ -36,25 +36,25 @@ public static function main()
// Add slash if not exists
if (substr($path, -1, 1) != '/') {
$path .= '/';
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);
}

// Upload corectly!
if ($path == 'uploads' || $path == 'uploads//') {
$path = 'uploads/';
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);
}

// Only 'uploads' folder!
if (strpos($path, 'uploads') === false) {
$path = 'uploads/';
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);
}

// Set default path value if path is empty
if ($path == '') {
$path = 'uploads/';
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);
}

$files_path = ROOT . DS . 'public' . DS . $path;
Expand All @@ -73,7 +73,7 @@ public static function main()
} else {
Notification::set('error', __('File was not deleted', 'filesmanager'));
}
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);

} else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
}
Expand All @@ -92,7 +92,7 @@ public static function main()
Notification::set('error', __('Directory was not deleted', 'filesmanager'));
}

Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);


} else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
Expand All @@ -111,20 +111,20 @@ public static function main()

if (empty($rename_to)) {
Notification::set('error', __('Can not be empty', 'filesmanager'));
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);
}

$ext = ($rename_type === 'file') ? '.'. File::ext($rename_from) : '';
$rename_to = $files_path . Security::safeName($rename_to, null, false).$ext;

if (is_dir($rename_to)) {
Notification::set('error', __('Directory exists', 'filesmanager'));
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);
}

if (is_file($rename_to)) {
Notification::set('error', __('File exists', 'filesmanager'));
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);
}

$success = rename($files_path.$rename_from, $rename_to);
Expand All @@ -134,7 +134,7 @@ public static function main()
} else {
Notification::set('error', __('Failure', 'filesmanager'));
}
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);

} else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
}
Expand Down Expand Up @@ -169,7 +169,7 @@ public static function main()
if (Request::post('dragndrop')) {
Request::shutdown();
} else {
Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path);
}
} else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
}
Expand Down Expand Up @@ -239,7 +239,7 @@ public static function main()
->assign('upload_max_filesize', FilesmanagerAdmin::uploadSize())
->assign('files_path', $files_path)
->assign('fileuploader', array(
'uploadUrl' => $site_url.'/admin/index.php?id=filesmanager&path='.$path,
'uploadUrl' => $site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='.$path,
'csrf' => Security::token(),
'errorMsg' => __('Upload server error', 'filesmanager')
))->display();
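Review bot: The expression `$site_url.'/'.ADMIN.'/index.php?id=filesmanager&path='` is now spelled out twelve times inside `main()`; computing it once near the top, e.g. `$redirect_url = $site_url.'/'.ADMIN.'/index.php?id=filesmanager&path=';` and then `Request::redirect($redirect_url.$path);` at each site, would shrink the diff and leave one place to change if the URL layout moves again. plugins/box/plugins/plugins.admin.php and plugins/box/backup/backup.admin.php repeat the same pattern with their own query strings. `main()` begins and ends outside the hunks shown here.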
17 changes: 15 additions & 2 deletions plugins/box/information/views/backend/index.view.php
Expand Up @@ -121,8 +121,8 @@
<td><?php if (Dir::writable(PLUGINS)) { ?><span class="badge badge-success"><?php echo __('Writable', 'information'); ?></span><?php } else { ?><span class="badge badge-error"><?php echo __('Unwritable', 'information'); ?></span><?php } ?></td>
</tr>
<tr>
<td><?php echo ROOT . DS . 'admin' ?></td>
<td><?php if (Dir::writable(ROOT . DS . 'admin')) { ?><span class="badge badge-success"><?php echo __('Writable', 'information'); ?></span><?php } else { ?><span class="badge badge-error"><?php echo __('Unwritable', 'information'); ?></span><?php } ?></td>
<td><?php echo ROOT . DS . ADMIN ?></td>
<td><?php if (Dir::writable(ROOT . DS . ADMIN)) { ?><span class="badge badge-success"><?php echo __('Writable', 'information'); ?></span><?php } else { ?><span class="badge badge-error"><?php echo __('Unwritable', 'information'); ?></span><?php } ?></td>
</tr>
</tbody>
</table>
Expand Down Expand Up @@ -152,6 +152,19 @@
<td><?php echo __('The Monstra index.php file has been found to be writable. We would advise you to remove all write permissions. <br>You can do this on unix systems with: <code>chmod a-w :path</code>', 'information', array(':path' => ROOT . DS . 'index.php')); ?></td>
</tr>
<?php } ?>
<?php if (Dir::exists(ROOT . DS . 'admin')) {
$new_admin = 'admin' . bin2hex(openssl_random_pseudo_bytes(2));
?>
<tr>
<td><span class="badge badge-error" style="padding-left:5px; padding-right:5px;"><b>!</b></span> </td>
<td><?php echo __('The Monstra admin folder should be renamed to something else. We suggest <code>:name</code> or something memorable.<br>You can rename the folder on unix systems with: <code>mv :pathadmin :path:name</code> <br> You will then access this admin website via <code>:url</code><br><br>You may also need to update <code>:defines</code> by adding <code>:newdefine</code>, particularly if you have a members area.', 'information',
array(':path' => ROOT . DS,
':name' => $new_admin,
':url' => Option::get('siteurl').'/'.$new_admin,
':defines' => ROOT . DS . 'boot' . DS . 'defines.php',
':newdefine' => 'if (!defined(\'ADMIN\')) define(\'ADMIN\', \''.$new_admin.'\');')); ?></td>
</tr>
<?php } ?>
<?php if (Monstra::$environment == Monstra::DEVELOPMENT) { ?>
<tr>
<td><span class="badge badge-warning" style="padding-left:5px; padding-right:5px;"><b>!</b></span> </td>
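Review bot: `openssl_random_pseudo_bytes(2)` gives the suggested folder name only 16 bits of variation after the fixed `admin` prefix, so a name taken from this suggestion is small enough to be found by exhaustive guessing; the call also ignores the `$crypto_strong` out-parameter and is an undefined function on builds without the openssl extension. Using more bytes and the CSPRNG API where available, `$new_admin = 'admin' . bin2hex(function_exists('random_bytes') ? random_bytes(8) : openssl_random_pseudo_bytes(8));`, yields a 16-character suffix; either way the rename only raises the cost of locating the login page and sits on top of the existing authentication. The instruction text `by adding <code>:newdefine</code>` is also misleading: boot/defines.php already contains `if (!defined('ADMIN')) define('ADMIN', 'admin');`, so a second guarded define appended after it is a no-op, and the message should tell the operator to change the existing fallback value instead.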
2 changes: 1 addition & 1 deletion plugins/box/pages/views/backend/index.view.php
Expand Up @@ -109,5 +109,5 @@
</div>

<form>
<input type="hidden" name="url" value="<?php echo Option::get('siteurl'); ?>/admin/index.php?id=pages">
<input type="hidden" name="url" value="<?php echo Option::get('siteurl').'/'.ADMIN; ?>/index.php?id=pages">
</form>
4 changes: 2 additions & 2 deletions plugins/box/plugins/plugins.admin.php
Expand Up @@ -174,7 +174,7 @@ public static function main()
if (Request::post('dragndrop')) {
Request::shutdown();
} else {
Request::redirect($site_url.'/admin/index.php?id=plugins#installnew');
Request::redirect($site_url.'/'.ADMIN.'/index.php?id=plugins#installnew');
}
} else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
}
Expand Down Expand Up @@ -219,7 +219,7 @@ public static function main()
->assign('plugins_to_intall', $plugins_to_intall)
->assign('_users_plugins', $_users_plugins)
->assign('fileuploader', array(
'uploadUrl' => $site_url.'/admin/index.php?id=plugins',
'uploadUrl' => $site_url.'/'.ADMIN.'/index.php?id=plugins',
'csrf' => Security::token(),
'errorMsg' => __('Upload server error', 'filesmanager')
))
2 changes: 1 addition & 1 deletion plugins/box/plugins/views/backend/index.view.php
Expand Up @@ -152,7 +152,7 @@
$.ajax({
type:"post",
data:"readme_plugin="+$(this).attr('readme_plugin'),
url: "<?php echo Site::url(); ?>/admin/index.php?id=plugins",
url: "<?php echo Site::url().'/'.ADMIN; ?>/index.php?id=plugins",
success: function(data){
$('#readme .modal-body').html(data);
}