Re: Xoops Security [Xoops Development] - XOOPS Web Application System

1

Xoops Security

2008/4/23 8:19
Shiva
Quite a regular
Posts: 280
Since: 2006/7/9 1

Are the security precautions that all Xoopsters should be aware of. The only relevant information I can find is written in 2004. So to start off... do people find the following useful and relevant:

1. Using the protector module :

https://xoops.org/modules/repository/singlefile.php?cid=59&lid=1453

2. Hiding the MySQL login & password details by moving them into a diffent file :
http://xoops-tips.com/news-article.storyid-1.htm

Any other security precautions that we should be aware of?

Xoops CMS design
Membership based website design

2

Re: Xoops Security

2008/4/23 8:49
Anonymous
Posts: 0
Since:

That is a very old version of Protector. Use version 3.16beta from GIJOE's website here:
http://xoops.peak.ne.jp/md/mydownloads/singlefile.php?lid=105&cid=1

You will Madfish's excellent installation guide on that page. Follow it to the letter and you'll be fine

3

Re: Xoops Security

2008/4/23 8:57
avtx30
Not too shy to talk
Posts: 181
Since: 2006/10/12

-2. Delete 'install' directory
-1. Chmod '404' mainfile.php
-0. Chmod others properly
3. Try to move '777' stuffs out of your public_html
4. Remove unused files (e.g. xmlrpc.php, pda.php)
5. Use good modules
6. Use .htaccess properly

/.htaccess

 Options -Indexes 
<FilesMatch "(mainfile|header|footer).php"> 
Order allow,deny 
Deny from all 
FilesMatch>

/cache/.htaccess, /class/.htaccess, /kernel/.htaccess, /language/.htaccess, /templates_c/.htaccess

 Order allow,deny 
Deny from all

/images/.htaccess, /modules/.htaccess

Options -Indexes

/include/.htaccess

 Order Deny,Allow 
Deny from all 
<FilesMatch ".(js|css)$"> 
Allow from all 
FilesMatch>

/themes/.htaccess

 Order Deny,Allow 
Deny from all 
<FilesMatch ".(gif|jpe?g|png|js|css|swf)$"> 
Allow from all 
FilesMatch>

/uploads/.htaccess

 Order Deny,Allow 
Deny from all 
<FilesMatch ".(gif|jpe?g|png)$"> 
Allow from all 
FilesMatch>

Xoops Demos:
http://www.nhatban.net/info/a0021.html

4

Re: Xoops Security

2008/4/23 10:35
Shiva
Quite a regular
Posts: 280
Since: 2006/7/9 1

Cheers for that guys!

I did not know there was such a recent version of the protector modules. It's a shame that the XOOPS download area is so out of date.

The .htaccess tips seem very handy. But can you just explain whats happening there. I presume it blocks access to unautorised users. I am a little concerned about the uploads directory - I don't want to restrict to much access. (?)

Xoops CMS design
Membership based website design

5

Re: Xoops Security

2008/4/23 10:45
Mamba
Moderator
Posts: 11409
Since: 2004/4/23

We're working on an update of modules - it's coming soon!

But the best way is always to check the authors Website, because sometimes we are not aware of a new version being out.

Support XOOPS => DONATE
Use 2.5.11 | Docs | Modules | Bugs

6

Re: Xoops Security

2008/4/23 10:51
Shiva
Quite a regular
Posts: 280
Since: 2006/7/9 1

cool. :)

Xoops CMS design
Membership based website design

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Xoops Security

Re: Xoops Security

Re: Xoops Security

Re: Xoops Security

Re: Xoops Security

Re: Xoops Security

Login

Search

Recent Posts

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}