1
Medic1
Protector
  • 2007/3/31 19:54

  • Medic1

  • Just popping in

  • Posts: 44

  • Since: 2005/10/1


I followed what instructions I could find on this site but I am having a problem..
If I add the line....

if (!isset($xoopsOption['nocommon'])) {
include XOOPS_ROOT_PATH."/include/common.php";
}

all I get is a blank screen. I have no banned IPs set.

I also could use some info on this....

'register_globals' : off ok

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.

'session.use_trans_sid' : off ok

'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
Go to prefix manager

'mainfile.php' : missing postcheck Not secure
You should edit your mainfile.php like written in README.

'Password for rescue' : ok



How do I correct this?

Thanks for any help.

2
vaughan
Re: Protector
  • 2007/3/31 20:16

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

if (!isset($xoopsOption['nocommon'])) {
include XOOPS_ROOT_PATH."/include/common.php";
}


it doesn't say to add that line to wherever you are adding it to.

read the readme file carefully!!

you add >

include XOOPS_TRUST_PATH.'/modules/protector/include/precheck.inc.php' ;


and

include XOOPS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php' ;


like the readme file says so it looks like >

include XOOPS_TRUST_PATH.'/modules/protector/include/precheck.inc.php' ;
if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '' ) {
include XOOPS_ROOT_PATH."/include/common.php";
}
include XOOPS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php';


as for the others, do a search for allow_url_fopen to find out more

as for db prefix, follow the instructions & change the db prefix using the prefix manager in the protector module.

3
MadFish
Re: Protector
  • 2007/4/1 3:10

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


With the new version of Protector it is important to follow the installation instructions step by step. I think you have to actually install the module before modifying the mainfile, or it won't work.

PM me with your email and I'll send you a nearly finished doc on protector that explains some of the settings you were asking about.

4
Medic1
Re: Protector
  • 2007/4/1 13:40

  • Medic1

  • Just popping in

  • Posts: 44

  • Since: 2005/10/1


I would go through the readme file but it won't open with anything I have installed.

5
Anonymous
Re: Protector
  • 2007/4/1 14:00

  • Anonymous

  • Posts: 0

  • Since:


Quote:
Medic1 wrote:

I would go through the readme file but it won't open with anything I have installed.


The README file has no filename extension.

However, it will open with any text editor such as Wordpad - however, Notepad doesn't work.

6
Anonymous
Re: Protector
  • 2007/4/1 14:32

  • Anonymous

  • Posts: 0

  • Since:


@MadFish and Vaughan

Your replies, whilst helpful, assume that Medic1 is using Protector 3. However, this line in Medic1's first post suggests that it may be an earlier version:

Quote:
Medic1 wrote:

'Password for rescue' : ok


The password feature was present in earlier versions of the module but removed for v3.

@Medic1

The advice to read the instructions still applies.

7
Anonymous
Re: Protector
  • 2007/4/1 14:39

  • Anonymous

  • Posts: 0

  • Since:


Quote:
Medic1 wrote:

I also could use some info on this....

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.


My hosting company won't turn this off for me as it would disable some server features for other users.

Quote:
Medic1 wrote:

'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
Go to prefix manager


This means that the database table prefix chosen at the time of XOOPS install might be easily guessed by others. It is possible to change the prefix.

Go to the module's "Preference" in Admin and turn on "sanitising".


Quote:
Medic1 wrote:

'mainfile.php' : missing postcheck Not secure
You should edit your mainfile.php like written in README.


RTFM

It looks like you have the pre-check sorted okay, but you need to add the equivalent code for the post-check in your mainfile.php, too.

It will look a bit like the code that Vaughan gave but with XOOPS_ROOT_PATH instead of XOOPS_TRUST_PATH (the latter is a feature of Protector 3):

include XOOPS_TRUST_PATH.'/modules/protector/include/precheck.inc.php' ;
if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '' ) {
include XOOPS_ROOT_PATH."/include/common.php";
}
include XOOPS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php';



HTH

8
Anonymous
Re: Protector
  • 2007/4/1 14:48

  • Anonymous

  • Posts: 0

  • Since:


And then, once you have it sorted okay, upgrade to the "Protector 3" module from GIJOE, which is available here.

If you look down that page you'll see some code which will give a BIG CLUE as to where to put the pre- and post-check code in your mainfile.php with the version of the module that you have (you will need XOOPS_ROOT_PATH rather than XOOPS_TRUST_PATH though)

9
carpeweb
Re: Protector
  • 2007/4/1 21:56

  • carpeweb

  • Just popping in

  • Posts: 38

  • Since: 2002/9/12


I'm also having some problems with allow_url_fopen.

My XOOPS Info has a red dot next to this parameter, but my host said that this option is disabled system-wide. I checked a file called .htaccess in my root (public_html) folder, and it has the following line:

php_flag allow_url_fopen off

So, it seems to me that my host is doing the right thing here, but somehow XOOPS Info is maybe looking in httpd.conf or some other file for the same setting. I don't have access to httpd.conf; at least I don't see it in my file manager from my hosting provider.

Does anyone know how I can confirm whether I'm protected against allow_url_fopen?

Thanks!

10
Dave_L
Re: Protector
  • 2007/4/2 0:10

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Try running this script:

<?php
$fp = fopen('http://example.com/', 'r');
var_dump($fp);
?>


If allow_url_fopen is on, the output should look like this:

Quote:
resource(5) of type (stream)


If allow_url_fopen is off, the output should look like this:

Quote:
Warning: fopen(): URL file-access is disabled in the server configuration in ... on line 2
Warning: fopen(http://example.com/): failed to open stream: no suitable wrapper could be found in ... on line 2
bool(false)
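
A configuration-level check to complement the fopen() probe above, as an added example that is not part of the original thread: it reports the value PHP actually applies to this request, the php.ini value, and where each directive may be set, which shows whether a `php_flag` line in `.htaccess` can affect it at all. The function names `ini_flag`, `ini_scope` and `report_url_wrappers` are made up for this example.

```php
<?php
// Added example (not from the thread). Upload, load once in a browser, then delete.

// Normalise an ini value such as "1", "On", "0", "" or "Off" to a boolean.
function ini_flag($value)
{
    return in_array(strtolower(trim((string) $value)), array('1', 'on', 'yes', 'true'), true);
}

// Translate the access bitmask from ini_get_all() into where a directive may be set.
function ini_scope($access)
{
    $where = array();
    if ($access & INI_USER) {
        $where[] = 'ini_set()';
    }
    if ($access & INI_PERDIR) {
        $where[] = '.htaccess (php_flag)';
    }
    if ($access & INI_SYSTEM) {
        $where[] = 'php.ini or httpd.conf';
    }
    return implode(', ', $where);
}

// Build one report line per URL-wrapper directive.
function report_url_wrappers()
{
    $all   = ini_get_all();   // per directive: global_value, local_value, access
    $lines = array('Loaded php.ini: ' . (php_ini_loaded_file() ?: '(none)'));
    foreach (array('allow_url_fopen', 'allow_url_include') as $name) {
        if (!isset($all[$name])) {
            $lines[] = "$name: not available in this PHP build";
            continue;
        }
        $d = $all[$name];
        $lines[] = sprintf(
            '%s: effective=%s, master=%s, settable in: %s',
            $name,
            ini_flag($d['local_value']) ? 'on' : 'off',
            ini_flag($d['global_value']) ? 'on' : 'off',
            ini_scope($d['access'])
        );
    }
    return $lines;
}

header('Content-Type: text/plain');
echo implode("\n", report_url_wrappers()), "\n";
```

If "effective" still reads on while `.htaccess` says off, and the "settable in" list does not include `.htaccess`, the change has to be made in php.ini or httpd.conf by the host.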
