Welcome to Geeklog Wednesday, June 26 2019 @ 12:29 am EDT

Geeklog Forums

Check the security!


Status: offline

Zippo

Forum User
Chatty
Registered: 08/07/11
Posts: 53
1. "public_html" should never be part of your site's URL. Please read the part about public_html in the installation instructions again and change your setup accordingly before you proceed. (As far as I know, the geeklog installation creates this folder?!?!?!?)

2. Your db-config.php is reachable from the web. This is a security risk and should be fixed!

3. Your logs directory is reachable from the web. This is a security risk and should be fixed!
Your plugins directory is reachable from the web. This is a security risk and should be fixed!
Your system directory is reachable from the web. This is a security risk and should be fixed!
Your backups directory is reachable from the web. This is a security risk and should be fixed!
Your data directory is reachable from the web. This is a security risk and should be fixed!

How do I get rid of these?


Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
Quote by: Zippo

1. "public_html" should never be part of your site's URL. Please read the part about public_html in the installation instructions again and change your setup accordingly before you proceed. (As far as I know, the geeklog installation creates this folder?!?!?!?)


No, the installer does not create this directory. "public_html" is an often-used name on webservers for the public web directory or document root. Other popular names are "htdocs" or "www".

As the installation instructions explain, the bits that are in public_html should go into your document root (whatever it is named on your server) - and only these files should be reachable from the web. The rest of the files should be placed somewhere outside of the document root so that they are not accessible from the web (i.e. you can not enter a URL into your browser to call up such a file). That's for security reasons.

If you can't install Geeklog like that, see Installing Geeklog entirely within the web root

bye, Dirk


Zippo

Forum User
Chatty
Registered: 08/07/11
Posts: 53
For the next version: PLEASE change the install script & documentation.
Because this time I followed the instructions precisely!
I only copied the files which should be copied there.
Maybe it is because I use an add-on domain?

What you are saying is:
That I have to re-install Geeklog for the third time?

And what about the other numbers????
Better know this before I re-install...


Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
What would you suggest we change in the installation instructions? All this is explained there. If it's not clear, please tell us what you found confusing. Thanks.

The other items from your original post are just a result of that basic mistake of putting files and directories where they shouldn't be.

bye, Dirk


Zippo

Forum User
Chatty
Registered: 08/07/11
Posts: 53
4. Place the contents of geeklog-1.8.0/public_html/ into your web root directory on your web server. The web root directory is often named "public_html", "htdocs", or "www".


This is EXACTLY what I have done and which is a security risk according to you and GeekLog.

So: Who's right? The installation text or the security check?

Please fix one of them!



Zippo

Forum User
Chatty
Registered: 08/07/11
Posts: 53
Quote by: Dirk



The other items from your original post are just a result of that basic mistake of putting files and directories where they shouldn't be.

bye, Dirk




Confused: Ehhh...
A. Where should I put them?? Closer to my webroot I cannot put them.
B. I do not see any public_html here.....

2. is in:
http://kom.ninanauk.net/db-config.php

3. is in:
http://kom.ninanauk.net/logs
http://kom.ninanauk.net/plugins
http://kom.ninanauk.net/system
http://kom.ninanauk.net/backups
http://kom.ninanauk.net/data





P.S.: http://kom.ninanauk.net is a redirection of http://www.ninanauk.net/kom


kom




Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
So what's the name of the document root on your webserver? The idea is that whatever that directory's name is, you should place the contents of Geeklog's public_html into it.

Creating a public_html directory is - in most cases - the wrong thing to do (unless you can change the document root in your server setup such that it points to public_html).

Does that help?

bye, Dirk


Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
Quote by: Zippo

A. Where should I put them?? Closer to my webroot I cannot put them.
B. I do not see any public_html here.....

2. is in:
http://kom.ninanauk.net/db-config.php


Sounds like you should follow the advice from the FAQ article I mentioned above then and put all the "other stuff" (everything that's not in public_html) in a password-protected directory: Installing Geeklog entirely within the web root.

bye, Dirk


Zippo

Forum User
Chatty
Registered: 08/07/11
Posts: 53
I try to place a sitemap in here... but it keeps telling me that I am spamming... but not telling me what I am really doing wrong or what to change.
I seem to keep bumping into issues which fail to explain what I am doing wrong.
(I tried to put the sitemap in code but that does not work either)

My cpanel tells me he protected the folder, but I do not see a .htaccess and .htpassword file, so that seems not to work either



Zippo

Forum User
Chatty
Registered: 08/07/11
Posts: 53
I pointed the addon domain directly to the public_html. That resolves a lot of safety issues....


::Ben

Forum User
Full Member
Registered: 14/01/05
Posts: 1569
Location: la rochelle, France
I pointed the addon domain directly to the public_html. That resolves a lot of safety issues....

but sensitive files are still accessible from the web...

Your web root is where you stored your index.htm page (with the cat picture).
What is its directory name?

Ben


I'm available to customise your themes or plugins for your Geeklog CMS


Zippo

Forum User
Chatty
Registered: 08/07/11
Posts: 53
Nice try! Razz But no! Smile

http://www.ninanauk.net = The standard website of our cattery! (Let us say that it is my sponsor Wink ) Is the one you were.

http://kom.ninanauk.net/public_html = where the GeekLog index.php is located BUT

http://kom.ninanauk.net is now rerouted to -> http://kom.ninanauk.net/public_html
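
The layout problem discussed in this thread can be checked on the filesystem. The following is an added example, not code from the posters or from Geeklog: it reports which of the items named by the security check (db-config.php, logs, plugins, system, backups, data) sit inside any document root, and shows why the check has to include the main site's document root as well as the add-on domain's. The directory names under `home/` are hypothetical and the sample trees are constructed in a temporary directory.

```python
import os
import tempfile

# Names the security check quoted in this thread reported as web-reachable.
SENSITIVE = ["db-config.php", "logs", "plugins", "system", "backups", "data"]

def is_inside(path, root):
    """True if path resolves (symlinks followed) to root or somewhere below it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def exposed_items(private_dir, doc_roots):
    """Map each existing sensitive item to the first document root containing it."""
    found = {}
    for name in SENSITIVE:
        item = os.path.join(private_dir, name)
        hit = next((r for r in doc_roots if is_inside(item, r)), None)
        if os.path.exists(item) and hit is not None:
            found[name] = hit
    return found

def build_layout(base, private_rel, public_rel):
    """Constructed sample tree: private files in private_rel, index.php in public_rel."""
    private, public = os.path.join(base, private_rel), os.path.join(base, public_rel)
    for d in ("logs", "plugins", "system", "backups", "data"):
        os.makedirs(os.path.join(private, d), exist_ok=True)
    os.makedirs(public, exist_ok=True)
    open(os.path.join(private, "db-config.php"), "w").close()
    open(os.path.join(public, "index.php"), "w").close()
    return private, public

def demo():
    with tempfile.TemporaryDirectory() as base:
        main_root = os.path.join(base, "home/www")  # hypothetical main-site docroot
        # Layout as in the thread: Geeklog below the main site, add-on domain on public_html.
        priv, pub = build_layout(base, "home/www/kom", "home/www/kom/public_html")
        nested = exposed_items(priv, [main_root, pub])
        addon_only = exposed_items(priv, [pub])  # checking only the add-on root misses it
        # Recommended layout: private files outside every document root.
        priv2, pub2 = build_layout(base, "home/geeklog", "home/www/kom2")
        separate = exposed_items(priv2, [main_root, pub2])
        return sorted(nested), sorted(addon_only), sorted(separate)

if __name__ == "__main__":
    print(demo())
```

This only inspects directory layout: it does not detect a password-protected directory inside the web root, nor a symlink placed inside a document root that points at the private files.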
