website security

 
Aprelium Forum Index -> SSL/Certificates
jscjso
Joined: 27 May 2008
Posts: 15

PostPosted: Tue May 27, 2008 11:57 pm    Post subject: website security

Hi,

I read through the forum and could not find anything addressing to my concern.

I am using Windows Vista, I wonder how secure my Abyss Web Server set up is. Here is my setting and concern:

- I clicked the Enable Automatic Anti-Hacking Protection in Server configuration.
- I only keep one index file, index.html, in the Index Files in my Host configuration setting.
- I selected Disabled in Directory Listing in Host configuration.
- all my scripts and data files are in htdocs directory and its subdirectories.

Since the index.html source can be viewed by any browser, anyone can see the pl and html script links the index.html points to. Anyone can also see the data filenames and script filenames through the index.html. People can type the URL with the specific filename found in my index.html and access directly essentially all files linked in index.html.

Can hackers use this visibility to copy or view the data files and the pl and html scripts in the htdocs directory?

If I do not select Disabled in Directory Listing, it seems to be even worse because the whole directory listing is shown if index.html does not exist. People can even navigate around the subdirectories and open them.

Please help, my goal is to allow people to execute the index.html and other scripts per the index.html links. But not to allow people to view the pl file source, the data file, and the subdirectories.

jscjso
etorvinen
Joined: 02 Jan 2005
Posts: 31

PostPosted: Tue Nov 11, 2008 6:39 am

I don't know if this helps but...

the Anti-Leeching Feature Comes in handy.

Just set the directory you want to protect then
make sure (Refuse Requests with no "Referer" Header) checkbox is checked.
Axis
Joined: 29 Sep 2003
Posts: 336

PostPosted: Tue Nov 11, 2008 5:00 pm

jscjso--

You can either disable directory listings for the folders in question or simply put a "return to www.xxx.com" index.html file in the folders in question.

Regards,
Axis


Last edited by Axis on Thu Oct 31, 2013 5:26 pm; edited 1 time in total
jscjso
Joined: 27 May 2008
Posts: 15

PostPosted: Thu Nov 13, 2008 3:28 am

Etorvinen, Axis,

Thanks for your suggestions.


jscjso
DonQuichote
Joined: 24 Dec 2006
Posts: 68
Location: The Netherlands

PostPosted: Thu Nov 13, 2008 3:10 pm    Post subject: Re: website security

jscjso wrote:
- all my scripts and data files are in htdocs directory and its subdirectories.


That is what I do not want in a secure system, because all the scripts can be called directly. Even the ones that should only be included by another script. Calling an "inclusion" script directly can lead to a few problems:

  • The script could actually do something, like re-initializing a database or cleaning up an error log.
  • The script may lack references to other code and fail with all too clear error messages. If you are unlucky, contents of variables and queries could be shown. Very useful to hackers!
  • You should be able to control what can be called from outside and what is only for internal use.

So my site has most code outside of the web root. In fact, the web root itself contains little more than calls to the code outside the web root. For my setup, see http://www.howtoforge.org/set-up-a-modular-svn-repository-for-php-websites

The above story also reveals another security consideration: Error showing should always be set to maximum teasing and nit-picking on development machines, and set to silent on production servers.
This means that on a production server the errors must not show. They should be logged, sent to the developer or whatever.
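As an added example (not code from this thread, from Abyss Web Server, or from the linked howtoforge article), here is the pattern DonQuichote describes written in Python rather than the original poster's Perl: the web root holds only a thin dispatcher, the real code lives outside it, only an explicit list of actions is reachable by URL, and errors are logged in full but shown to visitors only on a development machine. The directory paths and action names are assumptions.

```python
import logging
import os
import sys
import traceback

# Assumed layout: htdocs is the web root, /srv/site/app (outside htdocs) holds the code.
APP_DIR = "/srv/site/app"
sys.path.insert(0, APP_DIR)  # in a real deployment the handlers would be imported from here
PRODUCTION = os.environ.get("SITE_ENV", "production") == "production"

log = logging.getLogger("site")


def show_index(params):
    return "Welcome"


def show_report(params):
    # Deliberately raises KeyError when "user" is missing, to exercise the error path.
    return "Report for %s" % params["user"]


def truncate_error_log(params):
    # Internal maintenance code: exists, but is NOT listed below, so no URL reaches it.
    return "log truncated"


# The only names that may be called from outside; everything else is "include-only".
PUBLIC_ACTIONS = {"index": show_index, "report": show_report}


def dispatch(action, params, production=PRODUCTION):
    """Return (status, body). Unknown actions are refused rather than resolved to a file."""
    handler = PUBLIC_ACTIONS.get(action)
    if handler is None:
        return 404, "Not found"
    try:
        return 200, handler(params)
    except Exception:
        # Always keep the full traceback for the developer...
        log.error("action %r failed:\n%s", action, traceback.format_exc())
        if production:
            # ...but never show variables, queries or paths to the visitor.
            return 500, "Internal error"
        return 500, traceback.format_exc()  # development machine: be "nit-picking"
```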