From: Oliver Waring <oliverwaring@ta...> - 2007-12-11 19:16:05
I'm setting up a new install for a friend
I only seem to have access to the web root. What security would anyone
recommend if I need to put the pt_config.inc file in the home dir??
(ps hello dave!)
From: Dave Guerin <pagetool-user@gu...> - 2007-12-21 15:30:36
How are you? Sorry for the delay in replying, been somewhat busy.
On Dec 11, 2007, at 19:15, Oliver Waring wrote:
> I'm setting up a new install for a friend
I had an email from Jamie, the other main contributor to Pagetool. He
and I are in agreement that we would not advise anyone to use
Pagetool for a fresh project due to known security issues with the code.
> I only seem to have access to the web root. What security would anyone
> recommend if I need to put the pt_config.inc file in the home dir??
If you really wanted to use Pagetool and can only put pt_config.inc
in a web accessible directory, then you need to make the web server
NOT serve .inc files. To do that you need, if it's Apache, an install
that allows you to make changes via a .htaccess file. I'm being a bit
vague here as I really don't think it's a good idea to use Pagetool
in its current state, and also not a good idea to have your
configuration file accessible via the web. If the web host doesn't
allow files outside the web root then change the web host.
> advance thanks
> (ps hello dave!)
I ought to mention to others on the list that Ollie is a friend and
sometime work colleague of mine. Hence his familiarity.
What would be great would be if Ollie, or anyone else who uses
Pagetool, was to take a look at the code in CVS and go through it
with a fine tooth comb and try and see if there are any security
issues with it. I haven't looked at the code for a while, almost a
year, when there were security exploits of un-patched sites. I went
through most of the code then and made a load of changes to make it
more secure. To have someone else take a look at the changes I made
then, and to go on and finish off what I started and complete the
review of the code, would be great. There might even one day be a
1.08 release. If I recall correctly all the public code was as secure
as I could make it, it was mostly the admin side that I still had to
work through, and I think I'd broken the cookie login code in my
attempt to make it more secure. I think I detailed where I had got to
in the TODO.txt.
Merry Christmas and a Happy New Year to all Pagetool users!
d a v e
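
The .htaccess approach mentioned in the reply above, written out as an added example that is not part of the original thread or of Pagetool. It assumes the file sits in the same web-accessible directory as pt_config.inc and that the host's AllowOverride setting permits these directives (AuthConfig on Apache 2.4, Limit on 2.2).

```apache
# .htaccess in the directory that holds pt_config.inc
# Added example, not Pagetool's own configuration.
# (?i) makes the match case-insensitive so that pt_config.INC is
# also refused on case-insensitive filesystems.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    <FilesMatch "(?i)\.inc$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 and earlier (Order/Deny syntax)
<IfModule !mod_authz_core.c>
    <FilesMatch "(?i)\.inc$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

After uploading, request the pt_config.inc URL directly: a 403 means the rule is active, and a 500 means the host does not allow these directives in .htaccess. If the file contents are still returned, .htaccess overrides are disabled and the configuration file remains exposed.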