1
m0nty
possible security addition to xoops??
  • 2005/10/31 22:48

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


whilst we're on the subject, how about a few small security additions to the XOOPS installer.

if we add this line to /install/index.php

if (file_exists('../install.lock'))
{
    print "<center>The installer has been locked.  Make sure you haven't installed<br>
this before and re-running it again.</center>";
    exit;
}


this will check for a file called install.lock in the root folder.


then later after the install process has completed, we can add this >

if ($fp = @fopen('../install.lock', 'w'))
{
    @fwrite($fp, 'XOOPS Installed', 29);
    @fclose($fp);
}


this will create a file in the root folder called install.lock



also you could use >

if (@unlink("./index.php"))
{
    print "XOOPS Installed!!<br /><b>The installer index.php file has now been deleted from your server for security reasons</b>";
}
else
{
    print "XOOPS Installed!!<br /><b>Please delete the install folder from your server for security reasons</b>";
}



the above will automatically delete the install/index.php file from the server after installation has completed.
if it can't delete automatically it displays a message asking you to delete it


or you could use this script below to automatically remove the whole install folder & sub folders.

<?php
function rmdirRecursive($path, $followLinks = false) {
    $dir = opendir($path);
    // compare against false so an entry named "0" does not end the loop early
    while (($entry = readdir($dir)) !== false) {
        if (is_file("$path/$entry") || ((!$followLinks) && is_link("$path/$entry"))) {
            echo("unlink $path/$entry;\n");
            unlink("$path/$entry");  // this is the line that does the deleting (comment it out when testing)
        } elseif (is_dir("$path/$entry") && $entry != '.' && $entry != '..') {
            rmdirRecursive("$path/$entry");
        }
    }
    closedir($dir);
    echo "rmdir $path;\n";
    return rmdir($path); // (comment this out when testing)
}
?>

2
ZPC
Re: possible security addition to xoops??
  • 2005/10/31 23:54

  • ZPC

  • Official Support Member

  • Posts: 76

  • Since: 2002/1/16


install.lock is a nice idea, but let's think about some directory which has to be set up for writing before finishing install.

3
m0nty
Re: possible security addition to xoops??
  • 2005/11/1 0:17

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


fair point.

if (!is_writable(getcwd()))
{
    print " Please CHMOD the install folder to <b>777</b>!";
    exit;
}


that checks if it's writable.

of course the install folder if it's 777 could then be removed with the rmdir script above..

but we already have 3 folders that should be 777 anyway or 707 whichever, cache, templates_c and uploads.. the lock file could be written to any of those folders and the scripts above changed accordingly..
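
Added example, not part of m0nty's post or the XOOPS code base: the lock check and lock creation from this thread combined into one guard, with the lock kept in an already-writable folder as suggested above. The helper names and the `<root>/cache` layout are assumptions made for illustration.

```php
<?php
// Added example: helper names are hypothetical; the lock location is an assumption.
declare(strict_types=1);

const LOCK_NAME = 'install.lock';

/** True when a lock file exists in $lockDir. */
function installer_is_locked(string $lockDir): bool
{
    return is_file($lockDir . DIRECTORY_SEPARATOR . LOCK_NAME);
}

/**
 * Create the lock once installation has finished.
 * Mode 'x' creates the file exclusively: fopen() fails if it already exists,
 * so two concurrent installer runs cannot both complete.
 */
function installer_write_lock(string $lockDir): bool
{
    if (!is_dir($lockDir) || !is_writable($lockDir)) {
        return false;
    }
    $fp = @fopen($lockDir . DIRECTORY_SEPARATOR . LOCK_NAME, 'x');
    if ($fp === false) {
        return false;
    }
    $ok = fwrite($fp, 'XOOPS Installed ' . gmdate('c') . "\n") !== false;
    fclose($fp);
    return $ok;
}

// Top of install/index.php: refuse to run once locked.
$lockDir = dirname(__DIR__) . '/cache';   // assumed layout: <root>/install and <root>/cache
if (installer_is_locked($lockDir)) {
    http_response_code(403);
    exit('The installer has been locked.');
}

// ... installation steps run here ...

// Final step: write the lock and report a failure instead of hiding it.
if (!installer_write_lock($lockDir)) {
    echo 'Could not write ' . LOCK_NAME . ' - please delete the install folder manually.';
}
```

A lock file kept in a world-writable folder can be removed by anything able to write there, which re-enables the installer, so deleting the install folder remains the stronger control.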

4
OldFriend
Re: possible security addition to xoops??
  • 2005/11/1 8:33

  • OldFriend

  • Just popping in

  • Posts: 99

  • Since: 2005/10/28


Maybe it's worth having the install finish by deleting the install directory as well (if that's possible).

This little step might have saved the XOOPS community some headaches in the last few weeks.

5
smdcom
Re: possible security addition to xoops??

Thanks for the input m0nty. This is totally a nice idea and should be added to XOOPS installer.

6
JMorris
Re: possible security addition to xoops??
  • 2005/11/1 11:17

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Nice work m0nty!

This looks very promising!

Best Regards,

James
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

7
Goober
Re: possible security addition to xoops??
  • 2005/11/1 11:28

  • Goober

  • Not too shy to talk

  • Posts: 101

  • Since: 2003/3/30


Good idea m0nty! Something à la the way the IPB does it.
Dispelling the Mystical belief of Web Standards and tableless CSS.
Nobody gets excited about the tools used to build a house, people get excited about how the house looks and performs
