thanks for those, I will check them out
I am far from a security expert, but one thing I do on my scripts that process form data is this....before it accepts any post data I have something like this
<?php
// Prevent form script hijack by serving only requests from this domain
$myReferer = "http://mywebsite.com/";
// The Referer header may be absent, so default to an empty string instead of reading an unset index
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
if ($myReferer != $referer) {
    echo "Unauthorized Request";
    die;
}
?>
Just change the $myReferer to your url.
It seems to help with cross site scripting by killing the script if the referral does not come from your domain. Is there a way around this....I dunno.
And I have not really looked at WA's cms code to see if it already has something like this in place, it may....not sure.
Edit... I just did a find and replace search for 'HTTP_REFERER' and didn't find any instances.
so I opened up the WA_Globals file and added this
// Full URL of the form handler; requests whose Referer differs from this are rejected
$mysite = "http://www.mysite.com/myCMSfolder/admin/contents_insert.php";
(you need to edit that to point at your site files)
then I opened contents_insert, and directly below this line
<?php require_once( "../WA_Globals/WA_Globals.php" ); ?>
I added this
<?php
// Only check when the Insert button was actually submitted
if (isset($_POST["Insert_x"])) {
    // The Referer header may be absent, so default to an empty string instead of reading an unset index
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
    if ($referer != $mysite) {
        echo "Unauthorized Request";
        die;
    }
}
?>
I tested it and it seemed to work....I tried to attack it, but it passed my tests
(again..not an expert, lol.. a hacker I am NOT)
you would need to do this again for the contents_update page.
maybe someone will know of a better approach
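Added example, not code from the post above or from WebAssist's CMS: a stricter form of the same referer check. It looks at the Origin header first (browsers send it on POST), falls back to Referer, compares only the host against an allow-list so a full-URL match is not required, and fails closed when neither header is present. The host list and the sample requests are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Return true when the request's Origin (or, failing that, Referer) host is
 * one of $allowedHosts. $server is normally $_SERVER; it is passed in as a
 * parameter so the function can be exercised with constructed input.
 */
function requestIsSameSite(array $server, array $allowedHosts): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null || $source === '') {
        return false;                        // no header at all: fail closed
    }
    $host = parse_url($source, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;                        // e.g. Origin "null" or an unparseable value
    }
    return in_array(strtolower($host), $allowedHosts, true);
}

// Hypothetical host list; replace with the host that actually serves the CMS.
$allowedHosts = ['www.mysite.com'];

// Constructed sample requests used only to demonstrate the function.
$samples = [
    'same site via Origin'  => ['HTTP_ORIGIN'  => 'https://www.mysite.com'],
    'same site via Referer' => ['HTTP_REFERER' => 'http://www.mysite.com/myCMSfolder/admin/contents_insert.php'],
    'other site'            => ['HTTP_REFERER' => 'http://example.org/page.html'],
    'no header'             => [],
    'lookalike host'        => ['HTTP_REFERER' => 'http://www.mysite.com.example.org/'],
];
foreach ($samples as $label => $server) {
    printf("%-22s => %s\n", $label, requestIsSameSite($server, $allowedHosts) ? 'allowed' : 'rejected');
}

// In contents_insert.php the guard would read (assumed placement, directly
// after WA_Globals.php is required):
// if (isset($_POST['Insert_x']) && !requestIsSameSite($_SERVER, $allowedHosts)) {
//     http_response_code(403);
//     echo 'Unauthorized Request';
//     exit;
// }
```

Because both headers are supplied by the client and some browsers or proxies strip Referer, this check is best treated as one layer alongside a per-form token rather than the only protection.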