
Security issue


Mark Overduin

Wednesday 15 October 2003 6:37:16 am

This is a known security 'issue':
http://www.ez.no/developer/ez_publish_3/forum/developer/security/

When one tries to open 'http://www.yourdomain.com/settings/site.ini', one can see login names and passwords and other vulnerable content (if present).

This problem was known in version 3.0. Now, in version 3.2, that same problem is still here.

Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough.

Perhaps there's a very logical reason for this, I don't know.

Anyways, I just want to let the ezPublish users know that it is possible their files are not secure enough.

-- Mark

Hans Melis

Wednesday 15 October 2003 8:31:52 am

>Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough.

You have to rename the .htaccess_root to .htaccess in the root of your ezp installation if you're running a non-virtualhost setup. That file was added right after that security advisory, if I remember correctly.

Secondly, the setup wizard of ezp 3.2 should check the site's security and notify the person who's installing it when it's not secure. More about the setup wizard: http://ez.no/developer/ez_publish_3/documentation/installation/the_setup_wizard

And a third thing is that you can rename all .ini files to .ini.php.

--
Hans
http://blog.hansmelis.be

Kai Duebbert

Wednesday 15 October 2003 6:55:58 pm

If you had read the full thread then you would have seen that this is not a security error at all.

First, no custom ini settings are written to the files you mention. They are only the defaults which anyone can see anyway if they download their own copy of eZ publish.

Second, if you can still access these files then you did something wrong in the install. The install wizard tells you very clearly to copy .htaccess_root to .htaccess to secure your site.

It was badly researched in the first place and is still not a "security hole" (wrong installs are always a security hole).
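The thread names three mitigations: rename .htaccess_root to .htaccess in the install root, put a deny-all .htaccess in settings/, or rename the .ini files to .ini.php. The script below is an added audit helper, not code from the thread or from eZ publish; it checks a local document root for those conditions. The sample tree it builds (paths, ini contents, the "constructed-secret" value) is constructed for the demo, and the contents of eZ publish's own .htaccess_root are not assumed, so a root .htaccess is only checked for presence.

```shell
#!/bin/sh
# Added audit script (not part of the thread or of eZ publish).
# Checks an eZ publish root for the mitigations the posts mention:
#   1. .htaccess_root renamed to .htaccess (non-virtualhost installs)
#   2. settings/*.ini renamed to .ini.php or covered by a deny-all settings/.htaccess
# Apache 2.4 "Require all denied" is accepted alongside the older "Deny from all".

# 0 if the given .htaccess file exists and denies all access.
htaccess_denies_all() {
    [ -f "$1" ] && grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$1"
}

# 0 if nothing to report, 1 if a plain .ini under settings/ has no deny-all cover.
audit_ezp_settings() {
    root="$1"; rc=0
    if [ -f "$root/.htaccess_root" ] && [ ! -f "$root/.htaccess" ]; then
        echo "WARN: $root/.htaccess_root was never renamed to .htaccess"
    fi
    if htaccess_denies_all "$root/settings/.htaccess"; then
        return 0    # explicit deny-all covers the whole settings/ tree
    fi
    for f in "$root"/settings/*.ini "$root"/settings/override/*.ini \
             "$root"/settings/siteaccess/*/*.ini; do
        [ -f "$f" ] || continue
        echo "UNPROTECTED: $f (plain .ini, no deny-all settings/.htaccess)"
        rc=1
    done
    return $rc
}

# Build a constructed eZ publish-like tree in a temp dir so the script runs stand-alone.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/settings/override"
    printf '[DatabaseSettings]\nUser=ezuser\nPassword=constructed-secret\n' > "$d/settings/override/site.ini"
    printf '[SiteSettings]\nSiteName=Demo\n' > "$d/settings/site.ini"
    touch "$d/.htaccess_root"          # shipped but never renamed: triggers the WARN
    echo "$d"
}

demo_root=$(make_sample_root)
audit_ezp_settings "$demo_root" || echo "exposure found; applying deny-all to settings/"
printf 'Order deny,allow\nDeny from all\n' > "$demo_root/settings/.htaccess"
audit_ezp_settings "$demo_root" && echo "settings/ now protected"
rm -rf "$demo_root"
```

Run it against a real install root instead of the sample by calling audit_ezp_settings /path/to/ezpublish; a non-zero exit means a plain .ini is still served without a deny-all rule in front of it.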
