Hi all.
I've been experimenting with XOOPS for about a week now and generally I like what I see. I do have some common questions about security, though. The first question is quite general; the other questions deal more with different download modules and the way they link to content.
1. How much risk remains in leaving several of the folders in the homedir (such as uploads, templates_c) world-writable? Can people in any way damage the contents of such a folder (i.e. delete files) by using just HTML or PHP? Can people upload files while circumventing the whole XOOPS PHP system? And what about the security of the MySQL database?
2. In all download modules I've seen so far there is not really any explanation of how files that are only available for download to certain members (i.e. wfDownloads, wmpDownloads) are secured against people typing the direct link into the URL bar. I've tested it, and what I already thought was true: the files are directly downloadable. The easy security measure is never to expose the real URL anywhere and maybe to hide downloads by placing them somewhere like /ergaegae/super/secret/download/folder/file.zip, but maybe someone knows of more radical solutions, like having XOOPS work with .htaccess files? Can anyone enlighten me?
By the way, I'm just as happy with links to elaborate resources that I can dig into myself as with full answers in this forum. I don't want to be the newbie who asks the same question for the zillionth time. ;)
Take care,
J.
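The "more radical solution" asked about in question 2 is the usual pattern: keep the files somewhere Apache will not serve directly (a directory outside the document root, or a directory in the web root whose .htaccess contains `Deny from all` on Apache 2.2 or `Require all denied` on Apache 2.4), and hand them out only through a PHP gateway that checks the session before streaming the bytes. The script below is an added example written for this thread; it is not code from the original post or from any XOOPS download module. The directory path, the session key `xoopsUserId` and the `file` query parameter are assumptions, and it targets PHP 8.0 or later.

```php
<?php
// Added example (not from the original post or any XOOPS module): a minimal
// member-only download gateway. The real files live in DOWNLOAD_DIR, which
// Apache never serves directly, so guessing the URL of a file gains nothing.
declare(strict_types=1);

// Hypothetical paths and session key; adjust to the real installation.
const DOWNLOAD_DIR      = '/var/www/private_downloads'; // NOT under the document root
const SESSION_USER_KEY  = 'xoopsUserId';                // assumed key set at login

/**
 * Resolve a requested filename inside $baseDir.
 * Returns the absolute path of an existing regular file, or null if the
 * request is not a plain filename or escapes the base directory.
 */
function resolve_download(string $baseDir, string $requested): ?string
{
    // Only bare filenames are accepted: no slashes, no "..", no NUL bytes.
    if ($requested === '' || $requested !== basename($requested) || str_contains($requested, "\0")) {
        return null;
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $path === false) {
        return null;
    }
    // realpath() followed symlinks; confirm the target still sits inside $root.
    if (!str_starts_with($path, $root . DIRECTORY_SEPARATOR) || !is_file($path)) {
        return null;
    }
    return $path;
}

/** Send a plain-text error and stop; nothing about the file store is revealed. */
function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

session_start();

// 1. Authentication: only a logged-in member gets past this point.
if (empty($_SESSION[SESSION_USER_KEY])) {
    deny(403, 'Login required');
}

// 2. Input validation: the URL names a file, never a path.
$path = resolve_download(DOWNLOAD_DIR, (string) ($_GET['file'] ?? ''));
if ($path === null) {
    deny(404, 'No such download');
}

// 3. Stream the file under a sanitised name; the storage location stays hidden.
$downloadName = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The check in `resolve_download()` is the part that matters once the directory is no longer reachable by URL: without it, a request such as `?file=../../etc/passwd` would turn the gateway into an arbitrary-file read. If the files must stay under the web root (as a world-writable `uploads` folder usually does), the same .htaccess that denies direct access should also switch off PHP execution there (`php_flag engine off` on mod_php setups, or a `FilesMatch` block that refuses `.php`), so that anything a user manages to upload is only ever served back as data by this script, never executed.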