Security of a solidres powered website

4 years 9 months ago #14330 by abosaleh
Security of a solidres powered website was created by abosaleh
I have been checking the security of the website powered by the Solidres (hub) version and noticed that some browsers (e.g. Opera) will show a mixed content error, thus blocking some content.
Our website is SSL enabled (using Let's Encrypt).
To further check the website I used this tool: www.whynopadlock.com
This site returned a (Hard Failure) due to a missing CSS file.
Page: templates/luxuria/theme.config.php (luxuria may be replaced with some other Solidres template)
in line No. 113, reading:
$this->addFile('css', 'css:custom.css');
This call is causing the (Hard Failure) reported above. I noticed that this file is missing from the system.
Thus I copied the file custom.css.dist (in the CSS folder) and renamed it to custom.css (although it is a blank file).
And the problem was resolved.
To further inspect for more possible http content, I searched all website files and noticed the following:
No. 1: there are a few external links to outside content using http. An example is using http_://twitter.com instead of "https_://twitter.com".
Also using http_://www.w3.org instead of https_://www.w3.org.
I am not very sure that such referrals could cause any vulnerability, but I think to fully secure the platform one shall make it as perfect as possible.
No. 2: In page: components/com_solidres_views/reservationasset/view.html.php
Line no.: 366 reading:
$this->document->addCustomTag('<meta property="og:url" content="' . JRoute::_('index.php?option=com_solidres&view=reservationasset&id=' . $this->item->id, true, true) . '"/>');
For some reason, the URL returned by that statement is not https (it is http). When hard coding the URL, however, the issue is fixed.
I hope some solution to this case exists and that Solidres team may take care of the issue.


Have a great time

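An added example, not part of the original post and not Solidres code: a small audit of rendered HTML that separates http:// URLs the browser fetches as subresources on an HTTPS page (what mixed-content checks flag) from http:// URLs that are only referenced, such as plain links, XML namespace URIs and og:url meta values. The sample page, the example.test host and all function and class names are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute whose URL the browser fetches while rendering the page.
FETCHING = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
            "video": "src", "source": "src", "embed": "src", "object": "data"}
# <link href> is fetched only for these rel values (not for rel="canonical").
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.loads = []       # http:// subresources: mixed content over HTTPS
        self.references = []  # http:// URLs that are present but not fetched

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        fetch_attr = FETCHING.get(tag)
        if tag == "link" and FETCHING_LINK_RELS & set(a.get("rel", "").lower().split()):
            fetch_attr = "href"
        for name, value in a.items():
            value = value.strip()
            if not value.lower().startswith("http://"):
                continue
            target = self.loads if name == fetch_attr else self.references
            target.append((tag, name, value))

def audit(html):
    """Return (loads, references) as lists of (tag, attribute, url)."""
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.loads, parser.references

# Constructed sample page, not taken from a real Solidres site.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml"><head>
<link rel="stylesheet" href="http://example.test/css/theme.css"/>
<meta property="og:url" content="http://example.test/index.php?id=1"/>
</head><body>
<a href="http://twitter.com/">Twitter</a>
<img src="https://example.test/logo.png"/>
</body></html>"""

if __name__ == "__main__":
    loads, references = audit(SAMPLE)
    for tag, attr, url in loads:
        print(f"MIXED CONTENT  <{tag} {attr}> {url}")
    for tag, attr, url in references:
        print(f"reference only <{tag} {attr}> {url}")
```

Run it against the HTML the site actually serves (saved from the browser or fetched over HTTPS), since URLs generated at runtime, like the og:url value, do not appear in the template source.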

4 years 9 months ago #14334 by solidres
Replied by solidres on topic Security of a solidres powered website
Hi,

This is actually very simple to solve: you can just rename the file custom.css.dist to custom.css and you are done.

Regards,
The following user(s) said Thank You: abosaleh

