Open Script Solution» avoid

How to Avoid Error Message When Your Visitor Trying to Display Your Atahualpa 3.5.1 Theme Directory in WordPress

Masino Sinaga — Wed, 07 Jul 2010 02:49:19 +0000

Today I found something that annoying me when I tried to test the security hole by displaying the theme directory for one of my website that using Atahualpa theme version 3.5.1. Some error messages appeared when I tried to access such address: h++p://www.mydomain.com/wp-content/themes/atahualpa351/ . This error message caused by the using of unknown TEMPLATEPATH constant if this file accessed directly without from the index of the website itself. So, here is the modification I created to display “Access denied” message instead of error message that displaying the path of the theme directory in my web server.

Open your wp-content/themes/{youratahualpadirectoryname}/index.php file, and find this code:

3	include (TEMPLATEPATH . '/functions/bfa_get_options.php');

before that line of code, please insert this following code:

2
3
4

if ( !file_exists(TEMPLATEPATH . '/functions/bfa_get_options.php') ) {
  die('Sorry, access denied for displaying this directory!');
}

then save the changes.

That’s it! Now you should see the better error message than before if your visitor trying to display your theme directory.

How to Avoid Duplicate Ticket Content Saved in HESK v2.1

Masino Sinaga — Wed, 16 Dec 2009 16:51:12 +0000

Actually, this modification I created was being intended for a friend of mine who implemented HESK for his department. I was interested with its interface, so I tried to create a new ticket and tested after submitting the ticket, I reload the “thank-you” page. In fact, a new ticket then would be created, the same condition that occured in osTicket, which I have created the modification regarding it to fix the same problem.

Open your submit_ticket.php file, and find this code:

192	hesk_dbConnect();

then after that line, please insert this following code:

/* MOD: Avoid duplicate ticket (identified by its Subject & Message) */
/* modified by Masino Sinaga, November 30, 2009 */
$sqlcek = "SELECT `subject`,`message` FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."tickets` 
        WHERE `subject`='".hesk_dbEscape($subject)."' AND `message`='".hesk_dbEscape($message)."'";
$rescek = hesk_dbQuery($sqlcek);
if (hesk_dbNumRows($rescek) > 0) {
    //header('Location: index.php?a=add');
    header('Location: sorry.php');
    echo "This ticket content already exists in database!";
    exit();	
}
/* MOD: Avoid duplicate ticket (identified by its Subject & Message) */

Create a new php file, and name it with sorry.php, copy and paste this code below, and put this file to your HESK’s root directory:


 
/* Created by Masino Sinaga, http://www.openscriptsolution.com, November 30, 2009 */
 
define('IN_SCRIPT',1);
define('HESK_PATH','');
 
/* Get all the required files and functions */
require(HESK_PATH . 'hesk_settings.inc.php');
require(HESK_PATH . 'inc/common.inc.php');
 
/* Print header */
require_once(HESK_PATH . 'inc/header.inc.php');
?>
 



 hesk_showTopBar($hesklang['invalid_action']); ?>



 


 echo $hesk_settings['site_url']; ?>" class="smaller"> echo $hesk_settings['site_title']; ?> >
 echo $hesk_settings['hesk_url']; ?>" class="smaller"> echo $hesk_settings['hesk_title']; ?>
>  echo $hesklang['invalid_action']; ?>

echo "Sorry, the ticket you have just sent already exists in our database."; ?>

echo $hesk_settings['hesk_url']; ?>"> echo $hesk_settings['hesk_title']; ?>

require_once(HESK_PATH . 'inc/footer.inc.php'); exit();

How to Avoid Duplicate Message from Client Saved in osTicket v1.6 RC5

Masino Sinaga — Sun, 20 Sep 2009 15:01:36 +0000

Actually, this modification is similar with another one that I made here: How to Avoid Duplicate Ticket Content in osTicket System. After client post message (reply) to his/her ticket that has been created before, then client reload/refresh that next page, the duplicate message will be saved in database. This modification will avoid that duplicate message saved in database of your osTicket System.

Open \include\class.ticket.php file, and find this code:

    //Insert message from client
    function postMessage($msg,$source='',$msgid=NULL,$headers='',$newticket=false){
        global $cfg;
 
        if(!$this->getId())
            return 0;

after the last line of the code above, add this following code:

        // Begin of MOD Avoid Duplicate Message from Client Saved in Database
        // Added by Masino Sinaga, May 4, 2009
        $sql1='SELECT ticket_id, message FROM '.TICKET_MESSAGE_TABLE.' 
         WHERE ticket_id='.db_input($this->getId()).'
         AND message='.db_input(Format::striptags($msg)).'';
        $res1=db_query($sql1);                
        if( ($res1 && db_num_rows($res1)) ) {
          return 0;
        }
        // End of MOD Avoid Duplicate Message from Client Saved in Database
        // Added by Masino Sinaga, May 4, 2009

Open tickets.php file, and find this code:

69	$errors['err']='Unable to post the message. Try again';

replace with this following code:

69	$errors['err']='Unable to post the message. Make sure the message you will send never sent before. Try again';

Have a nice code!

Three Methods to Avoid Directory-Listing in WordPress

Masino Sinaga — Thu, 10 Sep 2009 03:13:00 +0000

In WordPress, almost plugins that I have used, do not include the index.html or index.php file inside its directory. As default, up to WordPress version 2.8.4, there is no protection to prevent or to avoid directory listing the first time you access your website after you install your WordPress. Thus, you or even your visitor can type such as http://www.yourdomain.com/wp-content/plugins/akismet/ then, voila… you or they can see the directory list which has the files inside that /akismet/ sub directory. You should take care about this early. Otherwise, if your visitor know about the weakness of your plugins that you currently use, they can exploit the bugs and hack your website easily. To avoid this happened, there are three methods that you can do how to avoid the directory list in your WordPress.

The first method, you can create a blank file with name index.html and then put this file to each of your plugin sub directory. With this method, each time your visitor type such that address above, then they will see a white blank page. This method is not efficient, since you have to put this index.html file to all of your plugin sub directory. Also, you have to be careful before you copy this file to all of your plugins directory. Because, if one of your plugins sub directory has the index.html or index.php file, then you can make a new problem since the existing index.html or index.php file is the part of that plugin’s script.

The second method, similarly with the first method above, you can create a file with name index.html and then copy the following code to this file:
1 2 3 4 5 6 7 8 9
This is your website title
Afterwards, put this file to all of your plugins sub directory. By using this method, each time your visitor trying to view your plugin sub directory, then they will be redirected to your website home page in two seconds. You can change how long your visitor will wait before being redirected to the home page, by changing the 2 value after meta content tag above. This method also has the weakness, since you have to put this file to all of your plugins sub directory, and you have to be careful for the reason as I mentioned at the first method above about the existing index.html or index.php file in your plugins sub directory.
The third method, is by using or optimizing (if already exist) the .htaccess file in your root website directory. Simply put this code at the top of your .htaccess file:
1 2
# Avoid directory list Options -Indexes
This method is the simpliest way of all three methods that we are talking about. Why? Because you only need to handle once from the .htaccess file. Afterwards, all of your sub directories under your root will be protected automatically. So, you don’t have to handle in each of your plugin sub directory anymore.

The first and the second methods above are necessary if you want to handle with different ways for each of your plugin when your visitor trying to view your directory list. For example, you want to display the certain message for plugin A that different for plugin B, and so on, before they got redirecting automatically using the second method.