Welcome to Geeklog, Anonymous Sunday, December 22 2024 @ 11:49 am EST
Geeklog Forums
Security test , what to do about it?
Status: offline
guganbl
Forum User
Chatty
Registered: 05/12/07
Posts: 57
1. "public_html" should never be part of your site's URL. Please read the part about public_html in the installation instructions again and change your setup accordingly before you proceed.
2. Good! You seem to have removed the install directory already.
3. Your config.php is reachable from the web.
This is a security risk and should be fixed!
4. Your logs directory is reachable from the web.
This is a security risk and should be fixed!
5. Your plugins directory is reachable from the web.
This is a security risk and should be fixed!
6. Your system directory is reachable from the web.
This is a security risk and should be fixed!
7. Your data directory is reachable from the web.
This is a security risk and should be fixed!
8. Good! You seem to have changed the default account password already.
This is reported by the Geeklog 1.4.1 internal security test.
This is my 4th post with a question today, but there are so many things that I don't know....
I tried to change permissions on files through FTP, but nothing happens; it is still the same test message.
So, direct question: how do I make config.php and the other directories non-reachable from the web?
Thanks for your time, people, and I'm sorry for being a menace today.
When I figure all these things out I'll be able to help somebody who is :banghead: like me these 2 days.
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
Did you setup the files yourself or did you use an installer provided by your webhost (like fantastico)?
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: guganbl
So direct question how do i make config.php and other directories non rechable from the web?
There's a link to the documentation in the first of these messages. And from there, you'll find another link to our FAQ. These should cover all the usual setups and how to secure them.
bye, Dirk
Status: offline
guganbl
Forum User
Chatty
Registered: 05/12/07
Posts: 57
OK, I made it; now the security check is OK except it still reports that config.php is visible from the world, but I changed permissions so only the owner can read and write it, so I don't know where I'm making a mistake. Permissions are set to 600. I don't get this; it worked on the rest of the folders and files that were visible.....
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by: guganbl
permissions are set to 600
You have to understand the difference between permissions on the file system and permissions to view files / directories from the web.
"600" means that the owner of the file (on the file system) has read and write access. That owner, however, is your webserver. So if that file is then in the (public) webroot, and you don't tell the webserver not to serve it, it will happily display it for anyone requesting it from their browser.
For some files, like the config.php, your webserver will still need read access (on the file system), so that it can be read from PHP. Under no circumstances, however, should this file be allowed to be requested from a browser (i.e. via an HTTP request from the web).
So you need to instruct your webserver to deny requests to that file. That's usually done (assuming an Apache webserver) in a .htaccess file.
bye, Dirk
Status: offline
guganbl
Forum User
Chatty
Registered: 05/12/07
Posts: 57
heh, that is why that file called .htaccess is in my root dir. I was always wondering what it is doing.
Thanks Dirk, now I have learned something. I opened this file but I don't understand anything.
# -FrontPage-
# Hide dotfiles, backups and FrontPage artefacts from directory listings only;
# this does not stop anyone from requesting them directly.
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
# With "order deny,allow" the allow line wins, so everyone may GET and POST.
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
# Nobody may PUT or DELETE.
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
# attempts to stop the Santy worm
# Requests whose query string, user agent or cookie match these patterns
# are redirected to 127.0.0.1.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)wget%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} lwp-trivial [NC,OR]
RewriteCond %{HTTP_COOKIE}% s.*):%22test1%22%3b
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
# Referrer spam :-(
# Requests referred from these two domains are redirected to 127.0.0.1 too.
RewriteCond %{HTTP_REFERER} ^http://.*hosting4u.gb.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*4free.gb.com.*$ [NC]
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
# Serve /404.php for requests that match nothing.
ErrorDocument 404 /404.php
This is what's written inside, so how do I tell my webserver not to display config.php, for example, and the plugins folder?
I don't understand the things in this file, so I would again need some help.
Thanks
Sasha
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
There are lots of htaccess / Apache tutorials on the web (not to mention the Apache documentation itself), so I'd suggest you consult one of those if you want to understand how things work.
For now, try something like
Text Formatted Code
Redirect 403 /path/to/your/config.php
where the path is the bit in the URL after the domain name (not the path on the file system).
bye, Dirk
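The .htaccess Dirk describes in his two replies, written out as an added example (it is not code from the thread or from the Geeklog project) for the case where config.php and the logs, plugins, system and data directories still sit inside the document root. It assumes Apache with AllowOverride All (or at least AuthConfig, FileInfo, Limit and Options) for this directory and a site served directly under the domain rather than in a subfolder; the directory names are the ones from the security test at the top of the thread, and both the Apache 2.4 and the Apache 2.2 syntax are shown.

```apache
# Added example, not from the thread or the Geeklog project: an .htaccess for
# a Geeklog install whose config.php and logs/, plugins/, system/ and data/
# directories still sit inside the document root. Assumes Apache with
# AllowOverride All (at least AuthConfig, FileInfo, Limit and Options) for
# this directory and a site served directly under the domain, not in a
# subfolder.

# Block the file by name. <Files> matches on the file-system name of what
# Apache is about to serve, so it catches config.php in any subdirectory too.
# PHP's include/require reads the file through the file system, not HTTP,
# so Geeklog itself keeps working.
<Files "config.php">
    # Apache 2.4 (mod_authz_core)
    Require all denied
    # Apache 2.2 equivalent: uncomment these two and remove the Require line
    # Order Deny,Allow
    # Deny from all
</Files>

# Block whole directories by URL path (the part after the domain name, not the
# path on disk). Any request to /logs, /logs/..., /plugins/... and so on gets
# a 403 before Apache looks at the file system. Refusing the directory also
# stops PHP files under plugins/ or system/ from being run directly.
RedirectMatch 403 ^/(logs|plugins|system|data)(/|$)

# No automatic directory listings anywhere under this directory, so a folder
# without an index file does not reveal its contents.
Options -Indexes
```

Which syntax applies depends on the Apache version: `Require all denied` is Apache 2.4, `Order Deny,Allow` with `Deny from all` is 2.2, and using the wrong one in .htaccess usually breaks the whole directory with a 500 rather than producing a 403, because the file is parsed on every request. After uploading, check from outside with `curl -I http://yoursite/config.php` and `curl -I http://yoursite/plugins/`; both should answer 403, and the Geeklog security test should stop complaining. File-system permissions such as 600 do not enter into this, as Dirk says: the webserver still opens config.php through the file system for PHP, while HTTP requests for it are refused. Moving those files above the document root, as item 1 of the test and the installation docs ask, removes the need for this file altogether.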