Subject: fantastico installations insecure

Posted on: 20/10/06 12:57am
By: Imaginate

Hello, I have a number of installations of Geeklog that were done by a Fantastico script. It seems the system directory and plugins directory are all in the root directory. What are the steps I need to take to secure these installations?

Also, are older installations like GeekLog v1.3.9 less vulnerable to attacks because they don't have the fckeditor in them?



Posted on: 20/10/06 01:40am
By: jmucchiello

No script ever gets it 100% right. You are better off doing it by hand no matter how torturous the cpanel (or similar) interface may be. Geeklog's directory layout has not changed in quite a while.

You need to protect all the directories not in the public_html directory: backups, data, language, logs, plugins, sql and system. Simplest method for this is probably to add password protection to the directory through an .htaccess or .htpasswd file. (Assuming your webhost is using Apache.)
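Added example (not part of the original thread and not Geeklog code): a Python check that classifies each of the directories listed above as outside the web root, inside it but covered by a restricting `.htaccess`, or exposed. The function names, status strings and the temporary directory layout are constructed for illustration, and Apache is assumed as in the post.

```python
import os
import re
import tempfile

# Directories the post above says must not be publicly reachable.
PRIVATE_DIRS = ("backups", "data", "language", "logs", "plugins", "sql", "system")
RESTRICT = re.compile(r"^\s*(AuthType|Require|Deny)\b", re.I | re.M)

def is_restricted(path, docroot):
    """Heuristic: path or an ancestor up to docroot has a restricting .htaccess."""
    cur = path
    while True:
        ht = os.path.join(cur, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                if RESTRICT.search(fh.read()):
                    return True
        if cur == docroot:
            return False
        cur = os.path.dirname(cur)

def audit(docroot, parent):
    """Classify each private directory found directly under parent."""
    docroot, parent = os.path.realpath(docroot), os.path.realpath(parent)
    report = {}
    for name in PRIVATE_DIRS:
        path = os.path.join(parent, name)
        if not os.path.isdir(path):
            continue
        if os.path.commonpath([docroot, path]) != docroot:
            report[name] = "outside web root"
        elif is_restricted(path, docroot):
            report[name] = "in web root, restricted"
        else:
            report[name] = "EXPOSED"
    return report

def demo():
    """Constructed all-in-one-directory layout, audited before and after protecting backups."""
    with tempfile.TemporaryDirectory() as docroot:
        for name in ("backups", "system", "plugins"):
            os.makedirs(os.path.join(docroot, name))
        before = audit(docroot, docroot)
        with open(os.path.join(docroot, "backups", ".htaccess"), "w") as fh:
            fh.write("AuthType Basic\nRequire valid-user\n")
        return before, audit(docroot, docroot)

if __name__ == "__main__":
    print(demo())
```

The `.htaccess` test only reads the file's contents; whether Apache honors it depends on the host's `AllowOverride` setting, so confirm by requesting a file in the directory from a browser.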


Posted on: 20/10/06 01:56am
By: Imaginate

Fantastico installs all the folders into one directory... so should I take those folders you mentioned and place them in a new password-protected directory that I create myself? And will I have to change any paths in the config.php file?



Posted on: 20/10/06 08:46am
By: 1000ideen

Maybe compare here: http://www.geeklog.net/faqman/index.php?op=view&t=56

You could make 1 new directory below public_html like public_html/geeksystem/ and password protect it from cpanel. Now it is a little difficult to explain what files to move in there.

As Geeklog is already running, you need to change the paths in the config.php ($_CONF['path']) and in the lib-common.php (require_once). Unfortunately you will have to understand what the absolute path is if you do this.

I wonder if it would be secure enough to move only the config.php into the new subdir public_html/geeksystem/ and password protect it? That would be easier for Fantastico users.


Posted on: 20/10/06 01:55pm
By: Dirk

[QUOTE BY= 1000ideen] I wonder if it would be secure enough to move only the config.php into the new subdir public_html/geeksystem/ and password protect it? That would be easier for Fantastico users.[/QUOTE]
I would actually worry more about the directories than about config.php. The backups directory invites anyone to download a database backup (if they can guess or somehow find out the file name), the systems and plugins directories may contain files that could be used for spamming or even hacking your site, ... config.php is only at risk in case of a server misconfiguration.

bye, Dirk


Posted on: 20/10/06 06:19pm
By: Imaginate

Hey, that was very simple to secure... just moving the folders and resetting the paths. Not complicated at all.

Is there any reason to upgrade to the latest version or is 1.39 secure enough?



Posted on: 20/10/06 07:50pm
By: jmucchiello

As Dirk has said in many other posts, 1.3.9 has known security issues and is no longer supported. This is another reason why you should do your own install. If you learn how to install it, you will understand how to upgrade it later when there are new security patches or future features that you want.

Geeklog - Forum
https://www.geeklog.net/forum/viewtopic.php?showtopic=71191