Disabling authentication for a single page (ColdFusion) - security

Let me start by saying I am not really a full-stack developer and this is out of my scope of understanding. I have tried searching for an answer but I can't find anything relevant. If you have any reasons to share, they would be much appreciated!
I am working on a website running on ColdFusion and Framework One. I've been instructed to make a single specific page accessible without authentication. I know this might seem like a bad idea; security-wise, I have no idea how dangerous this really is, but it doesn't seem great. Regardless, those are my instructions.
Where would I even do something like this? Is there some sort of "authenticator" action that I can disable? When visiting a page on the domain while logged out, the user is just redirected to the initial login page. Perhaps I can disable this redirect? I've looked in the relevant controller and view pages for the area of the site I'm working on, but I can't find anything, and it's hard for me to google without much knowledge of the topic to begin with. Any help is greatly appreciated.

Since you state that you don't have experience with ColdFusion, this answer is kept simple and does not try to explain how ColdFusion applications work or what an Application scope is in ColdFusion.
Create a sub-folder within your original application folder.
Create your non-secure page within this new sub-folder.
Create another page under the same sub-folder named Application.cfm with the following code (it is just a comment, so the page is otherwise empty, but it prevents the code that redirects to login from executing).
Code for Application.cfm:
<!--- // this folder is not secure --->
If this does not work for you because you need access to stuff that is part of the secured application, let me know and I'll update my answer, but it will get a bit more complex: you'll need to find out where the redirection to login takes place, and you'll need to understand what you're doing in ColdFusion.
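As an added example, not part of the answer above, this is the more explicit alternative it alludes to: an Application.cfc that performs the login redirect itself in onRequestStart and exempts only a short allowlist of pages, so the unauthenticated exception is visible in one place rather than in a hidden empty Application.cfm. The application name, the session.isLoggedIn flag, the login.cfm and public/status.cfm paths, and an application rooted at the web root are assumptions.

```cfml
<!--- Added example, not from the original answer. Assumes the application
      lives at the web root, that a successful login sets session.isLoggedIn,
      and that /login.cfm and /public/status.cfm are the only pages allowed
      without a session. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <!--- Every entry here is an unauthenticated entry point into the
          application, so keep the list short and review it when it changes. --->
    <cfset this.publicPages = ["/login.cfm", "/public/status.cfm"]>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <!--- targetPage is the script path of the request, e.g. "/index.cfm";
              ColdFusion has already stripped the query string. --->
        <cfargument name="targetPage" type="string" required="true">
        <cfset var isPublic = false>
        <cfset var p = "">

        <!--- Exact, case-insensitive match against the allowlist. A prefix
              match would let /public/status.cfm.bak or /publicXYZ slip through. --->
        <cfloop array="#this.publicPages#" index="p">
            <cfif compareNoCase(p, arguments.targetPage) EQ 0>
                <cfset isPublic = true>
            </cfif>
        </cfloop>

        <!--- Missing or false login flag on a protected page: redirect to the
              login page and stop processing this request. --->
        <cfif NOT isPublic AND
              NOT (structKeyExists(session, "isLoggedIn") AND session.isLoggedIn)>
            <cflocation url="/login.cfm" addtoken="false">
            <cfreturn false>
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because the check runs for every .cfm request, adding a page to this.publicPages is the whole change when a page must be public, and nothing else in the secured application needs to move.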

Related

Opening a read only URL with password

New to Web site dev, though have done a lot of coding of other sorts in the past, just set up a personal blog for my own amusement on bluehost using wordpress and have it installed locally for dev.
I have a training log on another site which anyone can open read-only to view training stats with a URL of the form below, this works fine in a browser:
https://www.othersite.com/logs/1234xyz/authenticate?password=thisismypassword
What I have tried to do unsuccessfully is have this open in a frame on one of my web pages (used iframe/object in html). It seems impossible to do this as the authentication string is not passed across, and the screen displayed prompts for manual input of the password. Can I open this automatically in some way?
If I understood correctly, your solution is insecure regardless of whether it works or not. This way your clients can see the password for your (or another) site.
I suggest querying the external content using custom PHP code and displaying (printing) it on your page.
There are several ways to get content of an external page:
https://www.php.net/manual/en/function.stream-context-create.php
https://www.php.net/manual/en/function.curl-init.php
If you need a tutorial for WP plugins check this out:
https://www.wpbeginner.com/wp-tutorials/how-to-create-a-wordpress-plugin/

pop external links on a new tab via htaccess

The SEO "guru" at my job has asked me to find out if it'd be possible to implement some sort of .htaccess magic that would make all external links on our CMS pop out of the browser and open in a different tab/window.
Is this even remotely possible? I know it could be done with JS but it'd be a pretty complicated task to modify all pages/content on our site to make it happen.
Any and all help will be appreciated!
Pretty sure that isn't possible via htaccess.
However, unless it is a weirdly coded CMS, then it should not be the complicated task you think.
A CMS will usually be built so that the content and template are in separate places, which should mean that you probably only need to update a single file in order to add code to the head of every page on the site, which could be a JavaScript snippet to modify external links. You should not have to touch the content.
Likewise, many CMSs will use a plug-in system allowing you to do this easily enough.
Also: A CMS will usually store content in a database, so a good database query could also replace all the links in one go.
Can't see how this could possibly help with SEO, mind!

Writing a htaccess file - RewriteBase?

Right, I'll try and explain my situation as thoroughly as possible while also keeping it brief...
I'm just starting out as a web designer/developer, so I bought the unlimited hosting package with 123-reg. I set up a couple of websites, my main domain being designedbyross.co.uk. I have learnt how to map other domains to a folder within this directory. At the minute, one of my domains, scene63.com, is mapped to designedbyross.co.uk/blog63, which is working fine for the home page. However, when clicking on another link on scene63.com, for example page 2, the URL changes to designedbyross.co.uk/blog63/page2...
I have been advised by someone at 123-reg that I need to write a .htaccess file and use the RewriteBase directive (whatever that is?!). I have looked on a few websites to try and help me understand this, including http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html, however it all isn't making much sense at the moment.
Finally, scene63.com is a WordPress site; whether that makes any difference to how the htaccess file is structured I'm not sure...
Any help will be REALLY appreciated - Thanks.
I run my personal public website on Webfusion, which is another branded service offering by the same company on the same infrastructure, and my blog contains a bunch of articles (tagged Webfusion) on how to do this. You really need to do some reading and research -- the Apache docs, articles and HowTos like mine -- to help you get started and then come back with specific Qs, plus the supporting info that we need to answer them.
It sounds like you are using a 123 redirector service, or equivalent for scene63.com which hides the redirection in an iframe. The issue here is that if the links on your site use site-relative links then because the URI has been redirected to http://designedbyross.co.uk/blog6/... then any new pages will be homed in designedbyross.co.uk. (I had the same problem with my wife's business site which mapped the same way to one of my subdirectories).
What you need to do is to configure the blog so that its site base is http://scene63.com/ and to force explicit site-based links so that any hrefs in the pages are of the form http://scene63.com/page2, etc. How you do this depends on the blog engine, but most support this as an option.
It turned out to be a 123-reg problem at the time: they were not correctly applying changes to the DNS.

Need ideas on how to protect .exe file from direct download on other sites

We have our application stored on our server; it is an .exe file. The download page is only accessible from our site, using cookie authentication in PHP. I know there are better methods but there is a long story behind this... so I'm moving on. The issue is that the actual URL of the .exe has been leaked and is appearing on other websites. What is the best method to protect a link to a file, not the page itself? That is where I'm having issues. I can make it difficult to get to the download page (with the link) but don't know where to begin to make sure the link is only accessible from our site... Is .htaccess (preventing hotlinking) the best way to go?
Yes, .htaccess is probably best. Find any online post about protecting images from hotlinking; the first in my Google search looks like a nice and easy auto-generator you can use. Just change the image extensions to exe, or keep them if you want those protected too.

How do you globally modify page output sent from IIS without modifying the page source?

A couple of sites of mine recently got "hacked". Someone was able to add a line of JavaScript to the bottom of every page on the site.
The server is a Windows Server 2003, and has ColdFusion 8 and MySQL 5.x installed and running.
Looking into the code on each page shows that none of the pages were modified. The JavaScript is not in the code files themselves. This leads me to believe it is an IIS problem, but I am unsure and cannot find anything that would be able to do this within IIS.
The JavaScript being added redirects a user to another page only when they come from Google, or at least it appears to work this way.
Any help on how someone was able to accomplish this as well as removing it would be greatly appreciated.
Another way to word the question thanks to #Jeffrey Hantin
How do you systematically modify output from IIS without modifying individual pages?
EDIT: A bit more testing has shown that only the .cfm pages add the extra JavaScript. I added a new .cfm and the JS was there, but a .html did not have it.
Edit2: Turns out to have been a ColdFusion problem after all. Somehow OnRequestEnd.cfm pages were created on the sites and added that JS.
Looks like someone exploited some recent Adobe CF vulnerabilities.
Please see these blog posts for details and try to search for the symptoms on your server:
Image upload
FCKEditor bug + this post
Hope this helps.
Turns out to have been a ColdFusion problem after all. OnRequestEnd.cfm pages were created on the sites and added that JS.
If you only want to use IIS to modify output, an ISAPI filter is probably the best answer. If you would like to use ColdFusion, you could utilize Application.cfc to modify output during certain parts of the request cycle, or wrap all of your pages in a custom tag to consolidate the shared portions of your page templates.
I have used both. In cases where my page headers and footers are all the same, the custom tag is fast and easy to use. To make changes to all the pages, you edit one custom tag file. In cases where I have a more complicated web application, I'll use Application.cfc to store and insert common components where they are needed.
They might have guessed your password. You should change it immediately.
It's possible that an ISAPI filter is used to do this. I once used one myself to perform compression before IIS supported it natively.
In your specific situation, you may want to check for ISAPI filters you don't want installed. Of course, if your server has been compromised, you will likely be better off rebuilding from a known good image rather than trying to fix it in situ.