I have a couple of Protector module security advisories I am not sure how to resolve.
ITEM 1: 'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.
I edited my php.ini (php5.1.6). I found allow_url_fopen and turned it OFF, but I do not have an entry for php_admin_flag, and the security advisory still reports this as Not Secure.
ITEM 2: 'mainfile.php' : missing precheck Not secure
You should edit your mainfile.php like written in README.
The instructions do not say where to paste the code in the mainfile.php and if the code brackets should be included. I tried it without the code brackets and got an error and had to use the rescue.php to get back in.
After XOOPS Protector is installed, edit your mainfile.php like this:
define('XOOPS_GROUP_ADMIN', '1');
define('XOOPS_GROUP_USERS', '2');
define('XOOPS_GROUP_ANONYMOUS', '3');
// next line is highlighted in red in the original
include( XOOPS_ROOT_PATH . '/modules/protector/include/precheck.inc.php' ) ;
// the "&& XOOPS_ROOT_PATH != ''" part is highlighted in blue in the original
if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '' ) {
    include XOOPS_ROOT_PATH."/include/common.php";
}
// next line is highlighted in red in the original
include( XOOPS_ROOT_PATH . '/modules/protector/include/postcheck.inc.php' ) ;
Thanks - technobia
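
An added example, not part of the original post and not XOOPS or Protector code: a PHP diagnostic page for the two advisories above. It reports the allow_url_fopen value that the web server's PHP actually sees and checks that mainfile.php includes precheck.inc.php before common.php and postcheck.inc.php after it. The function names, and the assumption that the script sits in the same directory as mainfile.php, are hypothetical.

```php
<?php
// Added diagnostic, not XOOPS/Protector code. Load it via the web server, not the CLI.

// Normalise an ini value ("1", "On", "", "0", "Off") to a boolean.
function ini_flag_enabled($name)
{
    $v = strtolower(trim((string) ini_get($name)));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

// Drop comments so a commented-out include is not counted as present.
function strip_php_comments($source)
{
    $out = '';
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) {
            $out .= $tok;
        } elseif ($tok[0] !== T_COMMENT && $tok[0] !== T_DOC_COMMENT) {
            $out .= $tok[1];
        }
    }
    return $out;
}

// True only when precheck precedes common.php and postcheck follows it.
function mainfile_is_patched($source)
{
    $code = strip_php_comments($source);
    $pre  = strpos($code, '/modules/protector/include/precheck.inc.php');
    $com  = strpos($code, '/include/common.php');
    $post = strpos($code, '/modules/protector/include/postcheck.inc.php');
    return $pre !== false && $com !== false && $post !== false
        && $pre < $com && $com < $post;
}

header('Content-Type: text/plain');
echo 'allow_url_fopen: ', ini_flag_enabled('allow_url_fopen') ? 'on' : 'off', "\n";
if (function_exists('php_ini_loaded_file')) { // available from PHP 5.2.4
    echo 'php.ini in use: ', var_export(php_ini_loaded_file(), true), "\n";
}
// Assumption: this script sits in the same directory as mainfile.php.
$mainfile = dirname(__FILE__) . '/mainfile.php';
if (is_readable($mainfile)) {
    $ok = mainfile_is_patched(file_get_contents($mainfile));
    echo 'mainfile.php precheck/postcheck order: ', $ok ? 'ok' : 'not ok', "\n";
} else {
    echo "mainfile.php not readable at $mainfile\n";
}
```

Delete the script after use, since it reveals the server's php.ini path.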