#57 A Few Ideas for Enhancing Security

0.9
open
nobody
5
2004-08-25
2004-08-25
No

Hey peoples,

Excellent project by the way. Congrats.

A few ideas for improving the security of the app:

// Securing Files in the Web Tree
1) Change the extensions of sensitive files, i.e. files
in the "system" folder to ".phps" or ".inc" in order to
set them apart from the other PHP files.

2) Provide documentation that points users in the
direction of verifying their configuration of Apache to
disallow the download of files with the .phps or .inc
extensions, or allow users to use .htaccess files.
Example of implementing this in httpd.conf:
<FilesMatch "\.(inc|phps)$">
    # $ anchors the match so only files ending in .inc or .phps
    # are blocked, not e.g. config.inc.php
    Order allow,deny
    Deny from all
</FilesMatch>
You could throw the above in after the statement that
denies users access to .htaccess and .htsecure files.

3) Provide docs on how to create one, or even ship a
default .htaccess file, that does something like...
<FilesMatch "\.(inc|phps)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

// Securing the Database
1) Provide a method during the installation process,
i.e. command example, script, etc. that will alter the
user set up to access the database so that they can no
longer create databases. After the initial "helpdesk"
database is created by the user specified by the
installer, there isn't really a need for that database
user to have the rights to create more databases, that
I can see.

2) Maybe even create a "helpdesk" group and add the
"postgres" and the "[user]" to it. This could help ease
"pg_hba.conf" settings for maintenance processes that
may run via the "postgres" user.

My reasons for these suggestions...

o It would be nice to secure the password to the
database that is included in the "system/opendb.php" file.
o In order to take advantage of the beta LDAP
functionality, we would like to use a username and
password to do the queries we need and we want those to
be secure.

We currently have the Issue Manager running in a
SSL-only folder in order to protect that side of it.

Thanks again for the most excellent project. We are
using it here at Western Michigan University to track
"trouble tickets" that get logged from our helpdesk.

Cheers,

- michael
--
Michael Stilson Jr.
-------------------------------------------------------
Web Programmer/Analyst: Office of Information Technology
Western Michigan University

E: michael.stilson@wmich.edu
W: www.wmich.edu

Helpdesk implementation:
https://www.wmich.edu/helpdesk/manager/
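Added here as a worked example, not code from the Issue Manager project or from the ticket author: a small Python audit that pulls the `Deny from all` blocks out of an Apache config (the `<Files ~ "...">` / `<FilesMatch "...">` syntax the ticket uses) and applies them to a directory listing, reporting which files under `system/` no block covers. The two config snippets and the file tree are constructed for the example; the `^\.ht` block in the httpd.conf snippet stands in for the stock Apache 2.2 rule the ticket refers to.

```python
"""Audit which files under a web tree remain downloadable despite
Apache <Files ~ "...">/<FilesMatch "..."> blocks containing Deny from all.

Constructed example for this ticket; not part of the Issue Manager project.
"""
import re

# Constructed httpd.conf fragment: the stock ^\.ht rule plus the ticket's
# original, unanchored \.(inc|phps) pattern.
HTTPD_CONF_SNIPPET = r'''
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
<Files ~ "\.(inc|phps)">
    Order allow,deny
    Deny from all
</Files>
'''

# Constructed .htaccess fragment: the ticket's anchored pattern on its own.
HTACCESS_SNIPPET = r'''
<FilesMatch "\.(inc|phps)$">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
'''

# Constructed listing of a deployment; only system/ is audited.
SAMPLE_TREE = [
    "system/opendb.php",      # not renamed: served by the PHP handler
    "system/opendb.inc",      # renamed as the ticket suggests
    "system/ldap.phps",
    "system/config.inc.php",  # common naming: ends in .php, not .inc
    "system/.htaccess",
    "index.php",
]

# <Files "name">, <Files ~ "regex"> or <FilesMatch "regex"> ... </Files...>
BLOCK_RE = re.compile(
    r'<(Files|FilesMatch)\s+(~\s+)?"([^"]+)"\s*>(.*?)</\1>',
    re.DOTALL | re.IGNORECASE)


def deny_patterns(config_text):
    """Compile one regex per block whose body contains "Deny from all".

    A plain <Files "name"> (no ~) is a literal filename match, so it is
    escaped and anchored before compiling.
    """
    patterns = []
    for kind, tilde, pat, body in BLOCK_RE.findall(config_text):
        if not re.search(r'^\s*Deny\s+from\s+all\s*$', body, re.M | re.I):
            continue
        is_regex = kind.lower() == "filesmatch" or bool(tilde)
        patterns.append(re.compile(pat if is_regex
                                   else "^" + re.escape(pat) + "$"))
    return patterns


def is_denied(path, patterns):
    """Apache matches these directives against the basename only."""
    name = path.rsplit("/", 1)[-1]
    return any(p.search(name) for p in patterns)


def unprotected(tree, config_text, prefix="system/"):
    """Paths under prefix that no Deny block in config_text covers."""
    pats = deny_patterns(config_text)
    return [p for p in tree if p.startswith(prefix) and not is_denied(p, pats)]


if __name__ == "__main__":
    for label, conf in (("httpd.conf", HTTPD_CONF_SNIPPET),
                        (".htaccess", HTACCESS_SNIPPET)):
        print(label, "leaves downloadable:", unprotected(SAMPLE_TREE, conf))
```

Two things the audit surfaces that the ticket's prose does not: the unanchored httpd.conf pattern also blocks `config.inc.php` (anything with `.inc` in the name), while the anchored `.htaccess` pattern leaves that file to the PHP handler; and the `.htaccess`-only approach depends on the server's own `^\.ht` rule to keep the `.htaccess` file itself private. On a host where `.phps` is mapped to the PHP source-display handler, these Deny blocks are the only thing standing between a renamed `opendb.phps` and source disclosure, which is why a check like this belongs in the install docs rather than being left to each site.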

Discussion
