Location for Traffic tracking on an FW/1 site - coldfusion

I am currently using FW/1 and tracking traffic via the following function call:
this.wsTraffic.add(action =
{
SubSystem = getSubSystem(),
Section = getSection(),
Item = rc.slug != "" ? rc.slug : getItem()
},
isPost = (cgi.request_method == "POST" ? 1 : 0),
http_user_agent = cgi.http_user_agent,
Remote_addr = cgi.remote_addr,
http_referer = cgi.http_referer,
http_accept_language = cgi.http_accept_language,
url_vars = Duplicate(url)
);
Currently it is run in setupRequest() in application.cfc. I have two subsystems: home and admin. home will always have its traffic tracked. Admin will never have its traffic tracked.
I am considering moving the function call to home/layouts/default.cfm because only the home subsystem is tracked. I don't want to move the traffic tracker there because this has nothing to do with layouts.
Where should traffic logging be done on an FW/1 site?

It would be done in setupRequest, (where you are currently doing it).
To avoid it occurring for the Admin subsystem, wrap it in a conditional check for getSubSystem() NEQ 'admin' before running it.
Alternatively, if you foresee adding multiple subsystems with different statuses, you could implement it instead by creating a TrackedSubsystems (or UntrackedSubsystems) item in Variables.Framework, with a list of subsystem names, then check for:
ListFind( Variables.Framework.TrackedSubSystems , getSubSystem() )

Related

How to protect from this (Evilginx)

How to protect from this?
https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/
I have many websites, in many technologies... I need a way to protect.
I'm wondering if there is just something like a check of suspicious IP activities in the aftermath?
Just this? Really?
Can I check my SSL certificate? HSTS? Avoid using nginx from serving my site?
Include something like this on your login page (make sure to set the X-FRAME-OPTIONS header to DENY), changing "Your expected origin" to... well, I'm sure you can figure it out:
var inP = true, t = self, l = "loc" + "ation", o = "o" + "rigin", ex = "Your " + "expected" + " origin", db = document, b = "bod" + "y", h = "in" + "ner" + "HTML";
try {
inP = t[l][o] != ex;
} catch (e) {
inP = true;
}
if (inP) {
db[b][h] = "<p>For security reasons, this site cannot be viewed through a proxy. Please access the site directly at <a href="+ex+" target='_top'>" + ex + "</a>.</p>";
throw new Error("Prevent any other code in this block from running.");
}
It's obfuscated to try and prevent the proxy from noticing what you're doing, but just to be sure, mix it in with some JavaScript vital for the page to run (like one that adds a CSRF token to the login form). That way they can't just block the file. (But randomize the obfuscation to frustrate attempts to filter or parse the file in the proxy).
Add a <noscript> tag explaining that you have to have JavaScript enabled on this page for security reasons.
It's not bulletproof (someone really determined will figure out how to bypass your obfuscation), but it should stop script kiddies who just installed Evilginx from a tutorial.
Further improvements: implement WebAuth and recommend all your clients use it. Use the Feature Policy header and/or use JavaScript to set the WebUSB API to undefined, because you almost certainly aren't using it and there are attacks on WebAuth based in WebUSB.
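Added example, not part of the original answer: the WebAuthn recommendation above holds up against a relaying proxy because the browser writes the origin it actually loaded into the signed clientDataJSON, and the server can reject any other value. EXPECTED_ORIGIN, the hostnames and the challenge are constructed for illustration, and signature verification is assumed to follow this check.

```javascript
// Added example, not from the original answer. All values are constructed.
const EXPECTED_ORIGIN = "https://login.example.com"; // assumed site origin

// base64url helpers (the wire encoding WebAuthn uses for these fields).
const toB64url = (s) => Buffer.from(s, "utf8").toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) => Buffer.from(String(s), "base64").toString("utf8");

// Checks the clientDataJSON of a login assertion. The caller must still
// verify the signature over authenticatorData || SHA-256(clientDataJSON).
function checkClientData(clientDataB64, expectedChallenge) {
  let data;
  try {
    data = JSON.parse(fromB64url(clientDataB64));
  } catch (e) {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data === null || typeof data !== "object") {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data.type !== "webauthn.get") {
    return { ok: false, reason: "wrong ceremony type" };
  }
  if (data.challenge !== expectedChallenge) {
    return { ok: false, reason: "challenge mismatch" };
  }
  // Exact match, no prefix or substring test: the browser fills this field
  // from the page it really loaded, so a relayed login names the relay.
  if (data.origin !== EXPECTED_ORIGIN) {
    return { ok: false, reason: "origin mismatch: " + data.origin };
  }
  if (data.crossOrigin === true) {
    return { ok: false, reason: "assertion made inside a cross-origin frame" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample data: the same challenge answered from two origins.
const challenge = toB64url("constructed-challenge-0001");
const sample = (origin) => toB64url(JSON.stringify(
  { type: "webauthn.get", challenge, origin, crossOrigin: false }));

const direct = checkClientData(sample("https://login.example.com"), challenge);
const relayed = checkClientData(
  sample("https://login.example.com.relay.test"), challenge);
console.log(direct, relayed);
```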

Using wildcard route matching in FW/1

I am trying to use the wildcard match on routes in FW/1 v 3.5.
Application.cfc
component extends="framework.one" {
this.name= "Wildcard7";
variables.framework = {
home = 'main.home',
action = 'fuseaction',
baseURL = 'useCgiScriptName',
trace = isDebugMode()
};
variables.framework.routes = [
{ "main/home" = "main/home"},
{ "*" = "main/404"}
];
}
When I run the page, without specifying an action, I get the main/404 page instead of main/home
How can I get main/404 to run only on invalid pages?
When I run the page, without specifying an action, I get the main/404 page instead of main/home
I assume you are trying to access the page like so - your.domain/index.cfm/main. Note the lack of the home action.
Based on your routes, your first route is saying if the path supplied equals "main/home" then point to the view main/home. If there is an action of home in a main.cfc controller then that will be run prior to rendering the view.
Leaving off the action, home, would not match any of your current routes; resulting in your wildcard catching it. You would need to handle it by including another route like {"main" = "main"}.
UPDATE:
To access main/home from your.domain/index.cfm, you can try passing a route of {"/" = "main/home"}. I would suggest this being above your wildcard and below any other routes to avoid any freak matches.

Image file extension randomly is missing in sitecore

I'm experiencing a strange behaviour in our production servers.
We have three servers and it seems sometimes MediaManager.GetMediaUrl doesn't return the file extension. First I thought one server might have different settings. I compared all the configs on the three servers and they are identical.
Surprisingly, I notice that if I browse the same page from the same server I can replicate the issue.
I checked the value of Media.RequestExtension and for all three it is the same, as follows:
<setting name="Media.RequestExtension" value=""/>
I cannot replicate the issue on any of our environments (local, test, staging).
I added the metatag and hardcoded the server name and I set the Cacheable property of the usercontrol to false, and I'm sure it's not a caching issue.
var images = new List<string>();
var imageField1 = (Sitecore.Data.Fields.ImageField)Sitecore.Context.Item.Fields["og Image1"];
if (imageField1 != null && imageField1.MediaItem != null)
{
var image1Url = MediaManager.GetMediaUrl(imageField1.MediaItem);
images.Add(image1Url);
}
Has anyone experienced the same issue?
Even I have faced this issue of extension in media item urls.
A workaround for this issue would be to make use of the IncludeExtension property of the MediaUrlOptions object.
MediaUrlOptions mediaUrlOpts = new MediaUrlOptions();
mediaUrlOpts.IncludeExtension = false;
Response.Write(MediaManager.GetMediaUrl(item, mediaUrlOpts ));
If you want to always add extension to URL, then set IncludeExtension to true.

Sitecore poll module sample code

I installed and configured the Poll Module to work fine. The website I am working on will have a Poll instance on a page either as a left rail or a right rail item. The Polls would be set up in a separate folder. On the page item there will be a multilist field which will point to the Polls folder and the user can select whichever poll they choose to. The folder will also contain different sublayouts which could be selected to be displayed on the rail. I have some custom code which will look at the above mentioned multilist field and show these rail items.
I don't know how to display a Poll programmatically. I haven't found any code samples and am also not sure where to set the sublayout. Should I set it on the Poll template itself and then use code to display it? How can I achieve this in code? Any code samples would be helpful.
Hoping that you will this time accept the answer, I wrote the following for you (based on the OMS Poll module):
Read out the field on your item:
Sitecore.Data.Fields.ReferenceField selectedPoll = (Sitecore.Data.Fields.ReferenceField)Sitecore.Context.Item.Fields["Poll"];
Get the pollItem:
if (selectedPoll.TargetItem != null)
{
Item pollItem = selectedPoll.TargetItem;
if (pollItem != null)
{
Check if the poll is opened or closed and place:
Sitecore.Data.Fields.CheckboxField pollClosed = (Sitecore.Data.Fields.CheckboxField)pollItem.Fields["Closed"];
if (pollClosed.Checked == false)
{
// Set the header of the snippetBlock
ltPollHeader.Text = pollItem.Name;
PollVotingSublayout pollSublayout = (PollVotingSublayout)LoadControl("/sitecore modules/Shell/Poll Module/Controls/PollVotingSublayout.ascx");
pollSublayout.Attributes.Add("sc_parameters", "PollPath=" + pollItem.Paths.FullPath);
pollSublayout.CurrentPoll = (PollItem)pollItem;
this.pollRegion.Controls.Add(pollSublayout);
phPollSnippet.Visible = true;
int blockPos = 0;
if (snippetField != null)
{
if (snippetField.GetItems().Any())
{
blockPos = 1;
}
}
string cssClass = String.Empty;
if (blockPos == 0)
{
cssClass = "snippetColHomeFirst";
}
this.SetClass("snippetColHome", cssClass);
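} // end if (pollClosed.Checked == false)
} // end if (pollItem != null)
} // end if (selectedPoll.TargetItem != null)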
Hope that you can make up something using these snippets. Good luck!
There should be a user account called "poll" on the sitecore domain. This account is normally used internally by the poll. In the comment of this account is stated: "Please do not remove this account". The account should have the Sitecore Minimal Page Editor role. I don't know the poll user credentials, but you might find that by either using reflector or opening cs files that you can get by downloading the source.

Sitecore Clear Cache Programmatically

I am trying to publish programmatically in Sitecore. Publishing works fine. But doing so programmatically doesn't clear the sitecore cache. What is the best way to clear the cache programmatically?
I am trying to use the webservice that comes with the staging module. But I am getting a Bad Request exception (Exception: The remote server returned an unexpected response: (400) Bad Request.). I tried to increase the service receivetimeout and sendtimeout on the client side config file but that didn't fix the problem. Any pointers would be greatly appreciated.
I am using the following code:
CacheClearService.StagingWebServiceSoapClient client = new CacheClearService.StagingWebServiceSoapClient();
CacheClearService.StagingCredentials credentials = new CacheClearService.StagingCredentials();
credentials.Username = "sitecore\\adminuser"; // backslash escaped; a bare "\a" is the C# alert character
credentials.Password = "***********";
credentials.isEncrypted = false;
bool s = client.ClearCache(true, dt, credentials);
I am using following code to do publish.
Database master = Sitecore.Configuration.Factory.GetDatabase("master");
Database web = Sitecore.Configuration.Factory.GetDatabase("web");
string userName = "default\\adminuser"; // backslash escaped; a bare "\a" is the C# alert character
Sitecore.Security.Accounts.User user = Sitecore.Security.Accounts.User.FromName(userName, true);
user.RuntimeSettings.IsAdministrator = true;
using (new Sitecore.Security.Accounts.UserSwitcher(user))
{
Sitecore.Publishing.PublishOptions options = new Sitecore.Publishing.PublishOptions(master, web,
Sitecore.Publishing.PublishMode.Full, Sitecore.Data.Managers.LanguageManager.DefaultLanguage, DateTime.Now);
options.RootItem = master.Items["/sitecore/content/"];
options.Deep = true;
options.CompareRevisions = true;
options.RepublishAll = true;
options.FromDate = DateTime.Now.AddMonths(-1);
Sitecore.Publishing.Publisher publisher = new Sitecore.Publishing.Publisher(options);
publisher.Publish();
}
In Sitecore 6, the CacheManager class has a static method that will clear all caches. The ClearAll() method is obsolete.
Sitecore.Caching.CacheManager.ClearAllCaches();
Just a quick note, in Sitecore 6.3, that is not needed anymore. Caches are being cleared automatically after a change happens on a remote server.
Also, if you are on previous releases, instead of clearing all caches, you can do partial cache clearing.
There is a free shared source component called Stager that does that.
http://trac.sitecore.net/SitecoreStager
If you need a custom solution, you can simply extract the source code from there.
I got this from Sitecore support. It clears all caches:
Sitecore.Context.Database = this.WebContext.Database;
Sitecore.Context.Database.Engines.TemplateEngine.Reset();
Sitecore.Context.ClientData.RemoveAll();
Sitecore.Caching.CacheManager.ClearAllCaches();
Sitecore.Context.Database = this.ShellContext.Database;
Sitecore.Context.Database.Engines.TemplateEngine.Reset();
Sitecore.Caching.CacheManager.ClearAllCaches();
Sitecore.Context.ClientData.RemoveAll();
The out-of-the-box solution provided by Sitecore to clean caches (ALL of them) is used by the following page: http://sitecore_instance_here/sitecore/admin/cache.aspx and its code-behind looks like the following snippet:
foreach (var cache in Sitecore.Caching.CacheManager.GetAllCaches())
cache.Clear();
Via the SDN:
HtmlCache cache = CacheManager.GetHtmlCache(Context.Site);
if (cache != null) {
cache.Clear();
}