
Joomlapolis Forums  


Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/13 13:01 By: Phleum Status: User  
Karma: 0  
Junior Joomlapolitan

Posts: 35
My host is taking care of the first two conditions for me (or rather providing me instructions how). They are looking for a clarification on

3) no open base directory limitations set
4) php code directories have write permissions from web-server process

Their questions: "We are not sure what is meant by these statements. What type of limitations they refer to? What do they mean by write permissions from web-server process?"

And a statement: "About the write permissions - perhaps they refer to world-writable permissions, which would allow other users on the server to write in the directories. You should note that our servers run SuExec and such permissions are not necessary on our servers and would actually not work, so if this is what they refer to, you should not worry about it."

Since this means nothing to me, I'm hoping someone here can help. My site did get hacked; now I'm just mopping up.

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/13 14:18 By: nant Status: Admin  
Karma: 452  
Admin

Posts: 5722
crash777 wrote:
Question.. somewhat related.. maybe...

I am getting a message in my community builder:
"Your version is : 1.0
Latest version :
1.0.1 WARNING: high-risk security vulnerability has been discovered: Please Update ASAP ! More info and security release 1.0.1 available on Joomlapolis and on forge !!!"

I started fresh.. uninstalled all components, modules, etc and removed mysql tables. Then reinstalled.. Should I worry I don't have the newest version? Did I miss something? What is a foolproof way to tell? What checks is CB doing to give me this message?


Crash, if you installed fresh then your version method should have shown 1.0.1.
This means that something went wrong.
You can manually use ftp to upload the files over-writting the old ones.
Nick A.
CB Core Team Member
Support CB Development and Get Detailed Documentation
Developer of Nant's Gallery plugin
CB Gallery Extensions Listing, Rate CB Gallery on Extensions Site
Developer of CB AutoWelcome Plugin
CB AutoWelcome Extensions Listing,Rate CB AutoWelcome on Extensions Site
People ignoring your call for help? Read this!
FAQ you
Joomlapolis Extensions Directory (new)- check it out!

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/13 14:45 By: spikec Status: CB Doc subscriber  
Karma: 13  
Senior Joomlapolitan

Posts: 81
Nice job fellas with the security update. A cinch to do in "expert" mode. You guys kick ass!

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/13 22:47 By: dpk Status: CB Doc subscriber  
Karma: 2  
Senior Joomlapolitan

Posts: 84
Phleum:

I would also like to know what "no open base directory limitations" is about.

But #4 is about the webserver's permission to write to your PHP directory.

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/14 16:38 By: beat Status: Admin  
Karma: 239  
Admin

Posts: 3822
dpk wrote:
Phleum:

I would also like to know what "no open base directory limitations" is about.
...


This feature is independent of safemode, and can be configured on a per-site basis in httpd.conf and files included by httpd.conf, as well as in php.ini.

Some versions of Plesk do it by default, and it allows restricting which directories PHP may include files from (it basically prevents cross-site includes of code files).

For a full explanation, search for the 2nd occurrence of "open_basedir" in:

http://ch2.php.net/manual/en/features.safe-mode.php
Beat - Developer on Community Builder core Team
- If you like CB and this forum, you will love Nick's CB 1.1 reference manual ! : Click here to Get it now
- Would like to help us move faster ? Get it, and/or help us spend more time coding by helping others in this forum, many thanks
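An added illustration of the per-site configuration the post above refers to (this is not from the post or from Community Builder): an httpd.conf virtual host that restricts PHP to the site's own tree using mod_php's php_admin_value directive. The paths and server name are placeholders.

```apacheconf
# httpd.conf (or a file it includes): per-site open_basedir via mod_php.
# Placeholder paths: replace /var/www/example with your site's directory.
<VirtualHost *:80>
    ServerName example.invalid
    DocumentRoot /var/www/example/htdocs
    # PHP in this site may only open/include files below these trees.
    # The trailing slash matters: "/var/www/example" without it is a
    # prefix match and would also allow "/var/www/example2".
    php_admin_value open_basedir "/var/www/example/:/tmp/"
</VirtualHost>
```

The equivalent global setting in php.ini is the single line `open_basedir = "/var/www/example/:/tmp/"`; php_admin_value is preferred for shared hosts because a site's own .htaccess cannot override it. Note that open_basedir limits what PHP's file functions and include statements can reach; it does not restrict what a site can do through exec-type functions, so it complements, rather than replaces, the file-permission setup discussed in the following posts.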

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/14 16:49 By: beat Status: Admin  
Karma: 239  
Admin

Posts: 3822
Phleum wrote:
My host is taking care of the first two conditions for me (or rather providing me instructions how). They are looking for a clarification on

3) no open base directory limitations set
4) php code directories have write permissions from web-server process

Their questions: "We are not sure what is meant by these statements. What type of limitations they refer to? What do they mean by write permissions from web-server process?"

And a statement: "About the write permissions - perhaps they refer to world-writable permissions, which would allow other users on the server to write in the directories. You should note that our servers run SuExec and such permissions are not necessary on our servers and would actually not work, so if this is what they refer to, you should not worry about it."

Since this means nothing to me, I'm hoping someone here can help. My site did get hacked; now I'm just mopping up.


ok:
1) is the most important one, good
3) I replied just above
4) :

a) We mean the "others" permissions (world-write, write by anyone) if your web-server is running as part of "others" in the file permissions.

b) If your web-server is running as part of the group(s) assigned to the files, we mean the "group" file permissions (and obviously "others" should be non-writable/non-readable).

c) If you are using SuExec to assign to the web-server the same userId as your FTP/console user id, then you are in some ways better protected and in some ways less protected. Meaning: the web-server is also "owner" of all the files, and gets the "user" file permissions.

d) The very best would be for the webserver to SuExec to a different userId than yours, which is part of the "group" of your files only. There you can set the right file "write" permissions: meaning read-only for directories and files containing code (except during extension installs) and rw for temp directories like cache and media, and user-upload dirs like images/comprofiler.
Beat - Developer on Community Builder core Team
- If you like CB and this forum, you will love Nick's CB 1.1 reference manual ! : Click here to Get it now
- Would like to help us move faster ? Get it, and/or help us spend more time coding by helping others in this forum, many thanks
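An added example (not from this post or from Community Builder) that turns the four cases above into a check you can run against a site tree. It decides write access purely from Unix mode bits, picking the owner, group or "others" bits depending on whether the web-server uid owns the file, is in its group, or neither, exactly as cases a) to d) describe. The list of directories allowed to be writable (cache, media, images/comprofiler) is constructed from the post; the uid and group ids of the web-server process are passed in, so the script runs without root. Root's bypass of permission bits and POSIX ACLs are not modelled.

```python
import os
import pwd
import stat
import sys

# Directories the post names as legitimately writable by the web server
# (cache, media, images/comprofiler); constructed default, adjust per site.
DEFAULT_RW_DIRS = ("cache", "media", "images/comprofiler")


def can_write(st, uid, gids):
    """Decide from mode bits alone whether a process running as `uid`
    with group ids `gids` may write the inode described by `st`.
    Mirrors cases a) to d): owner bits if the web server owns the file
    (SuExec to your own id), group bits if it is only in the file's
    group, otherwise the 'others' bits. Root and ACLs are not modelled."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def is_data_path(rel, rw_dirs):
    """True if `rel` is one of the rw directories or lies below one."""
    return any(rel == d or rel.startswith(d + "/") for d in rw_dirs)


def audit(root, uid, gids, rw_dirs=DEFAULT_RW_DIRS):
    """Walk `root` and return sorted (relative_path, problem) tuples:
    code paths the web server could write, data directories it cannot,
    and anything world-writable (wrong under every case above)."""
    findings = []
    gids = set(gids)
    for dirpath, _dirnames, filenames in os.walk(root):
        # Check the directory itself, then each regular file in it.
        for name in [None] + filenames:
            full = dirpath if name is None else os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target where it lives, not the link
            writable = can_write(st, uid, gids)
            data = is_data_path(rel, rw_dirs)
            if writable and not data:
                findings.append((rel, "code path writable by web-server process"))
            elif data and not writable and stat.S_ISDIR(st.st_mode):
                findings.append((rel, "data directory not writable by web-server process"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_perms.py /path/to/joomla www-data
    site_root, web_user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(web_user)
    web_gids = os.getgrouplist(web_user, pw.pw_gid)
    for path, problem in audit(site_root, pw.pw_uid, web_gids):
        print(f"{problem}: {path}")
```

Run it with the user name your web server (or SuExec) actually runs PHP as; in case c) that is your own account, and the script will then report every owner-writable code file, which is exactly the trade-off the post describes. A clean run prints nothing.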
