now you sound like a politician

Herko

WarDick:

If you want to offer some insight beyond your brilliant contributions so far, do so. Otherwise, please move on.

The contributors to this thread have no vested stake in being a politician. In fact, several of them give there time freely and in abundance to make XOOPS happen. You, on the other hand, seem content to make potshots.

You offer no support for your point of view, and demonstrate no knowledge that indicates that you know what the #%$ you're talking about. So, please, leave this thread for those who are trying to learn, clarify, or fix.

@chappy

Quote:

Calm down padre. Or is a chaplin a padre? Oh well.
Or just an insurance peddler?

1. In fact it is not necessary to run your site with templates_c with permission set to world writable.

2. I have a fairly high traffic site. I do not use caching.

3. Limit uploads to ftp until a better solution can be worked out.

4. Many heads are better than one. Let's discuss this like adults. I am sure that a simple solution can be synthesized.

5. We owe it to the users of our web sites to fix the problems. Loading trojans onto there computers with a simple visit to our site is unacceptable.

Attack me if you must.

Quote:
Quote:
Quote:
Quote:
Quote:

Struggling with non-sequiturs, are we?

This thread was started before your involvement by people trying to find out what fixes are available, if any, and at what cost (without any accusations, I might add). It has all been geared towards any simple solution that can be found. Discussion has also gone on behind the scenes to further clarify what is possible. It has been a civil discussion, without accusing anyone of bad motives. I don't think that anyone represented in this thread wants to download trojans, hence the existence of the thread. So your accusations are out of place, thus the tone of my response.

I do, however, appreciate that the option you have chosen to limit the possibility of an attack is to turn off caching and change the perms of templates_c (You did turn off some of the other directories' write perms as well, didn't you?). If that works for you, I'm glad. And, it is, at the least, an choice that others could consider.

So, in the spirit of discussing this like adults, thanks for that information.

templates_c is the folder where the compiled templates are stored, and action that needs to be performed by the system whether you have caching turned on or not. And not all servers are setup to require the folder to be world writable, but most are. You may just be lucky (because you have a dedicated server, perhaps).

Using FTP to write data to files is not possible, because of the limitations of FTP, and that would seriously slow down any XOOPS site. And I mean seriously, because creating an ftp connection, logging in, vefifying the path, uploading the changed file to the system (what file? the system can't generate any!), all that would, if at all possible, take way too long, and render XOOPS uttely useless.

Again, if you're looking for a completely safe solution, use static HTML and a local editor to manage the site. It works very well and is very safe (and fast). So it's not that a solution isn't provided, but it may not be what you want to hear.

And this is only a problem when the user running the apache server is not the same one as the user who owns the files. So if you say it's BS, you havent really read the posts and are takinga very narrowminded view of the issue. Check if your situation fits the profile of the 2 users. If not, then you're trying to make a fuss out of nothing, as you don't even have the problem.

Herko

Actually I am on a shared server just like most of the people here. Many are on the same host. Most are configured the same. The only time templates_c is written to is when you install or update a modules. I examined mine and it gets updated very seldom.

Yep you are right it has nothing to do with caching. One of the requirement at install is to set caching to 777 if you do not use caching then this hole is not there.

FTP to upload pictures or files for attachment. Are you really an XOOPS user?

The fuss is that all XOOPS sites on shared servers are capable of placing trojans on a visitors site. Without either the webmaster or the visitor having any knowledge of it. You are taking this much too lightly. This is serious.
If caring about the reputation of XOOPS is narrowed minded then I am guilty. I have a large user base, a large client base. Yes I am concerned.

Richard... it's NOT that 'XOOPS sites are capable of putting a trojan on a visitors computer' but that ALL scripts that require a world writable folder (and there are many of those, all PHP CMS's, for instance, but many other interpreted language scripts as well like ASP, COldfusion etc.) are capable of doing this IF the server is configured as described before.

So, you're addressing a global server config issue here at the XOOPS forums that ha very little to do with XOOPS itself.

As for templates_c, yes it is only updated when you install or update a module. You could switch access modes to have a non-writable folder while this isn't necessary. That will help you protect that folder. And if you don't cache anything, you only have to make that folder writable when you install a module as well (because of the adminmenu.php file that gets updated then). These are actions you as a webmaster can take to prevent misuse of your account. This is not something the XOOPS script can take care of.

So security tips are good, but look for real answers in the right direction, which is as Skalpa stated, your hosting provider. By useing the described setup they knowingly and willingly allow the world writable folder requirement for the use of many scripts, and never gave any warning of this kind of misuse. Plus, the trojan script is a new method, so it wasn't an issue before. But youre right, it is now, and it is serious. Talk to your host about it.

Herko

I believe that it can be solved at the XOOPS level. But of coarse if you think not well I guess you know it all?

Random database prefixes worked well. I think a step in the right direction would be prefixs for folder and files. If you don't know where to put it you can't hack it.

Richard,

How would you suggest this can be arranged in XOOPS? As for the folders that are not visible to the user this is a good idea in theory. How would you handle the uploads folder? It is always visible in the source code and thus any visitor can find out the name of this folder (which has lower protection).