Thank you for this link. I have read it and I think most of that is already done on my site.
I moved data and lib to the home directory as opposed to the temp folder, and mainfile is 444.
This is what the XOOPS system overview says:
* XOOPS Version: XOOPS 2.3.3
* PHP Version: 5.2.9
* MySQL Version: 5.0.67-community
* Server API Version: cgi-fcgi
* OS Version: Linux
* safe_mode: Off
* register_globals: Off
* magic_quotes_gpc: On
* allow_url_fopen: Off
* fsockopen: On
* allow_call_time_pass_reference: On
* post_max_size: 130M
* max_input_time: 60
* output_buffering:
* max_execution_time: 60
* memory_limit: 64M
* file_uploads: On
* upload_max_filesize: 130M
Does this mean I am now protected against Cross-site scripting (XSS)?
In Protector it says
'XOOPS_TRUST_PATH' :
Check php files inside TRUST_PATH are private (it must be 404,403 or 500 error
If you can look an image -NG- or the link returns normal page, your XOOPS_TRUST_PATH is not placed properly. The best place for XOOPS_TRUST_PATH is outside of DocumentRoot. If you cannot do that, you have to put .htaccess (DENY FROM ALL) just under XOOPS_TRUST_PATH as the second best way.
'register_globals' : off ok
'allow_url_fopen' : off ok
'session.use_trans_sid' : off ok
'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
Go to prefix manager
'mainfile.php' : missing precheck Not secure
You should edit your mainfile.php like written in README.
---------------------------
Obviously I am a noob with this,
I am afraid to change the XOOPS database prefix as the site is already running.
I can't find XOOPS trust path.