User edit bug

Author Message

Zinistry Vacana

Monday 19 May 2003 8:03:52 am

I've seen that there are some security problems with http://www.**.**/user/edit/** and have also read that if you install the demodata and use it for a site, the demo setup is not secure.

I'm using this for a site. I just deleted the demodata in the admin interface and changed pagelayout.tpl, so how can I secure my site?
I have installed the User edit bug fix patch.

Are there any more things I have to do to get a secure eZ publish site?

Jo Henrik Endrerud

Tuesday 20 May 2003 10:14:04 am

A virtual host setup is usually more secure than a non-virtual host setup. This is because you can use Apache's rewrite rules.
If you are running a non-virtual host setup, you should make sure that all your site.ini.append files (and other .append files) are renamed to site.ini.append.php, and place everything in these files inside PHP comments.

ex:

<?php
/*
[my block]
myvariable=3
*/
?>

This will help if people find a way to access these files directly (then they will be parsed in the PHP module and all comments are stripped, so the file will be empty for the user).

You should also use the wash() function wherever appropriate. Check the template section on http://ez.no/sdk for more information about this.

Jo Henrik Endrerud | System Developer @ Seeds Consulting | http://www.seeds.no
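
Added example, not part of the original thread and not eZ publish's own code: a shell audit for the renaming advice in the reply above. It reports settings files still named *.append and *.append.php files whose whole content is not a single PHP comment. The function names, the UNRENAMED/UNWRAPPED labels and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a settings tree for override files that the web server
# could hand out as plain text. Names and labels here are illustrative.

# True when the file is exactly one PHP block holding one /* ... */ comment.
is_wrapped() {
    flat=$(tr -s ' \t\r\n' ' ' < "$1")      # fold whitespace runs to one space
    flat=${flat#' '}; flat=${flat%' '}
    case $flat in
        '<?php /*'*'*/ ?>'|'<?php /*'*'*/?>') ;;   # "<?php" needs whitespace after it
        *) return 1 ;;
    esac
    body=${flat#'<?php /*'}; body=${body%'?>'}
    body=${body%' '}; body=${body%'*/'}
    case $body in
        *'*/'*) return 1 ;;                 # comment closes before the end
    esac
    return 0
}

# Prints "UNRENAMED <path>" or "UNWRAPPED <path>" per finding; returns 1 if any.
audit_append_files() {
    findings=$(
        find "$1" -type f -name '*.append' | sed 's/^/UNRENAMED /'
        find "$1" -type f -name '*.append.php' | while IFS= read -r f; do
            is_wrapped "$f" || printf 'UNWRAPPED %s\n' "$f"
        done
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not from a real site) so the script runs offline.
demo=$(mktemp -d)
printf '[my block]\nmyvariable=3\n' > "$demo/site.ini.append"
printf '<?php\n/*\n[my block]\nmyvariable=3\n*/\n?>\n' > "$demo/ok.ini.append.php"
printf '[my block]\nmyvariable=3\n' > "$demo/bare.ini.append.php"
audit_append_files "$demo" || echo "settings files need attention"
rm -rf "$demo"
```

Point audit_append_files at the installation's settings directory; a non-zero return means at least one file would not come back empty if requested directly.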
