1
joostmusic
XOOPS & Security
  • 2004/8/26 10:11

  • joostmusic

  • Just popping in

  • Posts: 9

  • Since: 2004/8/26


Hi all.

I've been experimenting with XOOPS for about a week now and generally I like what I see. I do have some common questions about security, though. The first question is quite general; the other questions are more about the different download modules and the way they link to content.

1. How much risk remains in leaving several of the folders in the homedir (such as uploads, templates_c) world-writable? Can people in any way damage the contents of such a folder (i.e. delete files) by using just HTML or PHP? Can people upload files while circumventing the whole XOOPS PHP system? And what about the security of the MySQL database?

2. In all download modules I've seen so far there is not really any explanation of how files that are only available for download by certain members (i.e. wfDownloads, wmpDownloads) are secured against people typing the direct link into the URL bar. I've tested it, and what I already thought turned out to be true: the files are directly downloadable. The easy protection is never to expose the real URL anywhere and maybe hide downloads by placing them somewhere like /ergaegae/super/secret/download/folder/file.zip, but maybe someone knows of more radical solutions, like having XOOPS work with .htaccess files? Can anyone enlighten me?

By the way, I'm just as happy with links to more elaborate resources which I can dig into myself as with full answers in this forum. I don't want to be the newbie who asks the same question for the zillionth time. ;)

Take care,

J.

2
Mithrandir
Re: XOOPS & Security

Three folders in XOOPS must be writable: cache, uploads and templates_c. If anyone should manage to remove the content of the cache and templates_c folders, no harm is done - it will be re-created from the database. The uploads folder is a bit different, as smileys, ranks and images uploaded through the image manager land here.

In general it should be impossible to upload files to the uploads folder without using either
a) an FTP connection to your webserver, or
b) existing PHP, CGI or similar scripts on your webserver.

I cannot enlighten you much on .htaccess etc. as it is outside my area of expertise.

3
DonXoop
Re: XOOPS & Security

I'll add that .htaccess is useful and works if your Apache is set to allow it. It has nothing to do with XOOPS and is an Apache thing, but it is useful for specific tweaks you might desire.

It is indeed very difficult to overwrite the 777 directories from existing code. If you have other code available, or other sites on the server, or are on a host that is vulnerable to root attacks, you could have trouble like any site would, but that isn't related to XOOPS.

I suggest keeping the backend as secure as possible: things like using minimal file rights, PHP register_globals OFF, secure admin passwords, secure MySQL rights, and of course a firewall. The usual security.

Watch the logs and note any unusual activity. Crackers will come by and try things.
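The .htaccess lock-down and the minimal-file-rights advice from the two replies above, as an added shell example that is not from this thread and not part of XOOPS or any download module: it writes a deny-all .htaccess into an assumed member-only folder (uploads/protected is a made-up name, not a XOOPS convention), drops that directory to owner-only rights, and audits a tree for the 777 directories DonXoop mentions. Files behind the deny rule then have to be streamed by a PHP script that checks the visitor's group before reading them; whether a given download module does that is not something the example can settle. The rule only takes effect where the Apache vhost has AllowOverride enabled for the path, which is DonXoop's "if your Apache is set to allow it" caveat.

```shell
#!/bin/sh
# Added example (not from the thread): deny direct HTTP access to a member-only
# download folder under a XOOPS "uploads" directory, and find world-writable
# directories. All paths here are assumptions for illustration.

# Write an .htaccess that makes Apache refuse to serve anything from DIR.
# Emits both Apache 2.4 (Require) and 2.2 (Order/Deny) syntax so the file works
# on either version. Requires AllowOverride for this path in the vhost config.
deny_web_access() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Direct HTTP access denied. Files in this folder are handed out only by a PHP
# script that checks the visitor's XOOPS group membership first.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    # Owner (the web server user) may read, write and traverse; group may read
    # and traverse; others get nothing. This is the "minimal rights" alternative
    # to a blanket 777.
    chmod 0750 "$dir"
    chmod 0640 "$dir/.htaccess"
}

# Print every directory under ROOT whose "other write" bit is set (the 777
# case). Returns 1 if at least one was found, 0 if the tree is clean, so it can
# be used as a check in scripts or cron jobs.
find_world_writable_dirs() {
    root="$1"
    found=$(find "$root" -type d -perm -002 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demo on a scratch tree so the script is safe to run anywhere:
#   sh harden_uploads.sh --demo
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/uploads" "$base/templates_c"
    chmod 0777 "$base/templates_c"            # the over-permissive case
    deny_web_access "$base/uploads/protected"
    echo "world-writable directories under $base:"
    find_world_writable_dirs "$base" || echo "(fix these with chmod 0750 or 0775 + correct owner)"
    rm -rf "$base"
}

[ "${1:-}" = "--demo" ] && demo
```

The audit deliberately flags directories rather than fixing them: on a shared host the right owner and group for cache, uploads and templates_c depend on how PHP runs (as the site user under suEXEC/FastCGI, or as the Apache user under mod_php), so the correct replacement for 777 is usually 0775 with the right group, not a blanket chmod.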
