#36 Severe security issues

v1.0.0_CVS
open-accepted
nobody
Other (4)
5
2006-01-12
2006-01-12
Pierre ROGE
No

The mods/ directory is not protected enough:

- this can allow a user to gain access to the database
using scripts enclosed in the mods, which are not secured
enough but are supposed to be removed after the install.

- same thing with the backups: if a mod modifies the
config.php, a regular user will easily get the
connection user and pass by hitting the backup/config.php.txt

Discussion

  • Eric Faerber - 2006-01-12
    • status: open --> open-accepted
     
  • Eric Faerber - 2006-01-12

    This is something we were going to look into further.
    Probably add .htaccess, change file permissions to only
    owner readable or something like that, and probably halt
    processing of MODs that edit config.php. We'll think about
    it some more. Any ideas you have would be great as well.

     
  • Pierre ROGE - 2006-01-13

    Maybe also plan the ability to download saves, and to drop
    all from the remote server.

     
  • David Smith - 2006-02-23

    How about the ability to specify a path that is outside
    public_html, I believe gallery allows you to do the same
    thing with photos that shouldn't be publicly viewable?
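
One way to apply the .htaccess and owner-only permission ideas raised in the discussion, as an added example (not code from the project or from the commenters). The function names and the constructed path are assumptions, and the directory owner is assumed to be the account that runs the PHP scripts.

```shell
#!/bin/sh
# Added example: lock down a MOD installer's working directory under the web root.
# Assumption: the directory owner is the account that runs the PHP scripts.

# count_exposed DIR: files and directories under DIR readable by group or other.
count_exposed() {
    find "$1" \( -perm -040 -o -perm -004 \) | wc -l | tr -d ' '
}

# harden_dir DIR: deny HTTP access via .htaccess, then make everything owner-only.
harden_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    # Deny rule for both Apache 2.4 (mod_authz_core) and older releases.
    cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    # Directories: owner rwx only. Files (config backups included): owner rw only.
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Usage (constructed path):
#   harden_dir /var/www/forum/mods && count_exposed /var/www/forum/mods
```

The .htaccess rule only takes effect where the server's AllowOverride setting permits it, so the permission change is the part that holds regardless of server configuration.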

     
