1
sensei88
Re: Protector Module Security Problems
  • 2005/4/19 1:03

  • sensei88

  • Just popping in

  • Posts: 4

  • Since: 2005/4/8 8


....



2
sensei88
Protector Module Security Problems
  • 2005/4/14 6:07



I recently changed servers, and normally I implement the changes proposed by the Protector module in the .htaccess file. My new server, though, edits the .htaccess to comment out my changes, saying:

# For security reasons, mod_php is not used on this server. Use a php.ini file for php directives
# php_flag register_globals off

So I went to my php.ini and changed it to

register_globals = Off
register_argc_argv = Off

I was unable to find anything related to 'allow_url_fopen'.

Now the thing that bothers me is that when I go to my protector module and run the security advisory, it says:

'register_globals' : on Not secure
This setting invites a variety of injecting attacks.
If you can put .htaccess, edit or create...

/home/xxx/public_html/.htaccess

php_flag register_globals off

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.


I know that register_globals is off from running a phpinfo(), so why does it say that it's on? Also, where can I change allow_url_fopen to off in php.ini?



3
sensei88
Re: Hide email from spiders/spam
  • 2005/4/9 19:05



A similar code modification can be made to modules/news/article.php to remove the link to the poster's profile. You could remove the link altogether, or, like the code I will show below, make it so that only users can see the link; anonymous viewers will see just the name.

On line 214, change it to look like this (the added lines are marked with "// added"):

if ( $story['poster'] ) {
    $story['posterid'] = $article->uid();
    if (is_object($xoopsUser)) {    // added: only logged-in users get the profile link
        $story['poster'] = '<a href="'.XOOPS_URL.'/userinfo.php?uid='.$story['posterid'].'">'.$story['poster'].'</a>';
    } else {                        // added
        // added: nothing to do here; anonymous viewers keep the plain poster name with no link
        // (the branch is kept only so the intent is explicit, as I don't like empty brackets)
    }
} else {


Now in testing this I noticed that it only worked when viewing the article itself, so on the main news page where it lists several articles, this doesn't work.

The news_item.html template uses the variable lang_postedby to grab the link to the profile.

index.php under the news module contains a line that passes the poster's profile link to the template,

$xoopsTpl->assign('lang_postedby', _POSTEDBY);

but I can't find where lang_postedby gets assigned. If someone knows, please share. I can just make a change so that it doesn't contain the link portion.



4
sensei88
Hide email from spiders/spam
  • 2005/4/8 9:44



I had searched the support forums high and low for some fix that would block anonymous users (possible spam crawlers) from reading e-mail addresses in the user information section. Even with no anonymous access to the Members module, they were still able to see the e-mail addresses of those who had checked to share their e-mail. What I wanted was for those members to be able to share their e-mail addresses with other members, not with anonymous browsers. To fix this I went into the code of userinfo.php. A rough edit can be made so that only members can view e-mail addresses. Admins/Webmasters of course can still see everyone's email address.

The changes start on line 131 and are marked with "// added".

if (is_object($xoopsUser)) {    // added: anonymous visitors never reach the e-mail logic below
    if ($thisUser->getVar('user_viewemail') == 1) {
        $xoopsTpl->assign('user_email', $thisUser->getVar('email', 'E'));
    } else {
        if (is_object($xoopsUser)) {    // original check; now always true inside the added wrapper
            // All admins will be allowed to see emails, even those that are not allowed to edit users (I think it's ok like this)
            if ($xoopsUserIsAdmin || ($xoopsUser->getVar("uid") == $thisUser->getVar("uid"))) {
                $xoopsTpl->assign('user_email', $thisUser->getVar('email', 'E'));
            } else {
                $xoopsTpl->assign('user_email', '&nbsp;');
            }
        }
    }
} else {                        // added
    $xoopsTpl->assign('user_email', '&nbsp;');    // added: anonymous viewers get a blank field
}


This of course will only hide e-mails on the user's info page. If anyone has put their e-mail address in a forum/news post, it will still be visible to crawlers. In order to avoid this, JavaScript must be used to create encoded mailto: links.

This requires that the person not use the email button in the submit form and that the e-mail address not be included in the description of the link. This site provides an excellent way to create these encrypted links:
http://w2.syronex.com/jmr/safemailto/

HTML also has to be enabled for posts.

I would eventually like to see system-wide email encoding in place where XOOPS uses the JavaScript encoding by default. Also it would be nice if there was an option in the administration menu to turn off the viewing of e-mail addresses by anonymous users instead of the current hack.

If anyone knows of a better way to go about doing this, please share; this is just the quickest and most effective way I have found so far.
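As an added example of the encoded mailto: approach the post recommends (this is not code from the post, from XOOPS or from the syronex tool), the block below uses a token scheme chosen here: the address is reversed, ROT13'd and its '@' replaced by '#', so no plain "x@y.z" string is present in the HTML for a crawler to harvest, and the browser rebuilds the real address only when the script runs. The anchor passed to activateLink is assumed to expose getAttribute, href and textContent, as a DOM anchor does.

```javascript
// Added example, not code from the post or from XOOPS: an encoded mailto: link.
// The page carries only a token (reversed, ROT13'd, '@' -> '#', a scheme chosen
// here); a crawler that does not run JavaScript never sees a usable address.

function rot13(s) {
  return s.replace(/[a-zA-Z]/g, function (c) {
    var base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Authoring-time step (what a safemailto-style generator would do).
function encodeAddress(address) {
  return rot13(address.split('').reverse().join('')).replace('@', '#');
}

// Browser-side step: undo the transformation.
function decodeAddress(token) {
  return rot13(token.replace('#', '@')).split('').reverse().join('');
}

// Markup to paste into a post: the token lives in a data attribute and the
// visible text is a neutral label, so the address appears nowhere in the HTML.
function safeMailtoMarkup(address, label) {
  return '<a href="#" class="safemail" data-m="' + escapeHtml(encodeAddress(address)) +
         '">' + escapeHtml(label) + '</a>';
}

// Run in the browser for each a.safemail: rebuilds the real mailto: target.
// Returns the decoded address so the result can be checked without a DOM.
function activateLink(anchor) {
  var address = decodeAddress(anchor.getAttribute('data-m'));
  anchor.href = 'mailto:' + address;
  anchor.textContent = address;
  return address;
}

if (typeof document !== 'undefined') {
  Array.prototype.forEach.call(document.querySelectorAll('a.safemail'), activateLink);
}
```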



