| Re: Following Security Advisor instructions in Protector 3.20 |
| by Johnny5Step on 2008/12/1 19:33:16 I will copy the instruction here below that I was given: I have two main questions left at this point. When it says every directory I wish to affect, does that include the ones that were put above (and renamed) the public_html? (I guess that's the Root?) Is the fact that XOOPS is in an oddly named directory inside public_html going to make a difference, or keep me from applying this? Here is the file I was given to edit: Quote: <?php I couldn't find a: php_admin_flag allow_url_fopen off line together so I changed: $parm[] = "register_globals = Off"; $parm[] = "session.use_trans_sid = 0"; to $parm[] = "php_admin_flag = Off"; $parm[] = "register_globals = Off"; The session.use_trans_sid having already been taken care of in another way per Protector's instructions and has a green check by it anyway. I have no idea if that's the correct syntax, but I do want to get it correct before copying it in the hundreds of directories of the XOOPS install, The only other change I made was on the: $customPath = "/home/user/public_html/php.ini"; line, I changed "user" to our user name and added the exact name of the director XOOPS is in between public_html and php.ini: $customPath = "/home/MyUserName/public_html/XoopsDirName/php.ini"; I also wonder if the: if (chmod($customPath,0600)) means I need to chmod the permissions on all the php.ini files that I install in the XOOPS directory and subdirectories to be 600 (if they don't automatically go to that)? Here are the instructions I followed: (I'm leaving out the other parts about deleting a php.ini file and changing it later to add other stuff) Quote: INSTALLING A CUSTOM PHP.INI DIRECTIVE If I am understanding this correctly, this file accesses the main php.ini on the server and modifies only the lines that it contains, and only for the directories and subdirectories that have a copy of it in them? If I put a copy of this into "Root" or "public_html" this would affect the Invision Power Board, the Drupal, the Polls, the Calendars, and other php stuff that are all in there own directories already, in some cases subdirectories? Or maybe not if it was in the "public_html" and then only in the XOOPS main directory and subdirectories? Hopefully this is what you wanted me to post. Thanks, |
| Re: Following Security Advisor instructions in Protector 3.20 |
| by ghia on 2008/12/1 10:15:47 Can you copy these instructions in your post? If you have other php scripts, then these scripts may also be vulnerable to these kind of exploits. Some may also be dependent on the allowance and may no longer function. I believe the php.ini replacement has to be copied in every entry page directory. For XOOPS this would mean every directory with php files (other than class or include, because these can normally not be called directly), such as the root, modules, admin and blocks. You must also understand that Protector and all its security settings and advices gives you not a 100% bullet free solution. It reduces only the risk. So, if this setting is on and not off, you live a little more dangerously (don't ask me for numbers), but it is not likely that your site will die tomorrow. |
| Following Security Advisor instructions in Protector 3.20 |
| by Johnny5Step on 2008/11/30 22:35:09 XOOPS Version: XOOPS 2.3.2 Module Name/Version: Protector 3.2 PHP Version: 5.2.6 MySQL Version: 5.0.67-community Web Server Software: Apache 2.2.9 (Unix) Operating System: Linux Theme you are using: default Custom template: Not at this point A full description of the issue: This was a clean install of XOOPS 2.3.1 and upgrade to XOOPS 2.3.2. I followed the install instructions exactly, all the installs went fine and the portal and admin all seems to be working fine. I have been able to satisfy the Protector 3.20 Security Advisory on 4 of it's 5 warnings. I don't know how severe this security gap is. Though Protector has already logged a couple of attempts of "Guest - CONTAMI - Attempt to inject 'xoopsConfig' was found." and the site's not even really in use yet. The one I can't figure out is this one: Quote:
I did a service ticket to our web host and they said I could add php.ini overwriting files to each folder that would be affected and gave me a txt file of a sample php.ini to edit and instructions on installing it. I have our XOOPS portal in a sub-directory, not the root directory. And have other php programs working on our domain. I don't know if I've edited the overwriting php.ini file correctly and want to determine if I need to put it in all the directories of the XOOPS install, including the ones that are above the public-html level? I am new to Xoops, though I've worked with other php portal type programs. Thanks for any assistance or advice, |