41
WarDick
Re: Norton detected virus on my XOOPS site
  • 2005/8/7 9:58

  • WarDick

  • Just can't stay away

  • Posts: 890

  • Since: 2003/9/13


As you can see above my quick fix is to only allow uploads by ftp until we can sort this out. I believe that the prefix could be added to the file name before writing to the file. Example would be to strip the prefix before display and then appending it before writing.
Urging XOOPS to be the Best It Can Be.
Richard......

42
Dave_L
Re: Norton detected virus on my XOOPS site
  • 2005/8/7 10:02

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:

WarDick wrote:
Random database prefixes worked well. I think a step in the right direction would be prefixs for folder and files. If you don't know where to put it you can't hack it.


You should be able to add prefixes for the /templates_c, /cache and /uploads directories by modifying these statements in include/common.php, assuming the names aren't hardcoded anywhere else:

define("XOOPS_CACHE_PATH"XOOPS_ROOT_PATH."/cache");
define("XOOPS_UPLOAD_PATH"XOOPS_ROOT_PATH."/uploads");
define("XOOPS_COMPILE_PATH"XOOPS_ROOT_PATH."/templates_c");
define("XOOPS_UPLOAD_URL"XOOPS_URL."/uploads");

43
wtravel
Re: Norton detected virus on my XOOPS site

Would using a .htaccess file be an option for the uploads folder? For example:

yoursite.com/uploads/image_123.jpg is translated to:

yoursite.com/real_uploads/image_123.jpg

You can make the real_uploads folder available for uploads in that case, since the webmaster is the only one who knows which is the real upload folder.

Of course you will need to change a few parameters to manage this.

44
WarDick
Re: Norton detected virus on my XOOPS site
  • 2005/8/7 10:20

  • WarDick

  • Just can't stay away

  • Posts: 890

  • Since: 2003/9/13


@ Dave_L

Yes It works perfect in 2.2

@ wtravel

I'll try it now

Hey Guy's thank you so much!

I think I can sleep easier now.
Urging XOOPS to be the Best It Can Be.
Richard......

45
Dave_L
Re: Norton detected virus on my XOOPS site
  • 2005/8/7 10:24

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


wtravel:

Since the uploads directory, unlike the cache and templates_c directories, has to be accessed by URL, I don't think there's a completely effective way of hiding it.

Personally, I don't like user-uploaded files being immediately accessible by other users. If it were up to me, I would have user uploads go to a "secret" incoming directory, which is not accessible from a browser. After the upload is approved, it would be moved to a web-accessible directory.

46
WarDick
Re: Norton detected virus on my XOOPS site
  • 2005/8/7 10:30

  • WarDick

  • Just can't stay away

  • Posts: 890

  • Since: 2003/9/13


@ Dave_L

I like that thought. Would it work if the upload directory were writeable but not executable?
Urging XOOPS to be the Best It Can Be.
Richard......

47
wtravel
Re: Norton detected virus on my XOOPS site

Dave, that sounds even better. Probably the folder where eventually the uploaded files will be available to the web needs to have lower security as well, since you will need to place the copied files there programmatically.

If a solution using .htaccess would work, you could use a combination of a virtual folder and a more secure uploads management (by requiring approval of uploaded files).

48
Dave_L
Re: Norton detected virus on my XOOPS site
  • 2005/8/7 10:40

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Richard:

Hmmm ... I don't think so. If a directory is not "executable", you can't access it as a directory to place files in it.

wtravel:

Actually, it would be possible to hide the uploads directory. Instead of having URLs that directly access files in that directory, the URLs could run a script that reads a file from the "hidden" uploads directory and outputs it, with the proper MIME content header, to the browser. But there's a performance penalty, possible a severe one, since that script would have to be executed frequently, and the files wouldn't be cacheable by the browser. There might also be platform-dependencies.

I experimented with that approach for an earlier script that I wrote. I used the method for "downloads" such as .zip files, but decided it was too costly for more frequently accessed files such as images.

49
WarDick
Re: Norton detected virus on my XOOPS site
  • 2005/8/7 10:49

  • WarDick

  • Just can't stay away

  • Posts: 890

  • Since: 2003/9/13


This also works in 2.0.13
Urging XOOPS to be the Best It Can Be.
Richard......

50
pabriz
Re: Norton detected virus on my XOOPS site
  • 2005/8/13 0:42

  • pabriz

  • Just popping in

  • Posts: 5

  • Since: 2005/8/11


Hi, have you found the bug yet? Is there a patch to fix it?

Regards,

Pablo

Login

Who's Online

180 user(s) are online (79 user(s) are browsing Support Forums)


Members: 0


Guests: 180


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits