User edit bug

Next topic

Author	Message
Zinistry Vacana	Monday 19 May 2003 8:03:52 am I've seen that there are some problems with security with http://www../user/edit/** and have also red that if you install the demodata and use it for a site..the demo-setup is not secure. I'm using this for a site..just deleted the demodata in the admin-interface, and changed pagelayout.tpl, so how can I secure my site? Have installed the User edit bug fix patch. Are there any more things I have to do to get a secure eZ publish site?
Jo Henrik Endrerud	Tuesday 20 May 2003 10:14:04 am A virtual host setup is usually more secure than a non virtual host setup. This is because you can use Apache's rewrite rules. If you are running a non virtual host setup, you should make sure that all your site.ini.append (and other .append files) are renamed to site.ini.append.php and place everything in these files inside PHP comments. ex: <?php /* [my block] myvariable=3 */ ?> This will help if people get a way to access these files directly (then they will be parsed in the PHP module and all comments are stripped, so the file will be empty for the user). You should also use the wash() function wherever appropriate. Check the template section on http://ez.no/sdk for more information about this Jo Henrik Endrerud \| System Developer @ Seeds Consulting \| http://www.seeds.no

Author

Message

Monday 19 May 2003 8:03:52 am

I've seen that there are some problems with security with http://www.**.**/user/edit/** and have also red that if you install the demodata and use it for a site..the demo-setup is not secure.

I'm using this for a site..just deleted the demodata in the admin-interface, and changed pagelayout.tpl, so how can I secure my site?
Have installed the User edit bug fix patch.

Are there any more things I have to do to get a secure eZ publish site?

Jo Henrik Endrerud

Tuesday 20 May 2003 10:14:04 am

A virtual host setup is usually more secure than a non virtual host setup. This is because you can use Apache's rewrite rules.
If you are running a non virtual host setup, you should make sure that all your site.ini.append (and other .append files) are renamed to site.ini.append.php and place everything in these files inside PHP comments.

ex:

<?php
/*
[my block]
myvariable=3
*/
?>

This will help if people get a way to access these files directly (then they will be parsed in the PHP module and all comments are stripped, so the file will be empty for the user).

You should also use the wash() function wherever appropriate. Check the template section on http://ez.no/sdk for more information about this

Jo Henrik Endrerud | System Developer @ Seeds Consulting | http://www.seeds.no

eZ debug

Timing:	Jan 18 2025 11:11:18
Script start
Timing:	Jan 18 2025 11:11:18
Module start 'layout'
Timing:	Jan 18 2025 11:11:18
Module start 'content'
Timing:	Jan 18 2025 11:11:19
Module end 'content'
Timing:	Jan 18 2025 11:11:19
Script end

Main resources:

Total runtime	1.0596 sec
Peak memory usage	4,096.0000 KB
Database Queries	54

Timing points:

Checkpoint	Start (sec)	Duration (sec)	Memory at start (KB)	Memory used (KB)
Script start	0.0000	0.0058	588.9219	152.6094
Module start 'layout'	0.0058	0.0026	741.5313	39.4141
Module start 'content'	0.0084	1.0498	780.9453	488.5469
Module end 'content'	1.0582	0.0014	1,269.4922	8.1953
Script end	1.0596		1,277.6875

Time accumulators:

Accumulator	Duration (sec)	Duration (%)	Count	Average (sec)
Ini load
Load cache	0.0030	0.2860	16	0.0002
Check MTime	0.0013	0.1190	16	0.0001
Mysql Total
Database connection	0.0008	0.0798	1	0.0008
Mysqli_queries	1.0206	96.3181	54	0.0189
Looping result	0.0005	0.0475	52	0.0000
Template Total	1.0346	97.6	2	0.5173
Template load	0.0020	0.1889	2	0.0010
Template processing	1.0326	97.4498	2	0.5163
Template load and register function	0.0001	0.0116	1	0.0001
states
state_id_array	0.0012	0.1108	1	0.0012
state_identifier_array	0.0007	0.0706	2	0.0004
Override
Cache load	0.0016	0.1528	19	0.0001
Sytem overhead
Fetch class attribute can translate value	0.0006	0.0588	2	0.0003
Fetch class attribute name	0.0009	0.0834	2	0.0004
XML
Image XML parsing	0.0002	0.0218	2	0.0001
class_abstraction
Instantiating content class attribute	0.0000	0.0004	2	0.0000
General
dbfile	0.0006	0.0607	10	0.0001
String conversion	0.0000	0.0006	4	0.0000
Note: percentages do not add up to 100% because some accumulators overlap

Templates used to render the page:

Usage	Requested template	Template	Template loaded
1	node/view/full.tpl	full/forum_topic.tpl	extension/sevenx/design/simple/override/templates/full/forum_topic.tpl
2	content/datatype/view/ezxmltext.tpl	<No override>	extension/community_design/design/suncana/templates/content/datatype/view/ezxmltext.tpl
4	content/datatype/view/ezxmltags/paragraph.tpl	<No override>	extension/ezwebin/design/ezwebin/templates/content/datatype/view/ezxmltags/paragraph.tpl
3	content/datatype/view/ezxmltags/line.tpl	<No override>	design/standard/templates/content/datatype/view/ezxmltags/line.tpl
1	print_pagelayout.tpl	<No override>	extension/community/design/community/templates/print_pagelayout.tpl
Number of times templates used: 11 Number of unique templates used: 5

Time used to render debug report: 0.0001 secs