Welcome to Geeklog, Anonymous Thursday, March 28 2024 @ 07:58 pm EDT

Geeklog Forums

fantastico installations insecure


Status: offline

Imaginate

Forum User
Chatty
Registered: 12/03/03
Posts: 41
Hello I have a number of installations of geeklog that were done by a fantastico script. It seems the system directory and plugins directory are all in the root directory. What are the steps I need to take to secure these installations?

Also are older installations like GeekLog v1.3.9 less vulnerable to attacks because they dont have the fckeditor in them?

 Quote

Status: offline

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
No script ever gets it 100% right. You are better off doing it by hand no matter how torturous the cpanel (or similar) interface may be. Geeklog's directory layout has not changed in quite a while.

You need to protect all the directories not in the public_html directory: backups, data, language, logs, plugins, sql and system. Simplest method for this is probably to add password protection to the directory through an .htaccess or .htpasswd file. (Assuming your webhost is using Apache.)
 Quote

Status: offline

Imaginate

Forum User
Chatty
Registered: 12/03/03
Posts: 41
Fantastico installs all the folders into one directory.... so should I take those folders you mentioned and place them in a new password protected directory that i create myself? and will I have to change any paths in the config.php file?

 Quote

Status: offline

1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
Maybe compare here: http://www.geeklog.net/faqman/index.php?op=view&t=56

You could make 1 new directory below public_html like public_html/geeksystem/ and password protect it from cpanel. Now it is a little difficult to explain what files to move in there.

As Geeklog is already running you need to change the paths in the config.php ($_CONF['path'] ) and in the lib-common.php (require_once). Unfortunately you will have to understand what the absolut path is if you do this.

I wonder if it would be secure enough to move only the config.php into the new subdir public_html/geeksystem/ and password protect it ? that would be easier for fantastico users.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by 1000ideen: I wonder if it would be secure enough to move only the config.php into the new subdir public_html/geeksystem/ and password protect it ? that would be easier for fantastico users.

I would actually worry more about the directories than about config.php. The backups directory invites anyone to download database backup (if they can guess or somehow find out the file name), the systems and plugins directories may contain files that could be used for spamming or even hacking your site, ... config.php is only at risk in case of a server misconfiguration.

bye, Dirk
 Quote

Status: offline

Imaginate

Forum User
Chatty
Registered: 12/03/03
Posts: 41
hey that was very simple to secure... just moving the folders and resetting the paths.. not complicated at all.

Is there any reason to upgrade to the lastest version or is 1.39 secure enough?

 Quote

Status: offline

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
As Dirk has said in many other posts, 1.3.9 has known security issues and is no longer supported. This is another reason why you should do your own install. If you learn how to install it, you will understand how to upgrade it later when there are new security patches or future features that you want.
 Quote

All times are EDT. The time is now 07:58 pm.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content