security: WSN Support

Version: 3.15

security

fuee
Forum Regular

Usergroup: Customer
Joined: Nov 01, 2004
Total Topics: 56
Total Posts: 121

Posted 05/24/05 - 08:56 PM:	#1
How can I increase my admin security? My File Upload Path under system configuration and Directory URL in the admin panel have been changed twice in the past two months and it is not by me. I have changed my admin file since the first time and now it happened again. I am not sure if someone hacked in to my account or if its a bug. Has anyone else experience this problem? 1) I use www.yoursite.com for directory url and the www was striped below to yoursite.com Directory URL: The location of your links directory. Exclude trailing '/'. Example: http://www.yoursite.com now became http://yoursite.com 2) My path is striped of the back slash and all the letters were not separated except a back slash at the end. File Upload Path: The full path (not URL) of your attachments directory. Include trailing / or \. Best guess: it's probably /www/f/fd/yoursite.com/admin now became wwwffdyoursite.comadmin/ Thanks, Fuee Edited by fuee on 05/25/05 - 06:17 AM. Reason: Provide detail information

Paul
Administrator

Usergroup: Administrator
Joined: Dec 21, 2001
Location: Northern California
Total Topics: 57
Total Posts: 6316

Posted 05/25/05 - 12:28 PM:	#2
The changing has nothing to with security. If somebody hacked you, they would find more things to do than simply remove slashes. It is a known issue that slashes occasionally vanish from the file path. I've not yet seen a pattern to indicate when/how this happens, except it seems kind of like it happens to me around when the server is rebooted. 3.20 allows specification of $uploadpath = '/www/...'; in config.php to prevent such issues, but 3.15 doesn't. The www removal I have never seen or heard about.
"Do things you love doing, because then it ain't work. Don't do something you don't really enjoy, because you're never going to work hard enough at it." - Bob Young, founder of Red Hat

fuee
Forum Regular

Usergroup: Customer
Joined: Nov 01, 2004
Total Topics: 56
Total Posts: 121

Posted 05/26/05 - 08:49 PM:	#3
Paul wrote: The changing has nothing to with security. If somebody hacked you, they would find more things to do than simply remove slashes. It is a known issue that slashes occasionally vanish from the file path. I've not yet seen a pattern to indicate when/how this happens, except it seems kind of like it happens to me around when the server is rebooted. 3.20 allows specification of $uploadpath = '/www/...'; in config.php to prevent such issues, but 3.15 doesn't. The www removal I have never seen or heard about. Paul, Is it possible for me to just update only the admin files in the upgrade to 3.20 so i can correct this error and receive any additional benifits with the admin changes you have made? I rather not update to the new templates since I am sastified with my current template layout. Thanks, Fuee

Paul
Administrator

Usergroup: Administrator
Joined: Dec 21, 2001
Location: Northern California
Total Topics: 57
Total Posts: 6316

Posted 05/26/05 - 09:42 PM:	#4
The admin files rely on other files. But no templates actually have to be overwritten as far as I am aware except admin panel templates. However, 3.20 is experimental and thus is likely to have bugs so you'd be sacrificing stability.
"Do things you love doing, because then it ain't work. Don't do something you don't really enjoy, because you're never going to work hard enough at it." - Bob Young, founder of Red Hat

Paul
Administrator

Usergroup: Administrator
Joined: Dec 21, 2001
Location: Northern California
Total Topics: 57
Total Posts: 6316

Posted 05/28/05 - 05:13 PM:	#5
Bad memory here on my part it seems. On check, the option is actually in 3.15 already. Just add these lines to your config.php (inside the php area): $dirurl = 'http://yoururl.com'; $uploadpath = '/your/file/path/';
"Do things you love doing, because then it ain't work. Don't do something you don't really enjoy, because you're never going to work hard enough at it." - Bob Young, founder of Red Hat

You don't have permission to post.