Vulnerability in Protector if placed in DocumentRoot
Category : Security
Published by phppp on 09-Jan-2009 09:24
We've been made aware of a vulnerability in Protector when it is placed in the DocumentRoot. This affects all versions of XOOPS where the XOOPS_TRUST_PATH (or xoops_lib) directory that contains Protector is placed in the DocumentRoot.
As we've always communicated to you (e.g. in the article "A Guide to Make your XOOPS Installation even more secure"), the best solution is to place your xoops_lib folder outside of the webroot path. You should also change the name of xoops_lib to something different, and modify mainfile.php accordingly.
If you are not allowed to do so, add a .htaccess file to protect your Protector module:
deny from all
The .htaccess should be placed in /xoops_lib or whatever the name of your XOOPS_TRUST_PATH is.
If .htaccess is not allowed or not enabled on your server, turn off register_globals.
If you are not allowed to do any of the above, then the only solution is to remove the Protector module from your server and wait for a complete fix of the module.
Of course, the best scenario would be to have clean and safe code. Unfortunately, we've missed this security bug, but we're working on the solution and will release it soon.
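One way to audit an installation against the first two mitigations above, as an added example that is not XOOPS code: it reports whether the XOOPS_TRUST_PATH directory resolves (symlinks included) to a location inside the DocumentRoot and, if so, whether a deny rule is present in its .htaccess. The function names, status words and example paths are hypothetical, and accepting the Apache 2.4 form "Require all denied" alongside "deny from all" is an assumption added here.

```shell
#!/bin/sh
# Added example (not XOOPS code): audit where XOOPS_TRUST_PATH sits.
# Function names and status words are hypothetical.

# Print the physical (symlink-free) absolute path of a directory.
resolve() { ( cd "$1" 2>/dev/null && pwd -P ); }

# Return 0 if TRUST ($2) is DOCROOT ($1) or below it, 1 if not, 2 on error.
inside_docroot() {
    root=$(resolve "$1") || return 2
    trust=$(resolve "$2") || return 2
    root=${root%/}                      # "/" becomes "" so the pattern is "/"*
    case "$trust/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Return 0 if DIR/.htaccess has an active deny rule. "deny from all" is the
# notice's directive; "Require all denied" is the Apache 2.4 form (assumption:
# the server may run 2.4). Commented-out lines do not match.
has_deny_rule() {
    [ -f "$1/.htaccess" ] || return 1
    grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$1/.htaccess"
}

# Print OUTSIDE, INSIDE_DENIED, INSIDE_EXPOSED or ERROR.
check_trust_path() {
    rc=0
    inside_docroot "$1" "$2" || rc=$?
    case $rc in
        1) echo OUTSIDE ;;
        0) if has_deny_rule "$2"; then
               echo INSIDE_DENIED      # rule found in the file
           else
               echo INSIDE_EXPOSED; return 1
           fi ;;
        *) echo ERROR; return 2 ;;
    esac
}

# Usage (example paths): sh check.sh /var/www/html /var/www/html/xoops_lib
if [ "$#" -eq 2 ]; then check_trust_path "$1" "$2"; fi
```

INSIDE_DENIED only shows that the rule exists in the file; since .htaccess may not be allowed or enabled on the server, confirm that a request for a file under the directory is refused.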