11
DonXoop
Re: Security Bug

It isn't a problem unless you have users with shell access that can navigate to the file. The file won't show any text if called from a browser.

Several things you can do to add more protection.
. Change the ownership of the file or rights so that only the web server user can read the file.
. Encode the file with a PHP encoder. It can then only be read by PHP that has the same decoder.
. Disallow access to mainfile.php in Apache:

Order allow,deny
Deny from all


Even if you don't do these steps and only do what the Install suggests you shouldn't have a problem. I go a few steps further. And yes I've had a few attempts to call mainfile.php. Instead of a blank screen that would normally be given they got a 403 forbidden error.

12
kahumbu
Re: Security Bug
  • 2004/2/2 14:58

  • kahumbu

  • Documentation Writer

  • Posts: 277

  • Since: 2003/8/23


The XOOPS Core Team probably knows of this already, but just in case they don't, here's a security bug reported by Security Tracker.

http://securitytracker.com/alerts/2004/Jan/1008849.html

Thanks!

Login

Who's Online

355 user(s) are online (292 user(s) are browsing Support Forums)


Members: 0


Guests: 355


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits