eZ Community » Forums » General » Security issue
expandshrink

Security issue

Security issue

Wednesday 15 October 2003 3:37:16 pm - 2 replies

This is a known security 'issue':
http://www.ez.no/developer/ez_publish_3/forum/developer/security/

When one is trying to contact 'http://www.yourdomain.com/settings/site.ini', one can see loginnames and passwords and other vulnerable content (if present).

This problem was known in version 3.0. Now, in version 3.2, that same problem is still here.

Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough.

Perhaps there's a very logical reason for this, I don't know.

Anyways, I just want to let the ezPublish users know that it is possible their files are not secure enough.

-- Mark

Wednesday 15 October 2003 5:31:52 pm

>Why not put a .htaccess file (deny all) in the '/settings/' folder which solves the problem? Or at least let the admin know his/her files are not secure enough.

You have to rename the .htaccess_root to .htaccess in the root of your ezp installation if you're running a non-virtualhost setup. That file was added right after those security advisory if I remember correctly.

Secondly, the setup wizard of ezp 3.2 should check the site's security and notify the person who's installing it when it's not secure. More about the setup wizard: http://ez.no/developer/ez_publish...tation/installation/the_setup_wizard

And a third thing is that you can rename all .ini files to .ini.php.

--
Hans

Modified on Wednesday 15 October 2003 5:32:27 pm by Hans Melis

Thursday 16 October 2003 3:55:58 am

If you had read the full thread then you would have seen that this is not a security error at all.

First, no custom ini settings are written to the files you mention. They are only the defaults which anyone can see anyway if they download their own copy of eZ publish.

Second, if you can still access these files then you did something wrong in the install. The install wizard tell you very clearly to copy .htaccess_root to .htaccess to secure your site.

It was badly researched in the first place and is still not a "security hole" (wrong installs are always a security hole).

expandshrink

You must be logged in to post messages in this topic!

36 542 Users on board!

Forums menu

Proudly Developed with from