Geeklog The Ultimate Weblog System
Friday, May 16 2008 @ 12:18 AM EDT

Don't forget to secure your installation

Geeklog
Assuming that one has not implemented any WebServer based or file access security changes:

The default install of Geeklog does not secure the installation and will leave your admin/install/install.php file open for anyone to access. I recommend a few things:

  • Remove access rights to the directory
  • Change the name of the install directory
  • Configure webserver security - e.g. use Apache .htaccess
  • All of the above

Doing a little check before submitting this note, 50% of the sites I checked have open access to install.php. I debated about posting this, in case someone thinks this would be their idea of fun. Hopefully, it will be seen as a reminder to secure our installs - as anyone that has installed GL will know the default install path.

A recommendation would be for GL to include an install feature like Gallery that will secure all access and redirect anyone without proper authentication to the main page.

Cheers,
Blaine

    8 comments
    Not exactly RTFM, but ...
    Authored by: Dirk on Thursday, March 21 2002 @ 12:26 AM EST

    Just wanted to point out that after the install went through you are reminded to secure your installation directory. /path/to/geeklog/public_html/admin/install/success.php says:

    WARNING: Before you do anything else you need to make sure that /path/to/geeklog/admin/install/install.php can not be executed by the webserver otherwise someone could do damage to your new Geeklog installation. Either change the file permissions so it can't be executed OR move the file someplace outside your web tree.

    But I guess not everyone is reading this passage carefully or forgets to do as instructed over the excitement of having Geeklog up and running ...

    bye, Dirk

    Thanks
    Authored by: Anonymous on Thursday, March 21 2002 @ 06:40 AM EST
    Hi,

    Thanks for reminding us... I had my install dir wide open.

    Grtx,
    Bas
    What I do
    Authored by: Matty on Thursday, March 21 2002 @ 06:47 AM EST
    Maybe I'm paranoid, but I prefer not to just change the permissions. I always do a "shred -fu install.php". Am I missing something, or is there a reason for keeping it after the install is performed?

    Well, here's an idea...
    Authored by: Tony on Thursday, March 21 2002 @ 09:36 AM EST
    I think with the next release I will do this. After the installation is complete, I will set a flag in the vars table that denotes that the installation script is disabled. To re-run the installation script, you will need to update that flag via the DB first. I will modify the script to double check that flag before proceeding. If lib-database.php can't be found then I'll assume the database doesn't exist and let them proceed.

    How's that sound?

    -----
    The reason people blame things on previous generations is that there's only one other choice.
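    An added sketch of the guard Tony describes (example code, not Geeklog's own): the installer refuses to run once a flag row exists in the vars table, and skips the check entirely when lib-database.php is missing. Assumed here, not on the page: the vars table has `name` and `value` columns, the flag row is called `install_disabled`, and a PDO handle is available.

```php
<?php
// Added example, not Geeklog code: the "installation disabled" flag proposed in the thread.
// Assumptions (not from the page): vars table has `name`/`value` columns, the flag row is
// named 'install_disabled', and the caller supplies a PDO connection.

function installAllowed(string $libDatabasePath, PDO $db, string $varsTable = 'gl_vars'): bool
{
    // No lib-database.php: assume the database layer (and the site) does not exist yet.
    if (!is_file($libDatabasePath)) {
        return true;
    }
    $stmt = $db->prepare("SELECT value FROM {$varsTable} WHERE name = 'install_disabled'");
    $stmt->execute();
    $flag = $stmt->fetchColumn();          // false when the row has never been written
    // No row means the installer never completed; only an explicit '1' blocks it.
    return $flag !== '1';
}

function disableInstaller(PDO $db, string $varsTable = 'gl_vars'): void
{
    // Last step of a successful install. Re-running requires a manual DB update
    // (e.g. setting the value back to '0'), which is the point of the flag.
    $db->exec("DELETE FROM {$varsTable} WHERE name = 'install_disabled'");
    $stmt = $db->prepare("INSERT INTO {$varsTable} (name, value) VALUES ('install_disabled', '1')");
    $stmt->execute();
}

// Stand-alone demonstration against a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE gl_vars (name TEXT PRIMARY KEY, value TEXT)');
$lib = tempnam(sys_get_temp_dir(), 'libdb');   // stands in for an existing lib-database.php

echo installAllowed($lib, $db) ? "first run: allowed\n" : "first run: refused\n";
disableInstaller($db);
if (!installAllowed($lib, $db)) {
    header('HTTP/1.0 403 Forbidden');          // what the real script would send; inert on the CLI
    echo "second run: refused, flag is set\n";
}
$db->exec("UPDATE gl_vars SET value = '0' WHERE name = 'install_disabled'");
echo installAllowed($lib, $db) ? "after manual reset: allowed\n" : "still refused\n";
unlink($lib);
```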
    Well, here's an idea...
    Authored by: efarmboy on Saturday, March 23 2002 @ 11:46 AM EST
    Tony,

    This sounds like a good safety check to have and provides you with another control mechanism within your install program logic - should the script be run more than once.

    I've not tried running the install.php since I came up and don't want to try considering all is fine. I just modify the config.php file as required.

    What controls are in place now in install.php should you re-run it - and would you run it to modify config settings?

    On another note: I have used a .htaccess file in my geeklog root directory which contains "IndexIgnore *". This is working fine - except I noticed the "Admin Home" link in the template thtml files only specifies the directory instead of the full path to admin/index.php. With IndexIgnore on, it can't list the directory. I have modified ALL my template files for each module to specify the full filename, but I don't like this as it means a lot of rework possibly on upgrades.

    Can you consider specifying the full path/filename.

    Thanks,
    Blaine
    Don't forget the other Admin accounts ...
    Authored by: Dirk on Saturday, March 30 2002 @ 02:35 AM EST

    As a reminder: Don't forget to change the passwords for the other Admin accounts (StoryAdmin, etc.), too. Or, if you don't need these accounts, delete them.

    bye, Dirk (who just found a Geeklog site where he could log in as StoryAdmin with the default password ...)

    Why keep the Install Directory?
    Authored by: Anonymous on Saturday, April 20 2002 @ 02:56 PM EDT
    Why not just delete it. In any other script - they tell you to delete the install directory. This completely prevents anyone from screwing up your site.

    If for some reason - there is a need to keep it - please tell me. I looked at the 3 files in the directory and couldn't see what would continue to be utilized from the script. Just seems like an open invitation for hackers if you ask me.
    Don't forget the other Admin accounts ...
    Authored by: Anonymous on Saturday, May 04 2002 @ 03:54 PM EDT
    If one goes about deleting the *Admin accounts, while keeping the *Admin groups, will anything be affected in the default-install system?

    Thanks,

    Phil (pak1@cec.wustl.edu)