Vulnerability in Protector if placed in DocumentRoot

phppp  09-Jan-2009 09:24

We've been made aware of a vulnerability in Protector that applies when it is placed in the DocumentRoot.

It affects all versions of XOOPS when the XOOPS_TRUST_PATH (or xoops_lib) directory, which contains Protector, is placed in the DocumentRoot.

As we've always communicated to you (e.g. in the article "A Guide to Make your XOOPS Installation even more secure"), the best solution is to place your xoops_lib folder outside the webroot path. You should also rename xoops_lib to something different and modify mainfile.php accordingly.

If you are not allowed to do so, add a .htaccess file to protect your Protector module:

    order deny,allow
    deny from all

The .htaccess file should be placed in /xoops_lib, or whatever your XOOPS_TRUST_PATH directory is named.

If .htaccess is not allowed or enabled on your server, turn off register_globals in your server's PHP configuration.

If you are not allowed to do any of the above, then the only solution is to remove the Protector module from your server and wait for a complete fix of the module.
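
One way to check which of the situations above applies to a given server, as an added example that is not part of the original advisory or of XOOPS itself: the hypothetical function `check_trust_path` takes the DocumentRoot and the XOOPS_TRUST_PATH directory and reports whether the latter sits inside the former and whether it carries a deny rule. It also accepts `Require all denied`, the Apache 2.4 form of the rule, which the advisory does not mention.

```shell
#!/bin/sh
# Added example (not XOOPS code). check_trust_path is a hypothetical helper.
# Usage: check_trust_path <document_root> <xoops_trust_path>
# Prints one verdict:
#   outside         trust path is not under the DocumentRoot (preferred setup)
#   inside-denied   under the DocumentRoot, .htaccess contains a deny-all rule
#   inside-exposed  under the DocumentRoot with no deny-all rule
#   invalid         one of the directories does not exist

check_trust_path() {
    # pwd -P resolves symlinks, so a link that points back into the
    # DocumentRoot is still detected as "inside".
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "invalid"; return 1; }
    trust=$(cd "$2" 2>/dev/null && pwd -P) || { echo "invalid"; return 1; }
    [ "$docroot" = "/" ] && docroot=""

    # Compare with a trailing slash so /var/www2 is not mistaken for /var/www.
    case "$trust/" in
        "$docroot"/*) ;;
        *) echo "outside"; return 0 ;;
    esac

    # Accept the Apache 2.2 rule from the advisory or its 2.4 equivalent.
    rule='^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$'
    if [ -f "$trust/.htaccess" ] && grep -Eiq "$rule" "$trust/.htaccess"; then
        # The file being present does not prove the server honours it:
        # .htaccess must also be enabled, as the advisory notes.
        echo "inside-denied"
    else
        echo "inside-exposed"
    fi
    return 0
}

# Run directly: sh check.sh /var/www/html /var/www/html/xoops_lib
if [ "$#" -eq 2 ]; then
    check_trust_path "$1" "$2"
fi
```

For an `inside-denied` result, confirm the rule is enforced by requesting a file under the directory over HTTP and checking for a 403 response.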

Of course, the best scenario would be to have clean and safe code. Unfortunately, we've missed this security bug, but we're working on the solution and will release it soon.
