Subject: Check the security!

Posted on: 07/08/11 04:13am
By: Zippo

1. "public_html" should never be part of your site's URL. Please read the part about public_html in the installation instructions again and change your setup accordingly before you proceed. (As far as I know, the Geeklog installation creates this folder?!?!?!?)

2. Your db-config.php is reachable from the web. This is a security risk and should be fixed!

3. Your logs directory is reachable from the web. This is a security risk and should be fixed!
Your plugins directory is reachable from the web. This is a security risk and should be fixed!
Your system directory is reachable from the web. This is a security risk and should be fixed!
Your backups directory is reachable from the web. This is a security risk and should be fixed!
Your data directory is reachable from the web. This is a security risk and should be fixed!

How do I get rid of these?

Re: Check the security!

Posted on: 07/08/11 05:04am
By: Dirk

Quote by: Zippo

1. "public_html" should never be part of your site's URL. Please read the part about public_html in the installation instructions again and change your setup accordingly before you proceed. (As far as I know, the Geeklog installation creates this folder?!?!?!?)


No, the installer does not create this directory. "public_html" is an often-used name on webservers for the public web directory or document root. Other popular names are "htdocs" or "www".

As the installation instructions explain, the bits that are in public_html should go into your document root (whatever it is named on your server) - and only these files should be reachable from the web. The rest of the files should be placed somewhere outside of the document root so that they are not accessible from the web (i.e. you can not enter a URL into your browser to call up such a file). That's for security reasons.

If you can't install Geeklog like that, see Installing Geeklog entirely within the web root

bye, Dirk

Re: Check the security!

Posted on: 07/08/11 05:23am
By: Zippo

For the next version: PLEASE change the install script & documentation.
Because this time I followed the instructions precisely!
I only copied the files which should be copied there.
Maybe it is because I use an add-on domain?

What you are saying is:
That I have to re-install Geeklog for the third time?

And what about the other numbers????
Better know this before I re-install...

Re: Check the security!

Posted on: 07/08/11 07:32am
By: Dirk

What would you suggest we change in the installation instructions? All this is explained there. If it's not clear, please tell us what you found confusing. Thanks.

The other items from your original post are just a result of that basic mistake of putting files and directories where they shouldn't be.

bye, Dirk

Re: Check the security!

Posted on: 07/08/11 07:37am
By: Zippo

4. Place the contents of geeklog-1.8.0/public_html/ into your web root directory on your web server. The web root directory is often named "public_html", "htdocs", or "www".

This is EXACTLY what I have done, and which is a security risk according to you and GeekLog.

So: Who's right? The installation text Or the security check?

Please fix one of them!
Re: Check the security!

Posted on: 07/08/11 07:52am
By: Zippo

Quote by: Dirk

The other items from your original post are just a result of that basic mistake of putting files and directories where they shouldn't be.

bye, Dirk

Confused: Ehhh...
A. Where should I put them?? Closer to my webroot I cannot put them.
B. I do not see any public_html here.....

2. is in:
http://kom.ninanauk.net/db-config.php

3. is in:
http://kom.ninanauk.net/logs
http://kom.ninanauk.net/plugins
http://kom.ninanauk.net/system
http://kom.ninanauk.net/backups
http://kom.ninanauk.net/data


P.S.: http://kom.ninanauk.net is a redirection of http://www.ninanauk.net/kom

Re: Check the security!

Posted on: 07/08/11 07:54am
By: Dirk

So what's the name of the document root on your webserver? The idea is that whatever that directory's name is, you should place the contents of Geeklog's public_html into it.

Creating a public_html directory is - in most cases - the wrong thing to do (unless you can change the document root in your server setup such that it points to public_html).

Does that help?

bye, Dirk

Re: Check the security!

Posted on: 07/08/11 07:56am
By: Dirk

Quote by: Zippo

A. Where should I put them?? Closer to my webroot I cannot put them.
B. I do not see any public_html here.....

2. is in:
http://kom.ninanauk.net/db-config.php


Sounds like you should follow the advice from the FAQ article I mentioned above then and put all the "other stuff" (everything that's not in public_html) in a password-protected directory: Installing Geeklog entirely within the web root.

bye, Dirk
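As an added example (not code from the thread or from Geeklog itself), a small Python check of the layout Dirk describes: it reports which of the items from the first post would get a URL because they sit below the document root, comparing the thread's setup (everything unpacked into the web root) with the intended one. The item names are the ones the security check lists; the `www` directory name and the temporary tree are constructed.

```python
import os
import tempfile

# Items Geeklog ships next to public_html; the installer's security check
# flags each one that can be fetched with a URL.
SENSITIVE_ITEMS = ("db-config.php", "logs", "plugins", "system", "backups", "data")


def web_reachable(document_root, geeklog_dir):
    """Return the sensitive items that sit below the document root (and so have a URL).
    document_root: what the server serves (public_html, htdocs, www, ...).
    geeklog_dir:   where db-config.php, logs/, plugins/ etc. were unpacked.
    """
    root = os.path.realpath(document_root)
    exposed = []
    for name in SENSITIVE_ITEMS:
        path = os.path.realpath(os.path.join(geeklog_dir, name))
        # common prefix equal to the docroot itself means the item lies inside it
        if os.path.exists(path) and os.path.commonpath([root, path]) == root:
            exposed.append(name)
    return exposed


def make_layout(base, inside_webroot):
    """Constructed Geeklog tree under `base`; returns (document_root, geeklog_dir).
    True:  the whole archive unpacked into the docroot, as in this thread.
    False: only public_html's contents in the docroot, the rest one level above.
    """
    docroot = os.path.join(base, "www")
    geeklog_dir = docroot if inside_webroot else base
    os.makedirs(docroot, exist_ok=True)
    for name in SENSITIVE_ITEMS:
        target = os.path.join(geeklog_dir, name)
        if name.endswith(".php"):
            open(target, "w").close()
        else:
            os.makedirs(target, exist_ok=True)
    return docroot, geeklog_dir


def demo():
    """Check both constructed layouts; returns {label: list of exposed items}."""
    results = {}
    for label, inside in (("broken", True), ("intended", False)):
        results[label] = web_reachable(*make_layout(tempfile.mkdtemp(), inside))
    return results


if __name__ == "__main__":
    for label, exposed in demo().items():
        print(label, "->", exposed or "nothing reachable from the web")
```

Point `web_reachable` at your real document root and the directory holding db-config.php to see the same list the security check produces, before touching the web server.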

Re: Check the security!

Posted on: 07/08/11 08:31am
By: Zippo

I try to place a sitemap in here... but it keeps telling me that I am spamming... but not telling me what I am really doing wrong or what to change.
I seem to keep bumping into issues which fail to explain what I am doing wrong.
(I tried to put the sitemap in code but that does not work either)

My cpanel tells me it protected the folder, but I do not see a .htaccess and .htpasswd file, so that seems not to work either


Re: Check the security!

Posted on: 07/08/11 08:46am
By: Zippo

I pointed the addon domain directly to the public_html. That resolves a lot of safety issues....

Re: Check the security!

Posted on: 07/08/11 09:09am
By: ::Ben

Quote by: Zippo

I pointed the addon domain directly to the public_html. That resolves a lot of safety issues....

but sensitive files are still accessible from the web...

Your web root is where you stored your index.htm page (with the cat picture).
What is its directory name?

Ben


Re: Check the security!

Posted on: 07/08/11 09:22am
By: Zippo

Nice try! But no!

http://www.ninanauk.net = The standard website of our cattery! (Let us say that it is my sponsor.) That is the one you were on.

http://kom.ninanauk.net/public_html = where the GeekLog index.php is located BUT

http://kom.ninanauk.net is now rerouted to -> http://kom.ninanauk.net/public_html

Geeklog - Forum
https://www.geeklog.net/forum/viewtopic.php?showtopic=93084