Security implications without apache overrides?

robw
Post by robw »

I am working on a new s9y install, but the host does not allow certain .htaccess overrides - I have had to comment out all the following in the main s9y .htaccess file in order to get the blog to run:

#ErrorDocument 404 /blog/index.php
#DirectoryIndex /blog/index.php
#php_value session.use_trans_sid 0
#php_value register_globals off

#<Files *.tpl.php>
#    deny from all
#</Files>

#<Files *.tpl>
#    deny from all
#</Files>

#<Files *.sql>
#    deny from all
#</Files>

#<Files *.inc.php>
#    deny from all
#</Files>

#<Files *.db>
#    deny from all
#</Files>

What are the security implications of leaving these off? Does s9y become very vulnerable with register globals on, and these file restrictions ignored, or are these just to be extra safe?

Should I recommend switching to another host?

Cheers
Rob
garvinhicking
Core Developer
Post by garvinhicking »

Hi!

The 'use_trans_sid' option, if enabled, would lead to Session disclosure on your blog and make attacks on people's sessions a lot easier.

Register_globals being set to 'on' can make code inclusion a lot easier.

Being able to read *.tpl or *.tpl.php files doesn't really put any security risks in place, but it will allow people to get the source of your template files, and you can't protect your template code this way.

.sql files are noncritical, since they could also be gotten via a simple s9y release file.

The *.db thing would be VERY critical if you were using SQLite as the DB storage of your blog.

"What are the security implications of leaving these off? Does s9y become very vulnerable with register globals on, and these file restrictions ignored, or are these just to be extra safe?"

s9y was developed with register_globals possibly set to 'On' in mind. So we do try to initialize all global variables first, preventing injections as well as possible. However, any external plugins might not be so careful - and exploits in the past to the $serendipity superglobal variable have shown that they would have been prevented by register_globals=Off...

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
robw
Post by robw »

Thanks Garvin,

I have since set the trans_sid via an ini_set() in the s9y local config, so this is not an issue, but shame we cannot set register globals there...

Hmm... so in summary, there is some risk with register globals on, but mostly from plugins which may not be coded properly.

Will see what they want to do :)

Cheers
Rob
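
A runtime guard for the situation discussed above, where register_globals cannot be switched off through .htaccess or ini_set(); this is an added example, not part of the thread and not Serendipity code. It assumes a PHP version older than 5.4 (where register_globals still exists) and that the file is loaded before any application or plugin code sets a global; `undo_register_globals` is a hypothetical name.

```php
<?php
// Added example, not Serendipity code. Assumes it is loaded before any
// application or plugin code has set a global variable.
function undo_register_globals()
{
    // register_globals is applied before the script starts, so ini_set()
    // cannot switch it off; the injected globals have to be removed instead.
    $flag = strtolower((string) ini_get('register_globals'));
    if (in_array($flag, array('', '0', 'off', 'no', 'false'), true)) {
        return array(); // already off, or the setting no longer exists
    }

    $reserved = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                      '_SERVER', '_ENV', '_FILES', '_SESSION');

    // A request parameter named like a superglobal is never legitimate:
    // reject the request rather than try to clean it up.
    foreach (array($_GET, $_POST, $_COOKIE, $_FILES) as $input) {
        foreach ($reserved as $name) {
            if (array_key_exists($name, $input)) {
                header('HTTP/1.0 400 Bad Request');
                exit('Bad request');
            }
        }
    }

    $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV);
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;
    }

    // Drop every global whose name matches an input key.
    $removed = array();
    foreach ($sources as $input) {
        foreach (array_keys($input) as $name) {
            $name = (string) $name;
            if (!in_array($name, $reserved, true)
                && array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed[] = $name;
            }
        }
    }
    return $removed; // names that were unset, e.g. for logging
}

undo_register_globals();
```

Code that reads request data through $_GET, $_POST and $_COOKIE is unaffected; only the bare global copies are removed.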