1
ashlyn
Help with Protector (came with 2.3.2 fresh install)
  • 2009/2/17 11:54

  • ashlyn

  • Just popping in

  • Posts: 8

  • Since: 2006/5/23


I'm a little lost. I installed Protector as a module, as it came with v.2.3.2. Correct folders etc.

Getting the following nasties in the Protector module:

'XOOPS_TRUST_PATH' :
Check php files inside TRUST_PATH are private (it must be 404,403 or 500 error
If you can look an image -NG- or the link returns normal page, your XOOPS_TRUST_PATH is not placed properly. The best place for XOOPS_TRUST_PATH is outside of DocumentRoot. If you cannot do that, you have to put .htaccess (DENY FROM ALL) just under XOOPS_TRUST_PATH as the second best way.

I can see the NG image in Security Advisory. The whole XOOPS_TRUST_PATH thing has me stumped. Is there a tutorial for this?

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.

Will speak to admin about fixing this.

'mainfile.php' : missing precheck Not secure
You should edit your mainfile.php like written in README.

It's set to 444. Is there something I missed?

I did not understand the readme properly, and got way lost on the whole Trust Path thing. Any help for this dummy would be much appreciated.

Thanks

2
Anonymous
Re: Help with Protector (came with 2.3.2 fresh install)
  • 2009/2/17 12:44

  • Anonymous

  • Posts: 0

  • Since:


Quote:
ashlyn wrote:

I'm a little lost. I installed Protector as a module, as it came with v.2.3.2. Correct folders etc.

Getting the following nasties in the Protector module:

'XOOPS_TRUST_PATH' :
Check php files inside TRUST_PATH are private (it must be 404,403 or 500 error
If you can look an image -NG- or the link returns normal page, your XOOPS_TRUST_PATH is not placed properly. The best place for XOOPS_TRUST_PATH is outside of DocumentRoot. If you cannot do that, you have to put .htaccess (DENY FROM ALL) just under XOOPS_TRUST_PATH as the second best way.

I can see the NG image in Security Advisory. The whole XOOPS_TRUST_PATH thing has me stumped. Is there a tutorial for this?


You are getting this because your xoops_lib folder is probably sitting inside your xoops_root folder (as it was this way when you unzipped the downloaded XOOPS package.

If you can, you are advised to move this folder outside of xoops_root and then edit your mainfile.php to so that it references the new location.

You are also advised to rename the xoops_lib folder to something unique.

There is a FAQ on "making your site secure" - search it out and study it as it will help a lot

Quote:
ashlyn wrote:

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.

Will speak to admin about fixing this.


If you are on a shared server then this might not be possible. Whilst it's desirable to have it set as recommended it's not something that I personally lose any sleep over.

Quote:
ashlyn wrote:

'mainfile.php' : missing precheck Not secure
You should edit your mainfile.php like written in README.

It's set to 444. Is there something I missed?

I did not understand the readme properly, and got way lost on the whole Trust Path thing. Any help for this dummy would be much appreciated.


You didn't read the installation instructions properly, did you

This is easily corrected - take a look in the "extras" folder that came with your XOOPS download and look at a file called mainfile.dist.php

Near the bottom of this file there are two lines code relating to "precheck" and "postcheck" and these sit either side of a few lines of "other code".

These lines of "other code" are also found in your mainfile.php. Copy the "precheck", "postcheck" and "other code" from mainfile.dist.php and past them into your mainfile.php thereby replacing the exisitng "other code".

After checking that the code in mainfile.php is exactly the same as in mainfile.dist.php, upload the amended mainfile.php - the error will now be gone

HTH

3
ashlyn
Re: Help with Protector (came with 2.3.2 fresh install)
  • 2009/2/18 6:55

  • ashlyn

  • Just popping in

  • Posts: 8

  • Since: 2006/5/23


Thankyou kindly. The penny finally dropped and I now can no longer see the NG image, and the link gives a 404 page. Step one defeated. I was confused as to where and what document root was. I've learned something new today!

My mainfile is now patched, ok, and happy.

Only one small thing left.

The 2 links at the bottom of the Security Advisory page are this:

Contaminations:
http://www.mysite/pages/index.php?xoopsConfig%5Bnocommon%5D=1

Isolated Comments:
http://www.mysite/pages/index.php?cid=%2Cpassword+%2F%2A


The second link just takes me to my homepage. I'm assuming this is ok?

The first link takes me to a blank page with only 1 line of text saying "Protector detects attacking actions". I'm assuming this is NOT ok? Is that because of the ('allow_url_fopen' : on Not secure) part? I am on a shared server, so this might not be an easy thing to fix.


Thankyou so much for your help. You've been an angel



4
Anonymous
Re: Help with Protector (came with 2.3.2 fresh install)
  • 2009/2/18 9:14

  • Anonymous

  • Posts: 0

  • Since:


Quote:
ashlyn wrote:

The 2 links at the bottom of the Security Advisory page are this:

Contaminations:
http://www.mysite/pages/index.php?xoopsConfig%5Bnocommon%5D=1

Isolated Comments:
http://www.mysite/pages/index.php?cid=%2Cpassword+%2F%2A


The second link just takes me to my homepage. I'm assuming this is ok?


These links are for you to test that protector is working okay. My installation behaves the same as yours.

If you click on the links then visit the "protect centre" there should be two entries in the on-screen log and these will show your admin username and your ip address. If these entries are there then protector is working

Login

Who's Online

314 user(s) are online (232 user(s) are browsing Support Forums)


Members: 0


Guests: 314


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits