Security Release - CB 1.0.1 - RELEASED!

17 years 9 months ago #18750 by Phleum
Replied by Phleum on topic Re:Security Release - CB 1.0.1 - RELEASED!
My host is taking care of the first two conditions for me (or rather providing me instructions how). They are looking for a clarification on

3) no open base directory limitations set
4) php code directories have write permissions from web-server process

Their questions: "We are not sure what is meant by these statements. What type of limitations they refer to? What do they mean by write permissions from web-server process?"

And a statement: "About the write permissions - perhaps they refer to world-writable permissions, which would allow other users on the server to write in the directories. You should note that our servers run SuExec and such permissions are not necessary on our servers and would actually not work, so if this is what they refer to, you should not worry about it."

Since this means nothing to me, I'm hoping someone here can help. My site did get hacked; now I'm just mopping up.

17 years 9 months ago #18752 by nant
crash777 wrote:

Question.. somewhat related.. maybe...

I am getting a message in my community builder:
"Your version is : 1.0
Latest version :
1.0.1 WARNING: high-risk security vulnerability has been discovered: Please Update ASAP ! More info and security release 1.0.1 available on Joomlapolis and on forge !!!"

I started fresh.. uninstalled all components, modules, etc and removed mysql tables. Then reinstalled.. Should I worry I don't have the newest version? Did I miss something? What is a foolproof way to tell? What checks is CB doing to give me this message?


Crash, if you installed fresh then your version method should have shown 1.0.1.
This means that something went wrong.
You can manually use ftp to upload the files, overwriting the old ones.

17 years 9 months ago #18753 by spikec
Replied by spikec on topic Re:Security Release - CB 1.0.1 - RELEASED!
Nice job fellas with the security update. A cinch to do in "expert" mode. You guys kick ass!

17 years 9 months ago #18767 by dpk
Phleum:

I would also like to know what "no open base directory limitations" is about.

But #4 is about the webserver's permission to write to your PHP directory.

17 years 9 months ago #18824 by beat
dpk wrote:

Phleum:

I would also like to know what "no open base directory limitations" is about.
...


This feature is independent of safemode, and can be configured on a per-site basis in httpd.conf and files included by httpd.conf, as well as in php.ini.

Some versions of Plesk do it by default, and it allows restricting from which directories files can be included by PHP (it basically avoids cross-site code-file includes).

For full explanation: Search for the 2nd occurrence of "open_basedir" in:

ch2.php.net/manual/en/features.safe-mode.php

Beat - Community Builder Team Member

Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks :)
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info

17 years 9 months ago #18825 by beat
Phleum wrote:

My host is taking care of the first two conditions for me (or rather providing me instructions how). They are looking for a clarification on

3) no open base directory limitations set
4) php code directories have write permissions from web-server process

Their questions: "We are not sure what is meant by these statements. What type of limitations they refer to? What do they mean by write permissions from web-server process?"

And a statement: "About the write permissions - perhaps they refer to world-writable permissions, which would allow other users on the server to write in the directories. You should note that our servers run SuExec and such permissions are not necessary on our servers and would actually not work, so if this is what they refer to, you should not worry about it."

Since this means nothing to me, I'm hoping someone here can help. My site did get hacked; now I'm just mopping up.


ok:
1) is the most important one, good :)
3) I replied just above
4) :

a) We mean the "others" permissions (world-write, write by anyone), if your web-server is running as part of the "others" in the file permissions.

b) If your web-server is running as part of the "group(s)" assigned to the files, we mean the "group" file permissions (and obviously others should be non-writable/non-readable).

c) If you are using SuExec to assign the web-server the same userId as your FTP/console user id, then you are in some ways better protected and in some ways less protected. Meaning: the web-server is also "owner" of all the files, and gets the "user" file permissions.

d) The very best would be for the webserver to SuExec to a different userId than yours, which is part of the "group" of your files only. There you can set the right file "write" permissions: meaning read-only for directories and files containing code (except during extension installs) and rw for temp directories like cache and media, and user-upload dirs like images/comprofiler.

Beat - Community Builder Team Member


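Following up on beat's cases a) to d) above, here is an added audit script, not code from this thread or from Community Builder, that lists the code paths a given web-server account could write to under each of those permission models. It assumes a POSIX shell with find and id, takes the web-server account name (e.g. www-data) as input, and skips the rw directories beat names (cache, media, images/comprofiler) so that only code locations are reported.

```shell
#!/bin/sh
# Added example (not from the thread or from Community Builder): audit a
# Joomla/CB tree for code locations the web-server identity can write to,
# following beat's cases a) world-write, b) group-write, c) SuExec as owner.
# Assumptions: POSIX sh, find and id; the web-server account name is passed
# in; cache, media and images/comprofiler are the rw directories from the
# post and are pruned so that only code paths show up.

_cb_prune='( -name cache -o -name media -o -path */images/comprofiler ) -prune'

# Case a): anything with the "others" write bit is writable by every local
# account, so by a web server running as an unprivileged user too.
cb_world_writable() {
    # set -f keeps the shell from glob-expanding the prune pattern
    ( set -f; find "$1" $_cb_prune -o -perm -002 -print )
}

# Cases b) and c): paths the named account can write through the owner bits
# (SuExec running as the file owner) or through any group it belongs to,
# plus the world-writable ones from case a). Under d) this list should be
# empty for code directories.
cb_writable_by() {
    root=$1
    user=$2
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    expr="-perm -002 -o ( -user $user -perm -200 )"
    for g in $(id -Gn "$user"); do
        expr="$expr -o ( -group $g -perm -020 )"
    done
    ( set -f; find "$root" $_cb_prune -o \( $expr \) -print )
}

# Example run (docroot and account name are placeholders):
# cb_writable_by /var/www/html www-data
```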