Welcome to Geeklog, Anonymous Friday, May 17 2024 @ 04:16 pm EDT

Geeklog Forums

Security test , what to do about it?


guganbl (Forum User, Chatty; Registered: 05/12/07; Posts: 57)

1. "public_html" should never be part of your site's URL. Please read the part about public_html in the installation instructions again and change your setup accordingly before you proceed.
2. Good! You seem to have removed the install directory already.
3. Your config.php is reachable from the web. This is a security risk and should be fixed!
4. Your logs directory is reachable from the web. This is a security risk and should be fixed!
5. Your plugins directory is reachable from the web. This is a security risk and should be fixed!
6. Your system directory is reachable from the web. This is a security risk and should be fixed!
7. Your data directory is reachable from the web. This is a security risk and should be fixed!
8. Good! You seem to have changed the default account password already.

This is reported by the gl 1.41 internal security test. This is my 4th post with a question today, but there are so many things that I don't know.... I tried to change permissions on files through ftp, but nothing happens, it is still the same test message. So, direct question: how do I make config.php and the other directories non-reachable from the web? Thanx for your time people and I'm sorry for being a menace today. When I figure all these things out I'll be able to help somebody who is :banghead: like me these 2 days.

jmucchiello (Forum User, Full Member; Registered: 08/29/05; Posts: 985)

Did you set up the files yourself or did you use an installer provided by your webhost (like Fantastico)?

Dirk (Site Admin, Admin; Registered: 01/12/02; Posts: 13073; Location: Stuttgart, Germany)

Quote by: guganbl

So, direct question: how do I make config.php and the other directories non-reachable from the web?


There's a link to the documentation in the first of these messages. And from there, you'll find another link to our FAQ. These should cover all the usual setups and how to secure them.

bye, Dirk

guganbl (Forum User, Chatty; Registered: 05/12/07; Posts: 57)

One gl site I set up myself, and for the other I used the hosting service's setup, but the security test is reporting the same thing on both of them.
I'll go through the docs that Dirk posted links to and I think I will figure it out.

guganbl (Forum User, Chatty; Registered: 05/12/07; Posts: 57)

Ok, I made it. Now the security check is ok except it still reports that config.php is visible from the world, but I changed permissions so only the owner can read and write to it, so I don't know where I'm making a mistake. Permissions are set to 600. I don't get this, it worked on the rest of the folders and files that were visible.....

Dirk (Site Admin, Admin; Registered: 01/12/02; Posts: 13073; Location: Stuttgart, Germany)

Quote by: guganbl

permissions are set to 600


You have to understand the difference between permissions on the file system and permissions to view files / directories from the web.

"600" means that the owner of the file (on the file system) has read and write access. That owner, however, is your webserver. So if that file is then in the (public) webroot, and you don't tell the webserver not to serve it, it will happily display it for anyone requesting it from their browser.

For some files, like the config.php, your webserver will still need read access (on the file system), so that it can be read from PHP. Under no circumstances, however, should this file be allowed to be requested from a browser (i.e. via an HTTP request from the web).

So you need to instruct your webserver to deny requests to that file. That's usually done (assuming an Apache webserver) in a .htaccess file.

bye, Dirk

guganbl (Forum User, Chatty; Registered: 05/12/07; Posts: 57)

Heh, that is why that file called .htaccess is in my root dir. I was always wondering what it is doing.
Thanx Dirk, now I have learned something. I opened this file but I don't understand anything.
# -FrontPage-

# Keep dotfiles, editor backups and FrontPage files out of directory listings
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

# With "order deny,allow" the later "allow from all" wins, so this block
# still lets everyone GET and POST (FrontPage boilerplate)
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
# Refuse PUT and DELETE requests from everyone
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
# attempts to stop the Santy worm: requests whose query string, user agent
# or cookie match its signatures are redirected to localhost
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(.*)wget%20 [OR]
RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)highlight=%2527 [OR]
RewriteCond %{HTTP_USER_AGENT} lwp-trivial [NC,OR]
# (this line was mangled by the forum's emoticon filter; reconstructed as
# a cookie containing the serialized PHP string s:N:"test1";)
RewriteCond %{HTTP_COOKIE} s:(.*):%22test1%22%3b
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
# Referrer spam :-( -- send requests from these referrers to localhost
RewriteCond %{HTTP_REFERER} ^http://.*hosting4u.gb.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://.*4free.gb.com.*$ [NC]
RewriteRule ^.*$ http://127.0.0.1/ [L,R=301]
# Serve the site's own page for "not found" errors
ErrorDocument 404 /404.php
This is what's written inside, so how do I tell my webserver not to display config.php, for example, and the plugins folder?
I don't understand the things in this folder, so I would again need some help.
Thanx
Sasha

Dirk (Site Admin, Admin; Registered: 01/12/02; Posts: 13073; Location: Stuttgart, Germany)

There are lots of htaccess / Apache tutorials on the web (not to mention the Apache documentation itself), so I'd suggest you consult one of those if you want to understand how things work.

For now, try something like
Redirect 403 /path/to/your/config.php
where the path is the bit in the URL after the domain name (not the path on the file system).

bye, Dirk

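Putting Dirk's two points together (file-system permissions do not stop the webserver from serving a file; the deny has to be expressed in .htaccess, and `Redirect 403` is one way to express it), here is a complete .htaccess fragment covering every path the security test flagged. It is an added example, not code from the thread or from the Geeklog project, and it assumes Geeklog's private files sit directly under the document root with the default names from the first post (config.php, logs, plugins, system, data).

```apache
# Added example (not from the thread or from Geeklog): refuse web access to
# Geeklog's private files and directories. The webserver keeps read access on
# the file system, so PHP can still include config.php; only HTTP requests
# for these paths are refused. Paths assume the default names from the first
# post, placed directly under the document root.

# config.php: Apache 2.2 syntax, matching the order/deny style already used
# in the posted .htaccess.
<Files "config.php">
    Order deny,allow
    Deny from all
</Files>

# Whole directories, matched by URL path. This is Dirk's "Redirect 403"
# generalised with a regular expression: any request for /logs, /plugins,
# /system or /data, or for anything underneath them, gets a 403.
# If Geeklog lives in a subdirectory, put that prefix in front of the group,
# e.g. ^/geeklog/(logs|...)
RedirectMatch 403 ^/(logs|plugins|system|data)(/|$)

# No automatic directory listings anywhere under this .htaccess.
# Needs "AllowOverride Options" (or All) in the host's configuration; if the
# site starts answering 500 after adding this line, the host does not allow
# it here and the line has to go.
Options -Indexes

# On Apache 2.4 the access-control syntax changed; use this for config.php
# instead of the Order/Deny block above:
# <Files "config.php">
#     Require all denied
# </Files>
```

The deny applies only to requests that reach Apache; it does not stop PHP from reading the file, which is exactly the split Dirk describes. Where the host permits it, the tidier layout is the one the test's first item points at: keep these files outside the document root entirely, so there is nothing to deny.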
guganbl (Forum User, Chatty; Registered: 05/12/07; Posts: 57)

Thanx Dirk, you helped me a lot!
Now I don't have security warnings, it looks like everything is ok, and I wouldn't have made it without your help.
Sasha
:banana:

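A way to double-check the result Sasha reports, independently of Geeklog's built-in test: request each of the flagged paths and see what status the webserver answers with. This is an added example, not code from the thread or from Geeklog; it assumes curl is installed, that Geeklog sits directly under the document root with the default directory names from the first post, and that the site's base URL is given as the first argument.

```shell
#!/bin/sh
# Added example, not code from the thread or from Geeklog: after locking things
# down, request each path the Geeklog security test complained about and report
# whether the webserver still serves it. Assumes curl is installed, that Geeklog
# is installed directly under the document root, and that the base URL of the
# site is passed as the first argument (e.g. https://example.org).

# Paths that must not be reachable from the web (defaults from the first post).
PRIVATE_PATHS="config.php logs/ plugins/ system/ data/"

# is_blocked STATUS: succeed when an HTTP status code means the server refused
# the request or does not expose the resource. Anything else (200, a 30x
# redirect into the directory, ...) counts as still reachable.
is_blocked() {
    case "$1" in
        401|403|404) return 0 ;;
        *)           return 1 ;;
    esac
}

# verdict STATUS: the word reported for a status code. "000" is what curl
# prints when it got no HTTP response at all (DNS failure, refused
# connection, TLS error), which is an error, not a pass.
verdict() {
    if [ "$1" = "000" ]; then
        echo "ERR"
    elif is_blocked "$1"; then
        echo "OK"
    else
        echo "OPEN"
    fi
}

# check_site BASE_URL: probe every private path and print one line per path.
# Exit status is 0 only when all of them are blocked, so the script can run
# from a cron job or a deployment check and fail loudly on regressions.
check_site() {
    base="${1%/}"
    fail=0
    for p in $PRIVATE_PATHS; do
        status=$(curl -s -o /dev/null -w '%{http_code}' "$base/$p")
        v=$(verdict "$status")
        printf '%-5s %s %s/%s\n' "$v" "$status" "$base" "$p"
        [ "$v" = "OK" ] || fail=1
    done
    return $fail
}

if [ $# -gt 0 ]; then
    check_site "$1"
fi
```

Run it as `sh check-geeklog.sh https://your-site.example` once the .htaccess changes are in place; a line starting with OPEN is a path the webserver still hands out, and ERR means the request never got an HTTP answer, so nothing can be concluded from it.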