.
Dear Thorsten Rinne / Development Team
phpMyFAQ allows more than one mode of secure access/communication.
However, reading the code we found many hardcoded "http:" strings.
Are these strings used in HTTP headers that don't allow "https"?
If not, they should change according to the administrator option (HTTP vs HTTPS) and thus be stored in a variable.
Note
Many (but not all) are in phpMyFAQ's bundled (external) components.
Nevertheless, in order to support phpMyFAQ's “secure communication” statement, those files must also be edited.
The attached compressed folder
- phpmyfaq-2-8-3-files-w-hardcoded-http-or-https-20131122.zip
- phpmyfaq-2-8-3-files-w-hardcoded-http-file-list-20131122.txt
- phpmyfaq-2-8-3-files-w-hardcoded-https-file-list-20131122.txt
- phpmyfaq-2-8-3-files-w-hardcoded-http-file+line-w-str-list-20131122.txt
- phpmyfaq-2-8-3-files-w-hardcoded-https-file+line-w-str-list-20131122.txt
Note: the directories (folders) must exist.
List of files containing “http:” or “https:”
grep -r -l -i "http:" . >> /tmp/1/ficheiros-c-http.txt
grep -r -l -i "https:" . >> /tmp/1/ficheiros-c-https.txt
List of files and line(s) with the hardcoded string:
grep -r -i "http:" . >> /tmp/1/ficheiros-c-http+str.txt
grep -r -i "https:" . >> /tmp/1/ficheiros-c-https+str.txt
..
Kind regards
2013-11-20
pt20100201
..
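The audit described in the post above, as an added example that is not part of the original post and not phpMyFAQ code: it creates the report directory itself, records line numbers, and separates lines whose only "http:" occurrences are w3.org namespace/DOCTYPE identifiers from lines that need review. The function names, report file names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for hardcoded "http:" strings (not phpMyFAQ code).

# scan_http SRC OUT: write reports into OUT and print the number of review hits.
# OUT must live outside SRC, otherwise grep would match its own reports.
scan_http() {
    src=$1 out=$2
    mkdir -p "$out" || return 1      # create the report directory if missing
    : > "$out/review.txt"; : > "$out/identifiers.txt"
    # -I skips binary files; ">" truncates, so reruns do not append duplicates
    grep -r -I -l -i "http:" "$src" > "$out/files.txt" || true
    grep -r -I -n -i "http:" "$src" > "$out/all.txt" || true
    # Assumption: http://www.w3.org/ URIs are XML namespace/DOCTYPE identifiers
    # that must stay as written. A line goes to review.txt if any other
    # "http:" remains once those identifiers are masked out.
    awk -v rev="$out/review.txt" -v ids="$out/identifiers.txt" '{
        l = tolower($0); gsub(/http:\/\/www\.w3\.org\//, "", l)
        if (l ~ /http:/) print > rev; else print > ids
    }' "$out/all.txt"
    wc -l < "$out/review.txt" | tr -d ' '
}

# make_sample_tree DIR: constructed sample files, not taken from phpMyFAQ.
make_sample_tree() {
    mkdir -p "$1/tpl"
    printf '%s\n' '<?php $base = "http://faq.example.org/";' > "$1/index.php"
    printf '%s\n' '<html xmlns="http://www.w3.org/1999/xhtml">' > "$1/tpl/page.tpl"
    printf '%s\n' '<svg xmlns="http://www.w3.org/2000/svg"><image href="http://cdn.example.org/a.png"/></svg>' > "$1/tpl/logo.svg"
    printf '%s\n' '<?php echo "no URL here";' > "$1/clean.php"
}

# Demo run on the constructed tree
demo=$(mktemp -d)
make_sample_tree "$demo/src"
echo "lines to review: $(scan_http "$demo/src" "$demo/out")"
cat "$demo/out/review.txt"
rm -rf "$demo"
```

Lines in review.txt are the candidates for a scheme taken from the site's HTTP/HTTPS setting; lines in identifiers.txt are left unchanged.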