twhite3000 / vqmod

Automatically exported from code.google.com/p/vqmod

Basic Security additions #40

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
All directories should include an empty index.html file, or one that redirects.

A define should be included in the main index.html and checked in the vqmod.php to ensure that vqmod isn't called directly.

What is the expected output? What do you see instead?

vQmod Version: 2.1.6
Server Operating System: All

Misconfigured Apache instances or improper installations can allow an attacker to see the contents of the vqmod directories/xml directories. A simple fix is to include a blank index.html file, which will keep Apache from showing directory contents.

Adding a define at the top of the main index.php and admin/index.php:

   define('_VQMOD',1);

and a line at the top of the vqmod.php:

   defined('_VQMOD') or die; // stop requests that reach vqmod.php directly

will keep vqmod from being an entrypoint for running other php files.

Original issue reported on code.google.com by bassmeis...@gmail.com on 28 May 2012 at 3:22

GoogleCodeExporter commented 9 years ago
that should be index.php on line 2.  :)

Original comment by bassmeis...@gmail.com on 28 May 2012 at 3:23

GoogleCodeExporter commented 9 years ago
Well I'm not really sure as to how beneficial your above suggestions are, to be honest. The .htaccess file prevents any indexes from showing and has deny on any .xml files to prevent unauthorised guessing of .xml files.

Original comment by DJG6...@gmail.com on 28 May 2012 at 10:48

GoogleCodeExporter commented 9 years ago
fyi, the htaccess in the last version I downloaded contained only one line:

#Prevent Directory Listing

Original comment by bassmeis...@gmail.com on 30 May 2012 at 11:14

GoogleCodeExporter commented 9 years ago
These ideas are from the Joomla project. I've watched a lot of exploits happen in third party plugins because of simple fixes like these that weren't included. Not every host can be set up to use mod_rewrite, and if someone unzips the file then copies it, the .htaccess file won't get copied since it's hidden.

Original comment by bassmeis...@gmail.com on 30 May 2012 at 11:18
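As an added example (not part of vqmod or this thread's own code), the following POSIX shell functions audit an install for the two points raised above: a blank index.html in every directory, and an .htaccess that actually contains an `Options -Indexes` directive rather than only the comment "#Prevent Directory Listing". The vqmod/xml and vqmod/logs paths in the demo are a constructed sample tree.

```shell
#!/bin/sh
# Added example: audit a vqmod install for missing index files and for an
# .htaccess that does not really disable directory listing.

# Print each directory under $1 that has neither index.html nor index.php.
missing_index_dirs() {
  find "$1" -type d | while read -r d; do
    [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || printf '%s\n' "$d"
  done
}

# Create an empty index.html in every directory under $1 that lacks one.
add_blank_index() {
  missing_index_dirs "$1" | while read -r d; do
    : > "$d/index.html"
  done
}

# Return 0 only if $1/.htaccess has an active "Options ... -Indexes" line;
# comment lines (like a file containing only "#Prevent Directory Listing")
# are ignored, so they do not count as protection.
htaccess_disables_listing() {
  [ -f "$1/.htaccess" ] || return 1
  grep -v '^[[:space:]]*#' "$1/.htaccess" \
    | grep -qi 'Options[[:space:]].*-Indexes'
}

# Demo on a constructed sample tree (hypothetical layout, not a real install).
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/vqmod/xml" "$root/vqmod/logs"
  printf '#Prevent Directory Listing\n' > "$root/vqmod/.htaccess"
  printf 'before: %s dirs without an index file\n' \
    "$(missing_index_dirs "$root/vqmod" | wc -l | tr -d ' ')"
  add_blank_index "$root/vqmod"
  printf 'after: %s dirs without an index file\n' \
    "$(missing_index_dirs "$root/vqmod" | wc -l | tr -d ' ')"
  if htaccess_disables_listing "$root/vqmod"; then
    echo ".htaccess disables listing"
  else
    echo ".htaccess does NOT disable listing (comment only?)"
  fi
  rm -rf "$root"
}
```

Run `demo` to see the counts drop from 3 to 0 and the comment-only .htaccess flagged as ineffective.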

GoogleCodeExporter commented 9 years ago

Original comment by DJG6...@gmail.com on 5 Sep 2012 at 8:44