1
JMorris
A small suggestion :: Security
  • 2005/7/31 15:47

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


A small suggestion for developers, theme designers and end users alike...

In every directory where there is *not* an index.php file, upload a file named index.html with the following line in it.

<script>history.go(-1);script>


After MyWebResource was hacked, I discovered that cPanel had this nice little feature to manage Apache indexes. The problem is, by default, this feature is set to fancy indexing. This basically means that if you do not have a index.* in every folder, Apache will generate one for you, thus allowing anyone in the world to browse the folder structure of your site. NOT GOOD!

I am in the process of uploading the index.html file I mentioned above into every folder that does not have a index.php, on every site, for every client. As you can imaging, this is a very time consuming process. While doing so, I've noticed that A LOT of modules do not have this file included. Even some parts of the core do not have this file.

My suggestion/request is that all developers, theme designers and end users alike include this file in your directories.

I may just be p@r@n01d, but hey, If you're not p@r@n01d, your're not paying attention.

/2 cents

Best Regards,

JMorris
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

2
-DJNZ-
Re: A small suggestion :: Security
  • 2005/7/31 16:22

  • -DJNZ-

  • Just popping in

  • Posts: 30

  • Since: 2005/1/11


.. or alternatively just put Options -Indexes in an .htaccess file in your web root.

3
JMorris
Re: A small suggestion :: Security
  • 2005/7/31 16:28

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Quote:

-DJNZ- wrote:
.. or alternatively just put Options -Indexes in an .htaccess file in your web root.


Alternatively... No. In addition to... YES.

I noticed that GIJOE, and many other Chinese developers uses a very nice approach. In directories where users do not need to browse, they include a .htaccess file AND a index.html file. Others, they just include the index.html file if there is no index.php.

The .htaccess file they include has the following:
order deny,allow
deny from all


Better to be safe than sorry, right?

/2 cents

Best Regards,

JMorris
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

4
ebayti
Re: A small suggestion :: Security
  • 2005/8/2 6:17

  • ebayti

  • Just popping in

  • Posts: 10

  • Since: 2005/7/28


Thank you for the posting, i will be doing whats required immdiately.

Regards,

eBayti

5
Vahrokh
Re: A small suggestion :: Security
  • 2005/8/2 8:18

  • Vahrokh

  • Just popping in

  • Posts: 16

  • Since: 2005/1/17


Quote:

After MyWebResource was hacked, I discovered that cPanel had this nice little feature to manage Apache indexes. The problem is, by default, this feature is set to fancy indexing. This basically means that if you do not have a index.* in every folder, Apache will generate one for you, thus allowing anyone in the world to browse the folder structure of your site. NOT GOOD!

....

I may just be p@r@n01d, but hey, If you're not p@r@n01d, your're not paying attention.

/2 cents

Best Regards,

JMorris


While I agree that placing such files is a good practice, I don't agree when you make il look like they are needed for site security nor I agree that letting people browse the folder structure of the site should make throw a fit.

If you set the right permissions for the few sensitive folders, you are set (yet, put those index and .htaccess in _every_ 777 flagged folder - they are possible open holes already even after that). Either the curious "digging" user will see nothing (when opens a PHP file -> Apache executes them, not show the source) or will see some random picture he'd see browsing the site anyway.

Of course security by obfuscation helps, but it's not enough. You may place every index.html and .htaccess in the world but if you don't protect the sensitive folders with true system rights anyone knowing how XOOPS works can attempt breaking into your site.

This is the only thing I never liked of XOOPS and other easy to install portals, too often the modules want for you to create 777 flagged folders and then slap stuff inside them. After some time installing and uninstalling stuff, the amount of freely accessible folders tends to grow, and the more the worse.
And if you get co-workers or consultants working on the site, they very easily tend to mess with freely accessible folder rights the first time they get some access denied developing their stuff.

6
JMorris
Re: A small suggestion :: Security
  • 2005/8/2 10:40

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


I agree that folder permissions should be properly set and that apache will parse the php files, thereby revealing nothing. However, what happens when an inexperienced sysadmin messess up php and php files are no longer parsed? Your entire config is left for the world to see. Also, ever use wget or Lynx? With carefully crafted syntax, you can download an entire site without parsing php files.

I've found that in many situations, 777 is too liberal. I'm currently operating several sites with 775 for cache, templates_c, and uploads without any adverse effects. Since the scripts run as the user/group, the world writable permissions are not neccessary. Another step I'm taking is moving the database details out of mainfile.php and placing them outside the web root. That way if a skilled Linux user trys to mirror my site to local disk to attempt to get my DB details, they will only get variables.

Please re-read the title of this thread "A small suggestion :: Security". These are only suggestions. Take them or leave them, your choice.

XOOPS is by far the most secure CMF/CMS I've ever used, but nothing is 100% secure, and their is always room for improvement.

Just my 2 cents.

Best Regards,

James
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

7
davidthomas1
Re: A small suggestion :: Security

BTW: I believe GI-JOE is Japanese, not Chinese

Quote:

I noticed that GIJOE, and many other Chinese developers uses a very nice approach. In directories where users do not need to browse, they include a .htaccess file AND a index.html file.


but we're all one at the end of the day
みんなちがってみんないい。

XOOPS 2.0.13.2

8
JMorris
Re: A small suggestion :: Security
  • 2005/8/2 21:24

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Quote:

davidthomas1 wrote:
BTW: I believe GI-JOE is Japanese, not Chinese

Quote:

I noticed that GIJOE, and many other Chinese developers uses a very nice approach. In directories where users do not need to browse, they include a .htaccess file AND a index.html file.


but we're all one at the end of the day


My most sincere apologies. No disrespect intended.

Best Regards,

James Morris
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

9
davidthomas1
Re: A small suggestion :: Security

Hey no worries,

Of course, Chinese and Japanese people are equally respectable and all are kindly producing excellent open-source software for the general population. I just wanted to point it out as a matter of fact.

It's no big deal

good on ya.

anyway, sorry for getting off topic.

The security question is of course important. In my case, Cpanel has an 'Index Manager' that allows one to turn off indexing for folders that lack and index file.

I imagine it wouldn't be too difficult to write a php script that crawls your website and checks for index files. If there's not one there already, it will create one and write it to the folder. It's probably already been done.

anyway, all the best

D.
みんなちがってみんないい。

XOOPS 2.0.13.2

10
JMorris
Re: A small suggestion :: Security
  • 2005/10/31 22:06

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


:: Bump due to recent events ::

Until we can get a security guide together, there are a few tips in this thread that help increase your site's security.
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.

Login

Who's Online

445 user(s) are online (366 user(s) are browsing Support Forums)


Members: 0


Guests: 445


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits