Forums / General / Security issue

Security issue

Previous topic

General

Next topic

Author	Message
Mark Overduin	Wednesday 15 October 2003 6:37:16 am This is a known security 'issue': http://www.ez.no/developer/ez_publish_3/forum/developer/security/ When one is trying to contact 'http://www.yourdomain.com/settings/site.ini', one can see loginnames and passwords and other vulnerable content (if present). This problem was known in version 3.0. Now, in version 3.2, that same problem is still here. Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough. Perhaps there's a very logical reason for this, I don't know. Anyways, I just want to let the ezPublish users know that it is possible their files are not secure enough. -- Mark
Hans Melis	Wednesday 15 October 2003 8:31:52 am >Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough. You have to rename the .htaccess_root to .htaccess in the root of your ezp installation if you're running a non-virtualhost setup. That file was added right after those security advisory if I remember correctly. Secondly, the setup wizard of ezp 3.2 should check the site's security and notify the person who's installing it when it's not secure. More about the setup wizard: http://ez.no/developer/ez_publish_3/documentation/installation/the_setup_wizard And a third thing is that you can rename all .ini files to .ini.php. -- Hans Hans http://blog.hansmelis.be
Kai Duebbert	Wednesday 15 October 2003 6:55:58 pm If you had read the full thread then you would have seen that this is not a security error at all. First, no custom ini settings are written to the files you mention. They are only the defaults which anyone can see anyway if they download their own copy of eZ publish. Second, if you can still access these files then you did something wrong in the install. The install wizard tell you very clearly to copy .htaccess_root to .htaccess to secure your site. It was badly researched in the first place and is still not a "security hole" (wrong installs are always a security hole).

Author

Message

Mark Overduin

Wednesday 15 October 2003 6:37:16 am

This is a known security 'issue':
http://www.ez.no/developer/ez_publish_3/forum/developer/security/

When one is trying to contact 'http://www.yourdomain.com/settings/site.ini', one can see loginnames and passwords and other vulnerable content (if present).

This problem was known in version 3.0. Now, in version 3.2, that same problem is still here.

Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough.

Perhaps there's a very logical reason for this, I don't know.

Anyways, I just want to let the ezPublish users know that it is possible their files are not secure enough.

-- Mark

Hans Melis

Wednesday 15 October 2003 8:31:52 am

>Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough.

You have to rename the .htaccess_root to .htaccess in the root of your ezp installation if you're running a non-virtualhost setup. That file was added right after those security advisory if I remember correctly.

Secondly, the setup wizard of ezp 3.2 should check the site's security and notify the person who's installing it when it's not secure. More about the setup wizard: http://ez.no/developer/ez_publish_3/documentation/installation/the_setup_wizard

And a third thing is that you can rename all .ini files to .ini.php.

--
Hans

Hans
http://blog.hansmelis.be

Kai Duebbert

Wednesday 15 October 2003 6:55:58 pm

If you had read the full thread then you would have seen that this is not a security error at all.

First, no custom ini settings are written to the files you mention. They are only the defaults which anyone can see anyway if they download their own copy of eZ publish.

Second, if you can still access these files then you did something wrong in the install. The install wizard tell you very clearly to copy .htaccess_root to .htaccess to secure your site.

It was badly researched in the first place and is still not a "security hole" (wrong installs are always a security hole).