This all seems so nostalgic... I could swear this has been discussed and ignored before.
@vaughn, hilarious.
the new password branch in svn uses 2 salts to hash the password with and then the final password +2salts is hashed using sha256.
it's basicly (broken down)
Good idea. Suggest also adding a password salt to make hash cracking more difficult when users choose a weak password, as no hash algorithm can protect against dictionary attacks.
I looked into this for xoops a while back. I could be (badly) wrong, but it looked like a new algorithm could be substituted in directly without any large code changes. The main issue was what alternative hashes are widely shipped with php.
The salt could be set in the installer, and also shouldn't require much changes beyond that.
i just provided an online demonstration of an exploit in xtorrent module to it's author.
in the demonstration i obtained his admin uname, password hash & email address.
scarey? well not as scarey as the fact it took 2 seconds, yes 2 seconds to decrypt the md5 hash back to plaintext.
i then logged in using the decrypted plaintext pass.
i created a custom block from admin, with info of the demo.
http://www.unseen.org.au/
i have not done anything serious to the site, and the owner does now accept that sql injection is a major cause for concern. & he is aware of my access.
really if it took 2 seconds to decrypt the hash to plaintext and login, then we really need to push the new password encryption branch into 1.1 ASAP. in fact it's a security necessity..
Ok I see it now. We know what we are doing - that's important. Thanks
require '../../mainfile.php' is not dynamic. This string forces the script to look in the document root.
it would need to match your location.
in the case that you position your mainfile.php in your subroot
require '../mainfile.php'
in the case that your mainfile is in your trust_path
require XOOPS_TRUST_PATH '/mainfile.php'
etc., etc.
I am sure that GiJoe would encourage moving tha mainfile into the XOOPS_TRUST_PATH.
oops, this does not work for one php script of D3 modules': the "module_icon.php" under XOOPS_ROOT_PATH/modules/<d3_instance_name>/ . As of it, D3 instance images (module_icon.png) will not show up.
Note: module_icon.png is dynamically created by module_icon.php (using gd). The module_icon.php reads
Very clear now. Thanks
If there's a certain type of server problem - which disables php running as code - then the variables of mainfile.php can be visible.
This way - the values are not as easily available in the event of this problem happening.
Thanks Will.
What is the advantage of this to the solution of the current icms installer that move away MySQL info from mainfile.php? (I believe it's credited to xoops-tips.com)
Definately a good idea to look at for 1.1.
Just to inform you all.
Today I found the entries as shown in the pictures below in my 'log' (Php-Stats).
I've blocked all 3 IP's but will probably block the whole IP-ranges from Turkey soon. Note that 1 IP belongs to Amazone...
I am glad I got Protector installed.
For sure that more XOOPS websites are under attack at the moment.
I almost forgot.
I set chmod permissions on the trust_path and mainfile_path folders to 750 just like public.
As far as permissions for owner and groups on the two folders outside of public. I set those to the account.account
Then all three of the mainfiles are set to 444.
I do need to check with the host about the 444. They might want to keep the chmod 644 like the rest of files...
I 'll post back if thats what they recommend.
Now that was a killer post dude! Perfect...
I now have a trust path and a different mainfile path out side of public. This install is the tightest I have ever been able to get this software. I feel like a proud poppa...
Ty Will
This isn't a web accessible folder, and if you are seriously worried about your trust path... hide it.
how?
Easy make a duplicate of your mainfile.php and hide it below your root folder.
Open public_html/mainfile.php
and replace it with the folowing.
Hello, I just installed the impresscms_1.0_rc.tar.gz for the first time. On a server running php with a handler called suphp.
My question is related to the trust_path of impress and the correct permissions the folder needs to be set at.
All the impress files are chmod 644 and folders are chmod 755 inside of the public_html directory. Except for the mainfile which is set to chmod 444
Also in order for the cms to work the owner and group permissions need to be set as well. This is called chown in the server management world.
The layout of those are
chown account.account -R /home/account/public_html/
This gives all files and folders a setting of
owner = account & group = account
and
chown account.nobody /home/account/public_html/
Make sure your public_html folder is set to
owner = account & group = nobody
-----
Like I said above this post is related to the impress trust_path folder.
So what would be the correct permission for this folder to have the most secure environment possible? Meaning what should the chmod, owner and group be set to prevent hackers?
Thanks for your time...
Regards
Installing impresscms on a server with the suphp handler enabled.
_______________________________________
Using Putty or WinScp Custom Commands (chmod)
Logged in under root or accountname
-----
Warning:
cd to/correct/dir/first
#1
chmod -R 755 *
Changes all files and folders to 755 First
All I do is right click public_html and run from winscp
You can paste in winscp custom command and check the remote command box. Save it
#2
find -type f -print0|xargs -0 chmod 644
Searches for all non-folders and chmod them 644
All I do is right click public_html and run from winscp
You can paste in winscp custom command and check the remote command box. Save it
______________________________________
Using Putty Only from Root (chown)
-----
chown account.account -R /home/account/public_html/
chown account.nobody /home/account/public_html/
______________________________________
Last step go back and make sure your public_html folder is still set at default.
chmod 750
______________________________________
Server security is the name of the game.
I will be posting a little later about setting up your trust_path in impresscms. These are pretty tight settings. So it should be interesting.
I have tested and tested this every way I can think of. Root and account owner makes no difference. impresscms.tar.gz all files and folders are 775 uncompressed. Xoops.tar.gz all file and folders are 777 uncompressed.
What is used to make these releases?
Quote:
Dave_L wrote:
Files in a .tar.gz always have permissions. When extracting the contents of a .tar.gz, I think it works like this:
If the current user is root, the permissions are preserved. If the current user is not root, the permissions are overridden by the umask setting. tar has options for modifying this behavior.
Of course, this only applies to Linux.