Security: Vulnerability in Protector if placed in DocumentRoot

Posted by: phppp on 2009/1/9 9:30:00
We've been made aware of a vulnerability in the Protector module when it is placed in the DocumentRoot.

This affects all versions of XOOPS where the XOOPS_TRUST_PATH directory (xoops_lib by default), which contains the Protector, is placed in the DocumentRoot.

As we've always communicated to you (e.g. in this article A Guide to Make your XOOPS Installation even more secure), the best solution is to place your xoops_lib folder outside the web root. You should also rename xoops_lib to something different and modify mainfile.php accordingly.

If you are not allowed to do so, add a .htaccess file to protect your Protector module:

# Deny all direct HTTP access to this directory (Apache 2.2 syntax)
Order deny,allow
Deny from all

The .htaccess file should be placed in /xoops_lib, or whatever your XOOPS_TRUST_PATH directory is named.

If .htaccess is not allowed or enabled on your server, turn off register_globals in your server's PHP configuration.

If you are not allowed to do any of the above, then the only solution is to remove the Protector module from your server and wait for a complete fix of the module.
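As an added example (not part of this advisory or of the XOOPS project's code), a small POSIX shell check that a site administrator can run to see whether the XOOPS_TRUST_PATH directory resolves inside the web server's DocumentRoot and, if it does, whether a deny-all .htaccess like the one above is in place. Both paths are passed as arguments; the directory names in the comments are assumptions.

```shell
#!/bin/sh
# Added check (not XOOPS project code): report whether the XOOPS_TRUST_PATH
# directory is reachable through the web server's DocumentRoot and, if so,
# whether it is at least shielded by a deny-all .htaccess.
#
# Usage: trust_path_check DOCUMENT_ROOT XOOPS_TRUST_PATH
#   e.g. trust_path_check /var/www/htdocs /var/www/xoops_lib   (assumed paths)
# Exit status: 0 = not web-reachable (or shielded), 1 = exposed, 2 = bad path.

# Resolve symlinks and strip trailing slashes so /var/www/ and a symlink
# to /var/www compare equal to /var/www.
canon_path() {
    (CDPATH= cd -P -- "$1" 2>/dev/null && pwd -P)
}

# Is directory $2 equal to, or located below, directory $1?
# The "/" after $1 prevents /srv/htdocs_private matching /srv/htdocs.
path_is_inside() {
    [ "$1" = / ] && return 0
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Does DIR/.htaccess carry a "Deny from all" rule (Apache 2.2 syntax)?
has_deny_all_htaccess() {
    [ -f "$1/.htaccess" ] &&
    grep -iq '^[[:space:]]*deny[[:space:]][[:space:]]*from[[:space:]][[:space:]]*all' "$1/.htaccess"
}

trust_path_check() {
    docroot=$(canon_path "$1") || { echo "DocumentRoot $1 not found"; return 2; }
    trust=$(canon_path "$2")   || { echo "XOOPS_TRUST_PATH $2 not found"; return 2; }

    if ! path_is_inside "$docroot" "$trust"; then
        echo "OK: $trust is outside DocumentRoot $docroot"
        return 0
    fi
    if has_deny_all_htaccess "$trust"; then
        echo "WARNING: $trust is inside DocumentRoot, but .htaccess denies HTTP access"
        return 0
    fi
    echo "EXPOSED: $trust is inside DocumentRoot $docroot with no deny-all .htaccess"
    return 1
}
```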

Of course, the best scenario would be to have clean and safe code. Unfortunately, we've missed this security bug, but we're working on the solution and will release it soon.