Re: installiing joomla

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sun, 2013-09-15 at 21:37 +1000, Roger wrote:
> I solved it by:
> cd /var/www/html
> sudo mkdir tester

Ugh...  Make special areas (whether they be virtual hosts, or writable
areas, etc.) outside of the tree.  By way of example, you don't want
someone to be able to navigate into a virtual host by simply appending
the directory name to the end of some other website address.

e.g.  /var/www/html       (default website)
      /var/www/html/bad   (a badly filepathed virtual host)
      /var/www/better     (a better filepathed virtual host)

Let's say the first one is www.example.com, the second one is where
bad.example.com is served from, and the third is better.example.com.

I can get into bad.example.com by browsing www.example.com/bad

That's a bad idea if they're meant to be completely independent sites.
It also means you need to make up extra rules, to cover filepaths and
URIs, for each of the ways someone could access them, if you need to
impose restrictions on the /bad files differently from the default
website.  Otherwise, someone can sidestep your rules.  And break
anything that relies on them using the right URIs.

Contrariwise, I cannot get into better.example.com from any other
address, I have to enter it via its own address.

As I'm sure others have explained, writable areas should be kept
separate, in a similar fashion (outside of the tree).  Applications that
write should only be able to write to their own special places.  The
server should read from them, probably using that application in the
middle, to process the data.  You don't want someone to be able to
directly access the data, unless it's meant to be directly accessible.

If you have some application that insists you run your server in a
vulnerable manner, ditch it.  A shiny interface to a turd, is still an
interface to a turd.

Way OT:  I've spent the last week surrounded by cows, sheep, and
woodcutters in our state fair, so haven't had a chance to do much
emailing.  For what it's worth, Fedora was used to reliably give the
counts to start our races for the last week.  Using a tiny script I
wrote to give the officials a one-button start/stop remote control to
mplayer playing an ogg file.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.



-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux