Security issue

Mark Overduin

Wednesday 15 October 2003 6:37:16 am

This is a known security 'issue':
http://www.ez.no/developer/ez_publish_3/forum/developer/security/

When one tries to open 'http://www.yourdomain.com/settings/site.ini', one can see login names and passwords and other sensitive content (if present).

This problem was known in version 3.0. Now, in version 3.2, that same problem is still here.

Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough.

Perhaps there's a very logical reason for this, I don't know.

Anyway, I just want to let the eZ Publish users know that it is possible their files are not secure enough.

-- Mark

Hans Melis

Wednesday 15 October 2003 8:31:52 am

>Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough.

You have to rename the .htaccess_root to .htaccess in the root of your ezp installation if you're running a non-virtualhost setup. That file was added right after that security advisory, if I remember correctly.

Secondly, the setup wizard of ezp 3.2 should check the site's security and notify the person who's installing it when it's not secure. More about the setup wizard: http://ez.no/developer/ez_publish_3/documentation/installation/the_setup_wizard

And a third thing is that you can rename all .ini files to .ini.php.

--
Hans
http://blog.hansmelis.be

Kai Duebbert

Wednesday 15 October 2003 6:55:58 pm

If you had read the full thread then you would have seen that this is not a security error at all.

First, no custom ini settings are written to the files you mention. They are only the defaults which anyone can see anyway if they download their own copy of eZ publish.

Second, if you can still access these files then you did something wrong in the install. The install wizard tells you very clearly to copy .htaccess_root to .htaccess to secure your site.

It was badly researched in the first place and is still not a "security hole" (wrong installs are always a security hole).
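The two hardening steps named in the replies above (copying .htaccess_root to .htaccess in the web root, and renaming settings/*.ini to *.ini.php so PHP executes them instead of the web server serving them as text) can be audited and applied with a small script. The following is an added example written for this thread, not code shipped by eZ Publish; the function names, the settings/ directory layout, and the generic Apache deny-all fragment (which is not the contents of eZ Publish's own .htaccess_root) are assumptions. As Hans notes, the root .htaccess only matters for a non-virtualhost setup, so the first check is a warning rather than proof of exposure when the DocumentRoot points elsewhere.

```shell
#!/bin/sh
# Added example (not eZ Publish's own code): audit and harden an eZ Publish 3.x
# install directory against the settings/*.ini exposure discussed in the thread.
# Assumed layout: <root>/settings/*.ini plus siteaccess/override subdirectories.

# ezp_settings_protected <root>
# Returns 0 if the install looks protected, 1 otherwise, printing each finding.
ezp_settings_protected() {
    root="$1"
    problems=0

    # 1. Non-virtualhost setups need .htaccess_root copied to .htaccess in the root.
    if [ ! -f "$root/.htaccess" ]; then
        echo "MISSING: $root/.htaccess (copy .htaccess_root to .htaccess)"
        problems=$((problems + 1))
    fi

    # 2. Any plain .ini left under settings/ (any depth) is servable as text.
    exposed=$(find "$root/settings" -type f -name '*.ini' 2>/dev/null)
    if [ -n "$exposed" ]; then
        printf 'EXPOSED (rename to .ini.php):\n%s\n' "$exposed"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# ezp_rename_ini_to_php <root>
# Rename every settings/*.ini (recursively) to *.ini.php, as Hans suggests.
ezp_rename_ini_to_php() {
    root="$1"
    find "$root/settings" -type f -name '*.ini' \
        -exec sh -c 'mv "$1" "$1.php"' _ {} \;
}

# ezp_write_settings_htaccess <root>
# Defence in depth along the lines of Mark's suggestion: a generic Apache
# deny-all in settings/ (assumed generic syntax, not eZ Publish's file).
# Covers both Apache 2.4 (mod_authz_core) and the older 2.2 directives.
ezp_write_settings_htaccess() {
    root="$1"
    cat > "$root/settings/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Usage (after sourcing this file):
#   ezp_settings_protected /var/www/ezpublish || { ezp_rename_ini_to_php /var/www/ezpublish; ezp_write_settings_htaccess /var/www/ezpublish; }
```

Note that the settings/.htaccess only takes effect if the directory's Apache configuration has AllowOverride enabled for those directives; after applying either change, confirm from outside the host that a request for /settings/site.ini (and /settings/site.ini.php) no longer returns the file contents.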

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.
