Thread: [pLog-General] [ plog-Bugs-986157 ] Gallery file can be accessed without using resserver.php
From: SourceForge.net <no...@so...> - 2004-07-06 18:55:27
Bugs item #986157, was opened at 2004-07-07 02:55
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=571270&aid=986157&group_id=83964

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Alan Chiang (school)
Assigned to: Nobody/Anonymous (nobody)
Summary: Gallery file can be accessed without using resserver.php

Initial Comment:
Example:
http://www.plogworld.org/resserver.php?blogId=1&resource=plog-0.3.2-beta5.tar.gz

This file can be downloaded with:
http://www.plogworld.org/gallery/1/1-29.gz

Since there is no default protection for those folders (like using index.htm as a mask or using .htaccess).

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=571270&aid=986157&group_id=83964
From: Nick G. <ni...@so...> - 2004-07-07 00:06:08
Two (2) solutions at hand. I currently use #2, it's just easier.

[1] Config an .htaccess file in the gallery dir
[2] Move the gallery folder to a non-public directory, ex: ~/private/gallery as opposed to ~/www_public/gallery.

Of course, while we are on the idea of security, users should also remember to configure mysql to not allow blank users or blank root passwords. A survey reported that up to 30% of public boxes with mysqld running haven't gone past installation to change the default blank root password, or allow blank usernames and passwords for login access.

*shrugs*
~ Nick
From: Oscar R. <os...@re...> - 2004-07-07 15:38:51
I don't think it takes a rocket scientist to discover this "vulnerability"... It's pretty obvious that if a folder is placed under the web server tree, it will be possible to see its contents unless we configure the server not to allow it. That's why there is a setting called 'resources_folder' that allows you to specify where to store files. As long as this is set to a folder outside the web server tree, everything should be fine (Nick's solution number [2]).

As for solution [1], the problem is that not all hosts allow .htaccess, but we could still modify plog to automatically create an .htaccess file in the main folder forbidding access to the files.

All in all, I think that it would also be interesting to create a new topic in the wiki called something like "securing plog" where we could describe all these approaches. Any volunteers? :)

Oscar

On 7 Jul 2004, at 03:05, Nick Gerakines wrote:

> Two (2) solutions at hand. I currently use #2, it's just easier.
> [1] Config an .htaccess file in the gallery dir
> [2] Move the gallery folder to a non-public directory. ex:
> ~/private/gallery as opposed to ~/www_public/gallery.
>
> Of course while we are on the idea of security users should also
> remember to configure mysql to not allow blank users or blank root
> passwords. Survey reported that up to 30% of public boxes with mysqld
> running haven't gone past installation to change the default blank root
> password, or allow blank usernames and passwords for login access.
> *shrugs*
> ~ Nick
>
> _______________________________________________
> pLog-General mailing list
> pLo...@li...
> https://lists.sourceforge.net/lists/listinfo/plog-general