  • http://wiki.modxcms.com/index.php/Securing_your_site

    I followed these instructions, although it became quite clear to me that this wiki page has not been updated in many years, as some of the instructions don’t actually correlate with the files in modx.

    That being said, I can no longer log into my site, and am being met with the following php error messages:


    PHP Error Message

    Warning: include_once(config.inc.php) [function.include-once]: failed to open stream: No such file or directory in /home/a8390429/public_html/manager/index.php on line 129

    PHP Error Message

    Warning: include_once() [function.include]: Failed opening ’config.inc.php’ for inclusion (include_path=’.:/usr/lib/php:/usr/local/lib/php:/home/a8390429/public_html/manager/includes/’) in /home/a8390429/public_html/manager/index.php on line 129


    PHP Error Message

    Warning: include_once(MODX_BASE_PATHmanager/includes/extenders/dbapi..class.inc.php) [function.include-once]: failed to open stream: No such file or directory in /home/a8390429/public_html/manager/includes/document.parser.class.inc.php on line 39


    PHP Error Message

    Warning: include_once() [function.include]: Failed opening ’MODX_BASE_PATHmanager/includes/extenders/dbapi..class.inc.php’ for inclusion (include_path=’.:/usr/lib/php:/usr/local/lib/php:/home/a8390429/public_html/manager/includes/’) in /home/a8390429/public_html/manager/includes/document.parser.class.inc.php on line 39

    • As you stated, that is old documentation, so just put back your original files.

      If you run suPHP and PHPSuexec /fastCGI (php info) the folders will be set 755/644
      anyway.
        @hawproductions | http://mrhaw.com/
      • If it is old documentation, can you please get the moderators to delete the page. It simply wastes people’s time and can really mess up a person’s site.

        That being said, I’ve now changed back the permissions- well I think I have.

        May I ask where up to date documentation exists on how to secure your site?
        • Since it’s a community maintained wiki, and is editable by end users, maybe something more productive would be to update it rather than nuking content outright. Would be a great way to give back to the community in fact.
            Ryan Thrash, MODX Co-Founder & Leader of Awesomeness
            Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
          • I’ll see if I can collect a bunch of info into a thread...
              @hawproductions | http://mrhaw.com/
            • Thanks, that would be very helpful. It’s confusing for newbs like me who don’t know what they’re doing to follow out of date instructions.
              • Does anyone know where exactly in the manager folder the instructions are referring to? Is it talking about copying the code into the .htaccess file already in the manager folder, or creating a new php file or .htaccess file within the manager folder to put the code below in?


                http://svn.modxcms.com/docs/display/MODx096/Friendly+URL+Solutions

                Manager Protection

                If you would like to limit the manager to being accessed by only a specific IP address, but need access to some things on the public site like the captcha, use the following. Make sure this goes inside the Manager directory: (?????)


                # Allow manager access to specific IPs only

                Options +FollowSymlinks
                RewriteEngine On

                # Deny by IP. The IP address(es) listed will get through.
                RewriteCond %{REMOTE_ADDR} !^(192\.168\.0\.128)$
                RewriteCond %{REQUEST_FILENAME} !/includes/veriword\.php$
                RewriteRule ^(.*)$ ../index.php?q=$1 [L,QSA]
                • Correct! Set ip and paste it into the ht.access in manager folder and rename the file to .htaccess
                  + you might have to change htaccess in root folder
                  from
                  RewriteRule ^(manager|assets) - [L]  

                  to
                  RewriteRule ^assets - [L]  
                    @hawproductions | http://mrhaw.com/
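
Added example (not part of the original thread or of MODX's own code): a Python sketch that generates the REMOTE_ADDR condition quoted above from a list of allowed IPs, with dots escaped and the pattern anchored, and replays both conditions against constructed requests to check which ones the rule sends to ../index.php. The function names, sample paths and the 203.0.113.7 client are assumptions made for illustration.

```python
import re

CAPTCHA_RE = r"/includes/veriword\.php$"   # second RewriteCond on the page


def build_remote_addr_cond(allowed_ips):
    """Build the REMOTE_ADDR RewriteCond for a list of IPv4 addresses.

    Dots are escaped and the alternation is anchored with ^(...)$ so an
    entry matches exactly one address, not every address sharing a prefix.
    """
    for ip in allowed_ips:
        octets = ip.split(".")
        if len(octets) != 4 or not all(
            o.isascii() and o.isdigit() and int(o) <= 255 for o in octets
        ):
            raise ValueError(f"not an IPv4 address: {ip!r}")
    alternation = "|".join(re.escape(ip) for ip in allowed_ips)
    return f"RewriteCond %{{REMOTE_ADDR}} !^({alternation})$"


def is_rewritten(cond_line, remote_addr, request_filename):
    """Replay both conditions; True means the rule sends the request to
    ../index.php instead of serving the manager file.

    The conditions are negated and ANDed (mod_rewrite's default), so the
    rule fires only for an unlisted IP asking for something other than
    the captcha script.
    """
    ip_pattern = cond_line.split("!", 1)[1]
    ip_unlisted = re.search(ip_pattern, remote_addr) is None
    not_captcha = re.search(CAPTCHA_RE, request_filename) is None
    return ip_unlisted and not_captcha


# Constructed sample data: paths and the 203.0.113.7 client are made up.
COND = build_remote_addr_cond(["192.168.0.128"])
LOOSE = "RewriteCond %{REMOTE_ADDR} !^192.168.0.1"   # unescaped, no end anchor
MANAGER = "/var/www/example/manager/index.php"
CAPTCHA = "/var/www/example/manager/includes/veriword.php"

if __name__ == "__main__":
    print(COND)
    for ip, path in [("192.168.0.128", MANAGER), ("203.0.113.7", MANAGER),
                     ("203.0.113.7", CAPTCHA), ("192.168.0.199", MANAGER)]:
        print(ip, path, "rewritten" if is_rewritten(COND, ip, path) else "served")
    # The loose pattern also admits 192.168.0.199:
    print(is_rewritten(LOOSE, "192.168.0.199", MANAGER))
```

The generated line for 192.168.0.128 is identical to the one in the quoted documentation; the LOOSE line shows why the escaping and the trailing `$` matter when you substitute your own address.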
                  • Quote from: rthrash at Oct 02, 2009, 08:54 AM

                    Since it’s a community maintained wiki, and is editable by end users, maybe something more productive would be to update it rather than nuking content outright. Would be a great way to give back to the community in fact.

                    Sorry, I didn’t realise that anyone could amend the wiki page.

                    I have signed up for a wiki account and have made several amendments to the wiki page- particularly on the installation and modx security page.

                    And yes- it does feel great to give back to the community!
                    • Burp to malicious scripts:
                      http://modxcms.com/forums/index.php?topic=33783.0

                      Disable directory index file and folder listings:
                      Options -Indexes


                      Upgrade eForm snippet:
                      http://modxcms.com/forums/index.php/topic,38336.msg231879.html#msg231879

                      Block spam bots from WebSignup snippet:
                      http://modxcms.com/forums/index.php/topic,34174.msg207863.html#msg207863

                      More to come...
                        @hawproductions | http://mrhaw.com/