Could use a time saver here

boionfire81
Posts: 12
Joined: Thu Dec 07, 2017 11:11 am

Could use a time saver here

Post by boionfire81 »

Script URL: /support
Version of script: 2.8.0
Hosting company: godaddy
URL of phpinfo.php: n/a
URL of session_test.php: *
What terms did you try when SEARCHING for a solution:

Write your message below:

I'm looking for a list of all http:// URLs that are accessed directly in the browser. It's a minor security add-on and I need the full list if possible.

I'm assuming none of the files in the language folder or the inc folder are directly accessible via a browser URL.
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Could use a time saver here

Post by Klemen »

Any file can be opened in the browser, but only those in the main folder and in the "admin" folder will be run (the rest will forcefully die). I don't have a list of them all.

If you want to protect access to certain files/folders, use for example .htaccess in Apache (Google how to restrict access to files/folders on the server software you use).

Also worth reading: https://www.hesk.com/knowledgebase/?article=82
Klemen, creator of HESK and PHPJunkyard
Was this helpful? You can buy me a drink here

You should follow me on Twitter here

Help desk software | Cloud help desk | Guestbook | Link manager | Click counter | more PHP Scripts ...

Also browse for php hosting companies, read php books, find php resources and use webmaster tools
boionfire81
Posts: 12
Joined: Thu Dec 07, 2017 11:11 am

Re: Could use a time saver here

Post by boionfire81 »

Right, but by using:

Code:

if (strpos($_SERVER['PHP_SELF'], "change_status.php") !== false) {
    die('This file can not be accessed directly.');
}

helps with XSS
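An added example, not code from HESK or from either poster, that follows up on the original request for the list of directly reachable files and on the "forcefully die" behaviour Klemen describes: a PHP CLI audit script that walks an install directory and reports every .php file outside the main folder and admin/ that does not open with a constant-based direct-access guard (a check that, unlike a test on PHP_SELF, does not depend on the request path). The marker constant name IN_SCRIPT, the guard shape and the folder layout are assumptions, not HESK's actual code.

```php
<?php
/*
 * Added example, not part of HESK. Lists include-only .php files that would
 * do work if a browser requested them directly. Files in the main folder and
 * in admin/ are entry points by design; every other .php file should open
 * with a guard that dies unless an entry point defined a marker constant.
 * The marker name IN_SCRIPT is an assumption, not taken from HESK's code.
 */

// Matches "<?php", optional comments, then: if (!defined('IN_SCRIPT'))
const GUARD_PATTERN =
    '/^\s*<\?php\s*(?:\/\/[^\n]*\n\s*|\/\*.*?\*\/\s*)*'
    . 'if\s*\(\s*!\s*defined\s*\(\s*[\'"]IN_SCRIPT[\'"]\s*\)\s*\)/s';

/** True when the file's first statement is the direct-access guard. */
function hasDirectAccessGuard(string $source): bool
{
    return preg_match(GUARD_PATTERN, $source) === 1;
}

/** Only the main folder and admin/ are expected to hold entry points. */
function isEntryPointDir(string $relativePath): bool
{
    $dir = dirname($relativePath);
    return $dir === '.' || $dir === 'admin';
}

/** Relative paths of include-only .php files that lack the guard. */
function findUnguardedIncludes(string $root): array
{
    $root = realpath($root) ?: $root;
    $unguarded = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $rel = substr($file->getPathname(), strlen($root) + 1);
        if ($file->getExtension() === 'php' && !isEntryPointDir($rel)
            && !hasDirectAccessGuard((string) file_get_contents($file->getPathname()))) {
            $unguarded[] = $rel;   // would run on direct browser access
        }
    }
    sort($unguarded);
    return $unguarded;
}

if (PHP_SAPI === 'cli') {
    foreach (findUnguardedIncludes($argv[1] ?? '.') as $path) {
        echo "UNGUARDED: $path\n";
    }
}
```

Run it as `php audit.php /path/to/support`; an empty report means every file outside the entry-point folders refuses to run unless included, and a web-server deny rule on inc/ and language/ still belongs on top of that as a second layer.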
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Could use a time saver here

Post by Klemen »

Sorry, but I don't see how that would help?

To prevent XSS, the input data must be sanitized. Hesk does that.

To prevent actions via direct browser access (CSRF for example), tokens are used by Hesk.

If you have any proof of concept that could lead to an exploit in Hesk please feel free to contact me via a private message.
boionfire81
Posts: 12
Joined: Thu Dec 07, 2017 11:11 am

Re: Could use a time saver here

Post by boionfire81 »

Direct browser access comes through the URL and is passed through your SQL.
But what about clickjacking? It completely bypasses IP bans.
boionfire81
Posts: 12
Joined: Thu Dec 07, 2017 11:11 am

Re: Could use a time saver here

Post by boionfire81 »

I have a ton of recommendations for the security of the script. But during all of this... I still have my own work to do... so it helps when someone knows the file locations.
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Could use a time saver here

Post by Klemen »

Anything that passes through SQL is sanitized first. There are no known XSS vulnerabilities in HESK.

To prevent click-jacking, HESK sends the X-Frame-Options: SAMEORIGIN HTTP header.

Like I said, if you have any proof of concept please do send it to me. I am happy to pay bounties (and have already done so in the past) for responsible security disclosure. A valid proof of concept is required for the bounty; generic suggestions alone are not eligible.
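An added example, not HESK's own code, illustrating the two mitigations Klemen names in this thread: a per-session anti-CSRF token so that a state-changing action cannot be triggered by a plain direct request, and the X-Frame-Options: SAMEORIGIN header against clickjacking. The session key name, the form field name and the usage lines are assumptions.

```php
<?php

/*
 * Added example, not HESK's own code. Per-session anti-CSRF token for
 * state-changing requests plus the anti-framing header. The session key
 * name, the form field name and the file names in the usage comment are
 * assumptions.
 */

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD_NAME  = 'token';

/** Send the anti-clickjacking header; must run before any output. */
function sendAntiClickjackHeaders(): void
{
    header('X-Frame-Options: SAMEORIGIN');
}

/** Return the session's token, creating a 256-bit random one on first use. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden field to embed in every form that changes state. */
function csrfHiddenField(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="' . $t . '">';
}

/**
 * True only when the submitted token equals the session token. A bare URL
 * or a forged cross-site form cannot know the token, so a direct request
 * to an action script fails here. hash_equals() is constant-time.
 */
function csrfIsValid(array $session, array $post): bool
{
    $expected  = $session[CSRF_SESSION_KEY] ?? '';
    $submitted = $post[CSRF_FIELD_NAME] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Usage in an action script (e.g. change_status.php), before doing any work:
// session_start(); sendAntiClickjackHeaders();
// if (!csrfIsValid($_SESSION, $_POST)) { http_response_code(403); exit('Invalid token'); }
```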
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Could use a time saver here

Post by Klemen »

Just to clarify, I only pay bounties for medium/high threat vulnerabilities with proofs of concept.

A few valid examples for a bounty would include:

- XSS
- SQL injection
- remote code execution
- authentication/authorization bypass
- other things of a similar nature

Generic recommendations (things like entering the old password before changing it, adding mime "nosniff" headers and similar) will not be eligible for a bounty, even if considered good practice.
boionfire81
Posts: 12
Joined: Thu Dec 07, 2017 11:11 am

Re: Could use a time saver here

Post by boionfire81 »

hey..great! But doesn't answer the question. :?
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Could use a time saver here

Post by Klemen »

The one answered in my first reply or some other specific question?
boionfire81
Posts: 12
Joined: Thu Dec 07, 2017 11:11 am

Re: Could use a time saver here

Post by boionfire81 »

Klemen wrote: Fri May 25, 2018 11:18 am Any file can be opened in the browser, but only those in the main folder and in the "admin" folder will be run (the rest will forcefully die). I don't have a list of them all.

If you want to protect access to certain files/folder use for example .htaccess in Apache (Google how to restrict access to files/folders on the server software you use).

Also worth reading: https://www.hesk.com/knowledgebase/?article=82
Obviously, any of them can be pulled through the browser, but the admin folder and the main folder are what I needed to know.

Somewhere things got flipped with your questioning.