A small suggestion for developers, theme designers and end users alike...

In every directory where there is *not* an index.php file, upload a file named index.html with the following line in it.



After MyWebResource was hacked, I discovered that cPanel had this nice little feature to manage Apache indexes. The problem is, by default, this feature is set to fancy indexing. This basically means that if you do not have a index.* in every folder, Apache will generate one for you, thus allowing anyone in the world to browse the folder structure of your site. NOT GOOD!

I am in the process of uploading the index.html file I mentioned above into every folder that does not have a index.php, on every site, for every client. As you can imaging, this is a very time consuming process. While doing so, I've noticed that A LOT of modules do not have this file included. Even some parts of the core do not have this file.

My suggestion/request is that all developers, theme designers and end users alike include this file in your directories.

I may just be p@r@n01d, but hey, If you're not p@r@n01d, your're not paying attention.

/2 cents

Best Regards,

JMorris

.. or alternatively just put Options -Indexes in an .htaccess file in your web root.

Quote:

Alternatively... No. In addition to... YES.

I noticed that GIJOE, and many other Chinese developers uses a very nice approach. In directories where users do not need to browse, they include a .htaccess file AND a index.html file. Others, they just include the index.html file if there is no index.php.

The .htaccess file they include has the following:


Better to be safe than sorry, right?

/2 cents

Best Regards,

JMorris

Thank you for the posting, i will be doing whats required immdiately.

Regards,

eBayti

Quote:

While I agree that placing such files is a good practice, I don't agree when you make il look like they are needed for site security nor I agree that letting people browse the folder structure of the site should make throw a fit.

If you set the right permissions for the few sensitive folders, you are set (yet, put those index and .htaccess in _every_ 777 flagged folder - they are possible open holes already even after that). Either the curious "digging" user will see nothing (when opens a PHP file -> Apache executes them, not show the source) or will see some random picture he'd see browsing the site anyway.

Of course security by obfuscation helps, but it's not enough. You may place every index.html and .htaccess in the world but if you don't protect the sensitive folders with true system rights anyone knowing how XOOPS works can attempt breaking into your site.

This is the only thing I never liked of XOOPS and other easy to install portals, too often the modules want for you to create 777 flagged folders and then slap stuff inside them. After some time installing and uninstalling stuff, the amount of freely accessible folders tends to grow, and the more the worse.
And if you get co-workers or consultants working on the site, they very easily tend to mess with freely accessible folder rights the first time they get some access denied developing their stuff.

I agree that folder permissions should be properly set and that apache will parse the php files, thereby revealing nothing. However, what happens when an inexperienced sysadmin messess up php and php files are no longer parsed? Your entire config is left for the world to see. Also, ever use wget or Lynx? With carefully crafted syntax, you can download an entire site without parsing php files.

I've found that in many situations, 777 is too liberal. I'm currently operating several sites with 775 for cache, templates_c, and uploads without any adverse effects. Since the scripts run as the user/group, the world writable permissions are not neccessary. Another step I'm taking is moving the database details out of mainfile.php and placing them outside the web root. That way if a skilled Linux user trys to mirror my site to local disk to attempt to get my DB details, they will only get variables.

Please re-read the title of this thread "A small suggestion :: Security". These are only suggestions. Take them or leave them, your choice.

XOOPS is by far the most secure CMF/CMS I've ever used, but nothing is 100% secure, and their is always room for improvement.

Just my 2 cents.

Best Regards,

James

BTW: I believe GI-JOE is Japanese, not Chinese

Quote:

but we're all one at the end of the day

Quote:

My most sincere apologies. No disrespect intended.

Best Regards,

James Morris

Hey no worries,

Of course, Chinese and Japanese people are equally respectable and all are kindly producing excellent open-source software for the general population. I just wanted to point it out as a matter of fact.

It's no big deal

good on ya.

anyway, sorry for getting off topic.

The security question is of course important. In my case, Cpanel has an 'Index Manager' that allows one to turn off indexing for folders that lack and index file.

I imagine it wouldn't be too difficult to write a php script that crawls your website and checks for index files. If there's not one there already, it will create one and write it to the folder. It's probably already been done.

anyway, all the best

D.

:: Bump due to recent events ::

Until we can get a security guide together, there are a few tips in this thread that help increase your site's security.