1
technobia
Protector Module Security Advisories
  • 2006/9/21 14:55



I have a couple of Protector module security advisories I am not sure how to resolve.

ITEM 1
'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.

I edited my php.ini (PHP 5.1.6). I found allow_url_fopen and turned it OFF, but I do not have an entry for php_admin_flag, and the security advisory still reports this as Not Secure.


ITEM 2
'mainfile.php' : missing precheck Not secure
You should edit your mainfile.php like written in README.

The instructions do not say where to paste the code in the mainfile.php and if the code brackets should be included. I tried it without the code brackets and got an error and had to use the rescue.php to get back in.


After XOOPS Protector is installed, edit your mainfile.php like this:
    define('XOOPS_GROUP_ADMIN', '1');
    define('XOOPS_GROUP_USERS', '2');
    define('XOOPS_GROUP_ANONYMOUS', '3');

    // Added for Protector (red in the README): run the precheck before common.php
    include( XOOPS_ROOT_PATH . '/modules/protector/include/precheck.inc.php' ) ;
    // The "&& XOOPS_ROOT_PATH != ''" condition is also added (blue in the README)
    if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '' ) {
        include XOOPS_ROOT_PATH."/include/common.php";
    }
    // Added for Protector (red in the README): run the postcheck after common.php
    include( XOOPS_ROOT_PATH . '/modules/protector/include/postcheck.inc.php' ) ;


Thanks - technobia

2
m0nty
Re: Protector Module Security Advisories
  • 2006/9/21 17:03



If you turned it off in php.ini, then you have to restart the Apache service or IIS server for the changes to take effect.

php_admin_flag is a command used in .htaccess files only. If you edit php.ini directly, there's no need to add it to .htaccess etc.

Unless you're using a php.ini file on your server under CGI mode; then that means you need to place that same file in every folder you want protected.

As for editing mainfile, the answer is above in your post. Edit mainfile as it states, adding the lines in red where they are shown in the example.
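
A way to confirm both advisory items from the web server's point of view, as an added example that is not part of the original thread, Protector or XOOPS. The helper function names and the assumption that the script is saved next to mainfile.php in the XOOPS root are illustrative:

```php
<?php
// Added diagnostic (not Protector or XOOPS code). Request it through the web
// server, not the CLI: the CLI often loads a different php.ini.
// Assumption: saved next to mainfile.php in the XOOPS root. It prints the
// php.ini path, so delete it once the check is done.

// Interpret an ini boolean: "1", "on", "yes", "true" mean enabled.
function ini_flag_enabled($name)
{
    $value = strtolower(trim((string) ini_get($name)));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

// Path of the php.ini this SAPI actually loaded (false if none).
function loaded_ini_path()
{
    if (function_exists('php_ini_loaded_file')) {   // PHP >= 5.2.4
        return php_ini_loaded_file();
    }
    return get_cfg_var('cfg_file_path');            // older PHP, e.g. 5.1.x
}

// Check that precheck is included before common.php and postcheck after it.
// Plain substring search: a commented-out include would still match.
function mainfile_protector_status($source)
{
    $pre    = strpos($source, 'protector/include/precheck.inc.php');
    $common = strpos($source, '/include/common.php');
    $post   = strpos($source, 'protector/include/postcheck.inc.php');
    if ($pre === false)    { return 'precheck include missing'; }
    if ($post === false)   { return 'postcheck include missing'; }
    if ($common === false) { return 'common.php include not found'; }
    return ($pre < $common && $common < $post)
        ? 'ok'
        : 'includes present but in the wrong order';
}

header('Content-Type: text/plain');
echo 'SAPI:            ', php_sapi_name(), "\n";
echo 'Loaded php.ini:  ', var_export(loaded_ini_path(), true), "\n";
echo 'allow_url_fopen: ', ini_flag_enabled('allow_url_fopen') ? 'on' : 'off', "\n";
$mainfile = dirname(__FILE__) . '/mainfile.php';
echo 'mainfile.php:    ', is_readable($mainfile)
    ? mainfile_protector_status(file_get_contents($mainfile))
    : 'not readable at ' . $mainfile, "\n";
```

If the reported php.ini is not the file that was edited, or allow_url_fopen still shows on after a server restart, the change was made in a file this SAPI does not read.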
