1
girrl88
Protector confusion
  • 2006/12/20 5:11

  • girrl88

  • Just popping in

  • Posts: 8

  • Since: 2006/12/16


Hello everyone. I just got the Protector module installed and set up. The confusion is because I'm not understanding what I'm supposed to do now.

The security advisory says

'register_globals' : on Not secure
This setting invites a variety of injecting attacks.
If you can put .htaccess, edit or create...

/home/domain/public_html/xoopsinstall/.htaccess

php_flag register_globals off - I don't have this file. How do I create it? What goes in it, just that snippet?

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators. - I'm confused here, where would this file be located? Is this something that I need to talk to my host about?

'session.use_trans_sid' : on Not secure
Your Session ID will be diplayed in anchor tags etc.
For preventing from session hi-jacking, add a line into .htaccess in XOOPS_ROOT_PATH.
php_flag session.use_trans_sid off - Where am I supposed to put this line?

'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences. Is this the same as the Sanitizing null-bytes setting in the preferences? I don't understand.

~~ At least I managed to edit the mainfile.php by myself

2
MadFish
Re: Protector confusion
  • 2006/12/20 6:06

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


Quote:
/home/domain/public_html/xoopsinstall/.htaccess

php_flag register_globals off - I don't have this file. How do I create it? What goes in it, just that snippet?


Yes, just create a plain text file called .htaccess with that line in it, and save it in the main directory of your website.[/quote]

Quote:
'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators. - I'm confused here, where would this file be located? Is this something that I need to talk to my host about?


Yes.

Quote:
'session.use_trans_sid' : on Not secure
Your Session ID will be diplayed in anchor tags etc.
For preventing from session hi-jacking, add a line into .htaccess in XOOPS_ROOT_PATH.
php_flag session.use_trans_sid off - Where am I supposed to put this line?


Add this as an additional line in the .htaccess file you created above.

Quote:
'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences. Is this the same as the Sanitizing null-bytes setting in the preferences? I don't understand.


Go into the prefix manager area of protector. There you can duplicate your database tables using a different prefix, which makes it harder for people to guess your database structure / intefere with it.

Once you have create the duplicate set of tables, you will need to edit your mainfile.php to use the new set - change the prefix in mainfile to match that of your new tables.

3
irmtfan
Re: Protector confusion
  • 2006/12/20 6:07

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


you can not do much about this.
its all about your server configuration.

about the first three you can contact to your hosting provider.
eg: register_globals = On is not safe.

just about prefix you can change it but it is not very important to security.

4
girrl88
Re: Protector confusion
  • 2006/12/22 6:35

  • girrl88

  • Just popping in

  • Posts: 8

  • Since: 2006/12/16


Thanks so very much.

- This is a big part of why I went with Xoops. A nice helpful forum!

Login

Who's Online

426 user(s) are online (353 user(s) are browsing Support Forums)


Members: 0


Guests: 426


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits