Serendipity Forums

I am working on a new s9y install, but the host does not allow certain .htaccess overrides - I have had to comment out all the following in the main s9y .htaccess file order to get the blog to run:
What are the security implications of leaving these off? Does s9y become very vunerable with register globals on, and these file restrictions ignored, or are these just to be extra safe?

Should I recommend switching to another host?

Cheers
Rob

Hi!

The 'use_trans_sid' option, if enabled, would lead to Session disclosure on your blog and make attacks on people's sessions a lot easier.

Register_globals being set to 'on' can make code inclusion a lot easier.

Being able to read *.tpl or *.tpl.php files doesn't really put any security risks in place, but it will allow people to get the source of your template files, and you can't protect your template code this way.

.sql files are noncritical, since they could also be gotten via a simple s9y release file.

The *.db thing would be VERY critical if you were using SQLite as the DB storage of your blog.

What are the security implications of leaving these off? Does s9y become very vunerable with register globals on, and these file restrictions ignored, or are these just to be extra safe?

s9y was developed with register_globals possibly set to 'On' in mind. So we do try to initialize all global variables first, preventing injections as good as possible. However, any external plugins might not be so carful - and exploits in the past to the $serendipity superglobal variable have shown that they would have been prevented by register_globals=Off...

Best regards,
Garvin

Thanks Garvin,

I have since set the trans_sid via an ini_set() in the s9y local config, so this is not an issue, but shame we cannot set register globals there...

Hmm... so in summary, there is some risk with register globals on, but mostly from plugins which may not be coded properly.

Will see what they want to do

Cheers
Rob