Current time: 12-13-2019, 02:33 AM Hello There, Guest! (LoginRegister)


Post Reply 
Probably a security hole!
Author Message
koko92_national Offline
Junior Member
*

Posts: 70
Joined: Jul 2008
Reputation: 0
Post: #1
Probably a security hole!
Log on in the panel as a client and then enter in the url:
themes/omega_original/admin/index.tpl

Notice that you can see the admin templates! I'm not sure if this is a security hole but still it is not right to look at the admin templates.
03-20-2010 11:34 PM
Find all posts by this user Quote this message in a reply
Nuxwin
Unregistered

 
Post: #2
RE: Probably a security hole!
Hello ;

It's not a security hole because that is not a real view script but just a template that contain replacement variables. But right now, the better is to hide the raw content of these.

Best Regards
03-20-2010 11:53 PM
Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #3
RE: Probably a security hole!
Maybe we could add an .htaccess in the "templates" directory, stating:
Code:
deny from all
03-21-2010 07:59 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Nuxwin
Unregistered

 
Post: #4
RE: Probably a security hole!
Hello Marc ;

Why not, but we can also act as Zend no ?
03-21-2010 08:13 PM
Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #5
RE: Probably a security hole!
I don't know what you mean by "acting like Zend" nux :?
03-21-2010 08:39 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Nuxwin
Unregistered

 
Post: #6
RE: Probably a security hole!
Sorry Marc :

Separate public directory for reachable files (css, images, js, index.php) and all others not inside the DocumentRoot.
03-21-2010 08:54 PM
Quote this message in a reply
ephigenie Offline
Project Leader
*******
Administrators

Posts: 1,578
Joined: Oct 2006
Reputation: 15
Post: #7
RE: Probably a security hole!
+1 for this - this would be a much better approach (no non-public visible files & libraries below document_root )
03-22-2010 10:18 PM
Visit this user's website Find all posts by this user Quote this message in a reply
kassah Offline
Junior Member
*

Posts: 46
Joined: Oct 2010
Reputation: 1
Post: #8
RE: Probably a security hole!
it's not a bad idea, I've always wondered about programs constantly putting their code in /var/www/ which is the default root directory of most apache servers by default. I would think this would be a liability if somehow the configs got reverted to package defaults without PHP (thus showing off php sources). I'd have to look it up, but I'd swear there was a case made public on slashdot where a company's records were put up for all the public to see because of a similar error to the case presented in my post.

This is why I've always used /srv for that, I have no idea if that's the "proper" use of that directory. It could be I'm ignorent and it's apart of the LSB spec.
(This post was last modified: 10-31-2010 02:34 AM by kassah.)
10-31-2010 02:29 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)