Customer Portal

    david fulton
    Important: SEC_* end-user access configuration flags
    Topic posted October 4, 2008 by david fulton, last edited October 29, 2011

    Hi everyone,

     

    An important notification to anyone that uses security flags used to mask end-user access by IP ranges (for internal service implementations etc).

     

    All Customer Portal pages will fail if SEC_VALID_ENDUSER_HOSTS or SEC_INVALID_ENDUSER_HOSTS is set. 

     

    The problem occurs because CodeIgniter deletes all but a protected set of global variables.  The code in init.phph which enforces SEC_VALID_ENDUSER_HOSTS or SEC_INVALID_ENDUSER_HOSTS relies on one of those deleted variables.

     

    Additionally, SEC_VALID_ADMIN_HOSTS isn’t honored for Customer Portal admin pages.  SEC_*_ENDUSER_HOSTS are incorrectly used for all Customer Portal pages, including administrative pages.

     

    Two workarounds exist:

    1)      Unset those config settings.

    2)      Add code to init.phph that assigns $REMOTE_ADDR = $_SERVER['REMOTE_ADDR'].

     

    This is currently being worked for an August '08 service pack and will be rolled out to impacted sites within the next few weeks.
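
The failure mode described in the post above, as an added PHP example that is not RightNow's or CodeIgniter's code: a host check that reads the client address from a plain global loses it once globals outside a protected set are removed, while a check that reads `$_SERVER['REMOTE_ADDR']` keeps working, and admin and end-user pages are checked against their own lists. The function names, the IPv4 CIDR list format and the sample addresses are assumptions made for the illustration.

```php
<?php
// Added example; function names, the CIDR list format and the sample data are assumptions.

// Stand-in for the framework cleanup: remove every global outside a protected set.
function strip_globals(array $protected): void {
    foreach (array_keys($GLOBALS) as $name) {
        if ($name !== 'GLOBALS' && !in_array($name, $protected, true)) {
            unset($GLOBALS[$name]);
        }
    }
}

// Fragile lookup: depends on a plain global that the cleanup removes.
function client_ip_from_global(): ?string {
    return $GLOBALS['REMOTE_ADDR'] ?? null;
}

// Lookup that survives the cleanup: the protected $_SERVER array, validated as an IP.
function client_ip_from_server(): ?string {
    $ip = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Allow only a known IPv4 address inside one of the CIDR ranges (64-bit PHP assumed).
// A missing address is rejected rather than compared as an empty string.
function host_allowed(?string $ip, array $cidrs): bool {
    if ($ip === null || ip2long($ip) === false) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        [$net, $bits] = explode('/', $cidr) + [1 => '32'];
        $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if ((ip2long($ip) & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed configuration and request (documentation-range addresses).
$lists = ['enduser' => ['198.51.100.0/24'], 'admin' => ['192.0.2.10/32']];
$_SERVER['REMOTE_ADDR'] = '198.51.100.7';
$REMOTE_ADDR = $_SERVER['REMOTE_ADDR'];   // plain global copy of the address

strip_globals(['_SERVER', '_GET', '_POST', '_COOKIE', '_FILES', '_ENV', '_REQUEST', 'lists']);

var_dump(host_allowed(client_ip_from_global(), $lists['enduser'])); // address lost with the global
var_dump(host_allowed(client_ip_from_server(), $lists['enduser'])); // end-user page, end-user list
var_dump(host_allowed(client_ip_from_server(), $lists['admin']));   // admin page, its own list
```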

    Comment

     

    • Stdranwl

      Hi Dave,

       

      We have already set SEC_VALID_ENDUSER_HOSTS for one of our interfaces, and now we need to start on CP for the same. As you mentioned, we are not able to see the PHP files in euf folders. If we remove the above setting and set it to blank, then we are able to see the PHP files there.

       

      Is there any other alternative to work around this? If we unset this setting, then the internal purpose for which we set it could not be solved. Any suggestions to work around this? We are using August '08.

      many thanks

       

    • Stdranwl

      Hi there,

       

      Can anybody please reply to me on this?

       

      many thanks

    • Stdranwl

      Hi there,

      I am still looking for a workaround to the problem we were facing in the above thread. We want the setting to be set for IP but want to work on the CP pages.

      many thanks

       

       

       

    • Ernie Turner

      As Dave mentioned above, this fix was service packed into August '08. As long as you received that service pack you should be fine.

    • Stdranwl

      Hi etuner,

      Are you saying we will be able to edit init.phph in that service pack? The first point would not work for us as we want the IP to be set, so the second option is to edit init.phph. Or are you saying that in that service pack we will be able to play with CP files even if the IP config setting is set there?

      Thanks.

       

    • Ernie Turner

      I'm saying that if that service pack has been applied to your site, you don't need to do either of those workarounds. The site should work even if those configs are set.

    • Stdranwl

      Thanks etuner,

      I will check with the service pack for my site.