1
StevenB
Paid Security Help - Xoops, Protector, and more
  • 2006/9/4 16:18

  • StevenB

  • Just popping in

  • Posts: 61

  • Since: 2006/9/3 2


Stuff:
OS: Linux, php: v4.4.0, MySQL v14.7, scripts are ran as CGI executables

Current installed Mods:
Xoops 2.0.14, protector 2.5, XOOPS poll blind, AMS 2.14
Note: I do need to install a couple more mods; a good calendar, and photo album.

Security is absolutely critical for this site and I am willing to pay for a knowlageble person (that has beeen running a XOOPS site for a while without being hacked) to help me work through some known problems and offer advice to make the site as secure as possible.

Known Problem 1: When I run the Protector Mod the security advisory warns...

'register_globals' : on Not secure
'allow_url_fopen' : on Not secure
'session.use_trans_sid' : on Not secure

I have been working on this for a week. This is what I know/tried so far:

I got an internal server error when I tried to create the .htaccess. When I contacted the host there reply was:
Quote:
Yes, applying these lines to the .htaccess files will cause the internal server error 500 to be generated because in our system PHP scripts are ran as CGI executables which means that whenever you try to use PHP directives in the .htaccess file they are not correctly recognised which in turn results to the aforemenntioned error.

The host recomended I create a php.ini file. I made 3 attempts at the php.ini from days of googling and placed it in the root of the site. All of them still get the security warnings. Here's that code:
register_globals=off
allow_url_fopen
=off
session
.use_trans_sid=off
and
register_globals 0
allow_url_fopen 
0
session
.use_trans_sid 0
and
php_flag register_globals=off
php_admin_flag allow_url_fopen
=off
php_flag session
.use_trans_sid=off


Problems 2 & 3 I haven't even addessed yet:
2)'XOOPS_DB_PREFIX' : XOOPS Not secure

3)I'm really not sure if this is a problem or not but of the links in protector simply pull up my home page.
Contaminations:
http://mysite.com/index.php?xoopsConfig%5Bnocommon%5D=1
Isolated Comments:
http://mysite.com/index.php?cid=%2Cpassword+%2F%2A

I am also interested in any and all other security precautions help or advice.

If interested please PM me and we can discuss arrangements.

Regards,
Steve

2
justtupeu
Re: Paid Security Help - Xoops, Protector, and more
  • 2006/9/5 16:40

  • justtupeu

  • Just popping in

  • Posts: 78

  • Since: 2005/6/7 8


Quote:
Yes, applying these lines to the .htaccess files will cause the internal server error 500 to be generated


Oh man I just hate that.
Vineri triskaideka - contest for Vineri triskaideka phrase

3
shogun_ro
Re: Paid Security Help - Xoops, Protector, and more
  • 2006/10/1 12:47

  • shogun_ro

  • Just popping in

  • Posts: 9

  • Since: 2006/9/2 1


Quote:
Yes, applying these lines to the .htaccess files will cause the internal server error 500 to be generated


Change hosting company with one more professional.

4
m0nty
Re: Paid Security Help - Xoops, Protector, and more
  • 2006/10/1 13:00

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


php.ini files need to be placed in every folder that you want those directives enforced.. not just the root folder.. as php.ini files only affect the folder they are placed in and not any sub folders.

only htaccess files affect all folders under them..

don't use the php_flag tho in php.ini files

you only use php_flag in htaccess.. any php commands in htaccess when php is in CGI mode will produce a 500 internal server error.

5
McNaz
Re: Paid Security Help - Xoops, Protector, and more
  • 2006/10/1 14:03

  • McNaz

  • Just can't stay away

  • Posts: 574

  • Since: 2003/4/21


Quote:
Change hosting company with one more professional.


This wont help much as more and more hosts are moving towards phpsuexec, which is what you are on if .htaccess files generate a internal error 500 when attempting any php directives.

6
BDW
Re: Paid Security Help - Xoops, Protector, and more
  • 2006/10/1 22:11

  • BDW

  • Quite a regular

  • Posts: 280

  • Since: 2002/9/28


You should ask your host to edit the default php.ini file to change these if they dont let you change it yourself.

Your host should have a default php.ini file that covers your whole website. If they dont then change hosts.

within a php.ini file it should be

register_globals = Off
allow_url_fopen = Off
session.use_trans_sid = Off

7
BDW
Re: Paid Security Help - Xoops, Protector, and more
  • 2006/10/1 22:21

  • BDW

  • Quite a regular

  • Posts: 280

  • Since: 2002/9/28


Quote:


Problems 2 & 3 I haven't even addessed yet:
2)'XOOPS_DB_PREFIX' : XOOPS Not secure


This can be done by:

1. going to Protectors Admin
2. Prefix Manager
3. Where it has a "Copy" button there should be a box, enter in a new Prefix.
4. Click on Copy
DO NOT DELETE YOUR OLD ONE JUST IN CASE YOUR SITE DOESNT WORK AFTER THE NEXT STEPS
5. load your FTP client.
6. Edit mainfile.php (you may have to change CHMOD temporarly)
7. Change the XOOPS db prefix from 'xoops' to your new one.
8. Save then Change your mainfile.php chmod back.

And your done

8
jdseymour
Re: Paid Security Help - Xoops, Protector, and more

Quote:

unhardcore wrote:
You should ask your host to edit the default php.ini file to change these if they dont let you change it yourself.

Your host should have a default php.ini file that covers your whole website. If they dont then change hosts.


Problem is that the php.ini is for server wide settings (main one), if they make custom changes it may break another person's application.

I have found it is best to use VPS (Virtual Private Servers).

The prices have become quite close to that of shared hosting and you have full control over your server space.

Shared hosting has to be a little loose on the security side of things to provide service to the highest number of web applications.

9
BDW
Re: Paid Security Help - Xoops, Protector, and more
  • 2006/10/1 22:41

  • BDW

  • Quite a regular

  • Posts: 280

  • Since: 2002/9/28


Quote:

jdseymour wrote:

Problem is that the php.ini is for server wide settings (main one), if they make custom changes it may break another person's application.


I was actually talking about the default php.ini file that is (usually) supplied for your webspace. My hosts supply one and its edited within the control panel and using what i have said above works in it and works for all of my web space.

10
jdseymour
Re: Paid Security Help - Xoops, Protector, and more

I agree with you to a point. The problem (for me) with shared hosting is that all you need is one weak application running in someone elses webspace (as you say, actually shared space to the server) and the whole server can be compromised.

A VPS on the other hand is isolated, on it's own partition with it's own OS and settings. A weak application on another VPS on the same host server will have a much less chance of affecting your site.

Login

Who's Online

237 user(s) are online (149 user(s) are browsing Support Forums)


Members: 0


Guests: 237


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits