www.FreeGuppY.dk - The Danish website for GuppY CMS
GuppY Ver. 4.5.x - Security &

Corrections that should be applied to skins and plugins,
in GuppY version 4.5 and 4.5.x

Generalities

GuppY version 4.5 received a great deal of attention with respect to security problems. Modifications were made in order to increase GuppY's resistance to attacks by "breakers".

Because of these changes, there are now some incompatibilities with existing skins and plugins.

This note explains the security rules that are applied and the corrections that have to be made to skins and plugins.

Rules
1 - Rule 1

Every site sub-directory (including skins and plugins) must contain an index.php file with this code:

<?php
// Anyone requesting the directory itself is redirected to the site's home page
header("location:../index.php");
exit; // stop here so that nothing else is emitted after the redirect
?>

This file prevents those directories from being browsed, so that nobody can list the files they contain. It does not block a request that names a file inside the directory directly; that case is covered by Rule 2.

GuppY v4.0 already followed this rule almost completely; GuppY v4.5 respects it fully.

2 - Rule 2

All *.php or *.inc scripts that are always called by an include, include_once, require or require_once instruction must be protected from a direct, malicious call. It is recommended to place a header like the following at the top of each such script:

// "Nom du fichier script" stands for this script's own file name (e.g. "functions.php").
// When the script is included normally, SCRIPT_NAME is the including page (e.g. /index.php),
// so the test fails and execution continues; on a direct call it matches and the request is redirected.
if (stristr($_SERVER["SCRIPT_NAME"], "Nom du fichier script")) {
    header("location:index.php");
    die();
}

This header blocks a direct call such as:

http://mon.site.com/inc/functions.php

The « breaker » is then simply sent to the home page.

3 - Rule 3

Before any call to a script file through an include, include_once, require or require_once instruction, the argument used as the « name of the script file » must be checked to be sure that it has not been tampered with.

This check prevents any alteration of the « script file name », for example by typing parameters into the browser's address line. The check can be omitted if it is impossible to modify the argument.

It is recommended to use PHP constants for all values that do not change during the execution of the script.

GuppY v4.5 has replaced most of these « invariable » variables with PHP constants. The best-known and most vulnerable of them is $chemin.

Corrections to be done

1 - Rule 1

We invite the skin and plugin authors to check that there is an index.php file in every directory and sub-directory of their work.


2 - Rule 2

We invite the skin and plugin authors to place the header at the top of all the script files that are always called by an include or require instruction.


3 - Rule 3

The use of PHP constants is the cause of many incompatibilities with skins and plugins.
All the « invariable » variables replaced by PHP constants, except $chemin, must be defined at the beginning of inc/functions.php. We invite the skin and plugin authors to check the use of those « invariable » variables in their work.
The corrections to be made fall into two types:

Use of variables « invariables »

In this case you must use the constant name instead of the corresponding variable name. The variable consists of the character $ followed by a name written in lower case; the corresponding PHP constant has the same name written in capitals (without the initial $). For example, the variable $chemin becomes the constant CHEMIN.

Definition of « invariables » variables

In this case you must replace the variable assignment instruction with the definition of the corresponding constant. For example, the following line:

$chemin = "../../";

must be replaced with:

define("CHEMIN","../../");

Attention: this PHP constant concept does not apply to the configuration variables ($webXXX, $adminXXX, $site[X], etc.).


4 - Consequences of operating with register_globals = Off

GuppY 4.5 can run with the PHP setting register_globals = Off; this can cause problems for some plugins. All plugins that accept data entered through forms, outside the administration scripts, are potentially affected.
The solution consists in including a GuppY script in each plugin's main scripts.
What is a main script? It is a script that is called directly. Such scripts are recognisable because they define the $chemin variable, now the CHEMIN constant.
The solution is to include the following instruction:

include(CHEMIN."inc/includes.inc");

after the definition of the CHEMIN constant and before any other file inclusion.
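The following is an added example, not GuppY code, of a hypothetical plugin main script (plugins/demo/index.php) written to follow Rule 3 (checking the include argument, using the CHEMIN constant) and the register_globals = Off instruction of section 4 above. The view names list.inc and detail.inc are constructed for the example.

```php
<?php
// Added example, not GuppY code: hypothetical plugin main script plugins/demo/index.php.
// Assumed: the plugin's own views live in plugins/demo/list.inc and plugins/demo/detail.inc.

// Rule 3: the invariable path is a PHP constant, not a variable. A constant cannot be
// overwritten by a request parameter, which is what made $chemin vulnerable.
define("CHEMIN", "../../");

// Section 4: with register_globals = Off, a main script includes the GuppY script right
// after CHEMIN and before any other inclusion.
include(CHEMIN . "inc/includes.inc");

// Rule 3 again: an include argument taken from the request must be checked first.
// Pattern the note warns against (shown only for contrast, do not use):
//   include($chemin . "plugins/demo/" . $_GET["view"] . ".inc");
// Here the request value only selects among the plugin's own known scripts.
function demoViewScript($view)
{
    $known = array(
        "list"   => "list.inc",
        "detail" => "detail.inc",
    );
    if (!is_string($view) || !isset($known[$view])) {
        return null; // unknown or tampered value: refuse rather than guess
    }
    return CHEMIN . "plugins/demo/" . $known[$view];
}

$view   = isset($_GET["view"]) ? $_GET["view"] : "list";
$target = demoViewScript($view);
if ($target === null) {
    header("location:" . CHEMIN . "index.php"); // same treatment as Rule 2: home page
    die();
}
include($target);
?>
```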


Date: 08/09/2005 @ 10h03
Last updated: 18/10/2005 @ 23h25
Category: GuppY Ver. 4.5.x
Page read 3154 times

