Geeklog Forums

Security Check Error


1PLM

Forum User
Chatty
Registered: 07/11/08
Posts: 39
I have an old site with Geeklog 1.6 installed. At the time of install I copied the contents of public_html into the same directory (root) as the rest of the Geeklog files. I just ran a site security check from the admin panel, and I got the following security update info about my site. Is the message generated because of all the Geeklog files I put in the root directory? If not, how do I correct the error? Or is it NOT an error at all? Thanks. Below is the message:

Results of the Security Check

Good! You seem to have removed the install directory already.
Your db-config.php is reachable from the web.
This is a security risk and should be fixed!
Good! Your logs directory is not reachable from the web.
Good! Your plugins directory is not reachable from the web.
Your system directory is reachable from the web.
This is a security risk and should be fixed!
Your backups directory is reachable from the web.
This is a security risk and should be fixed!
Your data directory is reachable from the web.
This is a security risk and should be fixed!
Good! You seem to have changed the default account password already.
Please fix the above issues before using your site!

Roccivic

Forum User
Moderator
Registered: 05/19/10
Posts: 136
This is not really an error, it's a warning about a security risk. If you leave the site as it is, someone may be able to easily hack it.

The problem is that you put all the files into a directory that can be reached from the internet via the http protocol. Things may differ between hosting providers, but generally you would get a folder that can be accessed via ftp, but not via http. For example, on my web server the root ftp folder is not accessible from the web, so this is where I would place my Geeklog install.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
What Roccivic said ...

If you can't put files outside of your webroot, then our recommendation is to have all those files inside a password-protected directory.

In your case, you could password-protect some of the directories (the ones you get warnings for), but your db-config.php would still be accessible. It's not an immediate problem as long as the server is configured correctly but not really recommended.

bye, Dirk

1PLM

Forum User
Chatty
Registered: 07/11/08
Posts: 39
When I tried accessing the folders via http it denies access: "Forbidden. You don't have permission to access /system/ on this server." and the same for the other files.
However, do I create a directory and CHMOD it 755 for permissions and then put the aforementioned files into it? How then will they be located by the index.php and other files looking for them in the root directory? Does the Geeklog install not recommend we put the contents of public_html in the root directory with/alongside the other files and folders? Thanks.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
There's no index.php or index.html in "system", so that's why you're getting that message. Try the name of an existing file, e.g. system/lib-custom.php

As explained in the installation instructions, Geeklog consists of two parts: The one that goes into public_html (or equivalent) and is meant to be reachable by typing URLs into a browser. And the other (including system, db-config.php, etc.) that should not be accessible from the web.

Geeklog's configuration has two path variables that point to these two parts, $_CONF['path_html'] for the former and $_CONF['path'] for the latter. If both are set correctly, the site will work just fine, no matter where those two parts are located.

The safest (and recommended) solution is to put the "secret" parts outside of the webroot, so that they can never be reached from the web. If that's not possible, e.g. due to restrictions imposed by your web host, then the second-best option is the one described in the FAQ (see above), i.e. put all that stuff in a password-protected directory. Geeklog will read those files via the file system, not the web, so the password protection will keep visitors from accessing the files while Geeklog itself can access them just fine.

bye, Dirk
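The check Dirk describes above (request a real file such as system/lib-custom.php, not the bare directory, because a "Forbidden" on a directory URL only means there is no index file) can be scripted. The following is an added example written for this thread, not code from Geeklog or from any of the posters. It probes the files that belong in $_CONF['path'] by URL and reports which ones the web server actually serves. Only db-config.php and system/lib-custom.php are named in the thread; the base URL, the other file names (logs/error.log and the directory probes) and the `fetch` hook are this example's own assumptions.

```python
"""Probe a Geeklog site for 'private' files that should not be reachable over HTTP.

Added example for this forum thread; not part of Geeklog's own security check.
Assumptions: the base URL, the probe list below and the 'fetch' callable are ours.
Only db-config.php and system/lib-custom.php are named in the thread; the other
paths are guesses at typical Geeklog files and can be edited freely.
"""
import urllib.error
import urllib.request

# (relative path, is_directory). Directory probes are weaker evidence: a 403 on a
# bare directory URL usually only means "no index file and no autoindex", which is
# exactly what the original poster saw, so it is recorded as inconclusive.
PRIVATE_PATHS = [
    ("db-config.php", False),         # named in the thread
    ("system/lib-custom.php", False), # named in the thread
    ("logs/error.log", False),        # assumed file name
    ("plugins/", True),
    ("backups/", True),
    ("data/", True),
]


def http_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status code for a GET of url (HTTP errors map to their code)."""
    req = urllib.request.Request(url, headers={"User-Agent": "geeklog-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int, is_dir: bool) -> str:
    """Map a status code to a verdict, following the reasoning in the thread."""
    if status == 200:
        return "EXPOSED"             # served: the file (or a listing) is reachable
    if status == 401:
        return "PASSWORD-PROTECTED"  # the FAQ's second-best fix: HTTP auth in front
    if status == 403:
        # On a directory URL this usually just means 'no index file'; on a file
        # URL it means the server explicitly refused, i.e. a working deny rule.
        return "INCONCLUSIVE" if is_dir else "DENIED"
    if status == 404:
        return "NOT-FOUND"           # outside the webroot, or a wrong path guess
    return f"OTHER-{status}"


def check_site(base_url: str, paths=PRIVATE_PATHS, fetch=http_status) -> dict:
    """Probe every private path under base_url; returns {relative path: verdict}."""
    base = base_url.rstrip("/") + "/"
    return {rel: classify(fetch(base + rel), is_dir) for rel, is_dir in paths}


def exposed(results: dict) -> list:
    """Paths that the security check would flag as 'should be fixed'."""
    return [path for path, verdict in results.items() if verdict == "EXPOSED"]


def htaccess_deny(apache24: bool = True) -> str:
    """Apache drop-in that refuses every web request for the directory it sits in.
    Drop it into system/, logs/, backups/, data/ and plugins/ when they must stay
    inside the webroot; Geeklog reads them via the filesystem, not via HTTP."""
    return "Require all denied\n" if apache24 else "Order deny,allow\nDeny from all\n"


if __name__ == "__main__":
    import sys
    # Assumed URL; pass your own site as the first argument.
    site = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com/"
    results = check_site(site)
    for path, verdict in results.items():
        print(f"{verdict:19} {path}")
    if exposed(results):
        print("Fix these before using the site:", ", ".join(exposed(results)))
```

Two caveats when reading the output. A 200 for db-config.php normally means PHP executed the file and returned an empty page rather than printing its source, but the file is still reachable, and any lapse in the PHP handler configuration (a disabled module, a stray `.php.bak` copy) would serve it as text, which is why Geeklog flags it. And `htaccess_deny()` blocks the web entirely rather than adding a password; if you prefer the FAQ's password-protected directory, replace the deny rule with an `AuthType Basic` block, and the probe will then report PASSWORD-PROTECTED (401) instead of DENIED (403).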

1PLM

Forum User
Chatty
Registered: 07/11/08
Posts: 39
Thanks. This is very beneficial and insightful.
