XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. XOOPS general usage questions 
  4.  / XOOPS security and php settings
Register
1
peterr
XOOPS security and php settings

  • 2008/4/24 1:29

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


The server environment is

Quote:

Apache version 2.0.63
PERL version 5.8.8
PHP version 5.2.5
MySQL version 5.0.45-community


There may be some official XOOPS guidlines on security, however I could not find it. In particular, what php settings are recommended ?

This is what is currently used in the .htaccess of an XOOPS site.

# XOOPS security measures
php_flag session.use_only_cookies on
php_flag session.use_trans_sid off
# Protector module
php_flag register_globals off
php_flag allow_url_fopen off
# php errors
php_value display_errors 0
php_value log_errors 1
php_value error_log ../phperrorspathname/phperrorlogname.txt


Please advise of any changes/additions. Please keep in mind, that since PHP 5.1.0 , the 'need' for alow_url-fopen to be "off" may be redundant, by the addition of a new directive, called allow_url_include - (seehttp://www.webmasterworld.com/forum88/10940.htm)

Some default configuration values athttp://www.php.net/manual/en/filesystem.configuration.php
NO to the Microsoft Office format as an ISO standard.
Sign the petition
2
hervet
Re: XOOPS security and php settings

  • 2008/4/26 17:22

  • hervet

  • Friend of XOOPS

  • Posts: 2267

  • Since: 2003/11/4


It seems ok for me.
Don't forget to secure your database too.
3
peterr
Re: XOOPS security and php settings

  • 2008/5/3 7:17

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

hervet wrote:
It seems ok for me.
Don't forget to secure your database too.


Thanks. Yes, the db is okay, I use Protector.

It was going to be way too much to define the php values in a php.ini, because we would need one in every path that had, at least an 'include' or 'require' in the php code. I did a quick glance, and counted no less than 78 paths that would need a modified php file, ...... no thanks, what a maintenance nightmare.

Fortunately, the server admin person was kind enough to modify the server wide php settings for me, as _most_ of those required by XOOPS and Protector are set correctly anyway.

The only one that isn't set (off) is allow_url_fopen , however the point raised in the first post is an issue, that is, the real need to have this set off. Also, server security is such that people who are trying exploits on the site, and trying to pass a remote file (by include "http" and the filename in the uri), are getting nowhere at all, they get a 403 or a 404.

In the process of reading some docs on suPHP, we found out that in php 5.3 , the use of .htaccess will again be available, at least, that's the way I read it.
NO to the Microsoft Office format as an ISO standard.
Sign the petition
4
rpilney
Re: XOOPS security and php settings

  • 2008/7/30 4:54

  • rpilney

  • Just popping in

  • Posts: 76

  • Since: 2006/1/25


my site got hit with a php/ms06-014!exploit

it wrote code in the index.php file on line 46

there was info in there that I am not sure I am supposd to repost here so I wont but when users came to the site it would state that the site either had the above exploit using CA or a trojan using another anti virus program.

the file size changed to 3k


not sure what other files might have been messed with. I did not see any other files or folders that were changed on or near the date of that index.php file.

using XOOPS 2.0.18.1 with protector.


FYI
5
peterr
Re: XOOPS security and php settings

  • 2008/7/30 6:15

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

rpilney wrote:
my site got hit with a php/ms06-014!exploit

it wrote code in the index.php file on line 46

there was info in there that I am not sure I am supposd to repost here so I wont but when users came to the site it would state that the site either had the above exploit using CA or a trojan using another anti virus program.

the file size changed to 3k

not sure what other files might have been messed with. I did not see any other files or folders that were changed on or near the date of that index.php file.

using XOOPS 2.0.18.1 with protector.


Might be best to PM the details to Mamba
NO to the Microsoft Office format as an ISO standard.
Sign the petition
6
Mamba
Re: XOOPS security and php settings

  • 2008/7/30 6:22

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


Quote:
my site got hit with a php/ms06-014!exploit

Sorry to hear it!

However, if I understand correctly from this Microsoft report, they entered through MDAC (Microsoft Data Access Components), and once inside, they did stuff to whatever was on the computer - could be XOOPS, or it could be Joomla as shown over here

As stated on McAfee here:
Quote:

Indications of Infection:
Internet Explorer may execute arbitrary code or crash upon exploitation. Any number of subsequent actions may be taken by the malware.

Method of Infection:
Users may be lured (such as through spam or spim) to visit a malicious site. Upon loading the web page, a vulnerable web browser will execute the payload.

I guess, Firefox doesn't have problems with that. Also, on Firefox, I suggest to use WOT extensions, which links to WOT (Web of Trust), to show if there are any known issues with the Website that you're visiting.

I hope, you'll be able to clean up your Website soon.

And feel free to PM me the info they left.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs
7
peterr
Re: XOOPS security and php settings

  • 2010/2/18 12:39

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Is "session.use_only_cookies on" essential for either XOOPS or Protector ?
8
peterr
Re: XOOPS security and php settings

  • 2010/2/26 12:12

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


Quote:

peterr wrote:
Is "session.use_only_cookies on" essential for either XOOPS or Protector ?


Anyone ??

Pete

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

158 user(s) are online (103 user(s) are browsing Support Forums)

Members: 0

Guests: 158

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Apr 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits