    • 37437
    • 147 Posts
    1. I just uploaded and installed the new version of Rev (2.1.5) to a Unix-based hosting account with Network Solutions. The CHMOD settings on (I believe) all of the directories, by default, were 2775. Is this an issue with Rev 2.1.5, or is it some strange interaction with Network Solutions servers? Anyway, I have been manually going in and changing directory settings to 755, but I just want to be sure that I am doing the right thing here. Also, is it critical to change all directory settings, or (in the interest of not having to scour the entire directory structure) can I safely leave many of the CHMOD settings as they are?

    2. The following warning is on my site dashboard:

    One or more configuration details didn't check out OK: Configuration warning: register_globals is set to ON in your php.ini configuration file

    I removed the '#' from '#php_flag register_globals Off' in the default MODx .htaccess file, but that just crashed the site. I then tried loading a php5.ini file to the root and all sub directories, but that did not do the trick either. Ugh.

    Thanks.

    This question has been answered by AMDbuilder. See the first response.

    [ed. note: djembe last edited this post 12 years, 4 months ago.]
      • 37437
      • 147 Posts
      Update: Managed to turn the Register Globals off. Created a php.ini file and loaded it to the cgi-bin directory. The only line in the file was:
      register_globals = off
      Worked like a charm. This takes care of #2 above.

      Now, I am still baffled by #1 above. Why, by default, were all of the site directories loaded with insanely low security settings (namely -- 2775)?
      • Hello,

        I am unsure why the Network Solution servers would change the file permission as indicated, that would be a good question for their support. Depending on their server configuration that could be the required permission.

        In regards to the Register Globals issue, I'm glad to hear you figured it out.
          Patrick | Server Wrangler
          About Me: Website | Tweets | MODX Hosting
          • 37437
          • 147 Posts
          Thanks for the reply AMDbuilder. Yeah, I spoke with the support folks at NS, but they did not provide me with a response that was all that helpful: they just kept telling me that I can change the settings myself.

          I have actually been changing a lot of the directories back down to 755. It is a laborious task though. Do you know what the real liabilities are if I leave some of the deeply-nested directories with the 2775 CHMOD settings?
          • I can't comment on their configuration and what if any risk that configuration will have on your site. I am guessing that you will be fine as that's their default configuration. Our default configuration is 644/755, which works best with our configuration.

            If you are concerned with the configuration, my only suggestion would be to switch hosting to another provider.
              Patrick | Server Wrangler
              • 37437
              • 147 Posts
              Yeah, I was all for switching to another provider, but my client is locked into NS for now and kept 'urging' me to get the site to run on their servers.

              Do you have any general remarks on making a Rev site more secure? For instance, do you think it is worthwhile to mess with the .htaccess file at the root in order to restrict access to certain directories? Any other security suggestions to consider? I am fairly inexperienced when it comes to security matters. I use MODx with the assumption that a standard install will keep the site fairly locked down, but perhaps I am being naive and should be implementing secondary measures.

              Thanks again AMDbuilder -- really appreciate your feedback.
              • You will find that MODX unlike most other systems doesn't require a lot of extra security, by default you should be very secure. The extra steps you can take to improve security would be moving the core outside of the web root, or at the least renaming the ht.access file within the core directory to .htaccess.

                Your client shouldn't be locked into their services, unless they prepaid multiple years in advance for their hosting. They would lose the prepaid time for their hosting, but the domain registration can't be lost.
                  Patrick | Server Wrangler
                  • 37437
                  • 147 Posts
                  Thanks again AMDbuilder. I finally managed to get the site up and running, so, for now, I guess I will leave it where it is. But yeah, I just spoke with a rep at Network Solutions and they told me that they change all directory CHMOD to 2775 by default. Sure makes a MODx installation tricky, because you then need to go in and change everything by hand. (And a global recursive switch won't work because the directories and files are supposed to have different default chmod settings.)

                  Anyway, I am a bit reluctant to move the core right now. My sense is that all sorts of other sub-procedures would have to then take place, and if this site breaks one more time I may jump out of a window. I may see what happens if I rename the ht.access file within the core though (that can't irreparably break a site, can it?)

                  Finally, how secure is the administrative login in Rev? The rep at NS was saying that the login credentials might not be secure on that without additional measures (ssl?). Intuition tells me that MODx has already made login into the site manager pretty secure, but I would like to be sure.

                  Thanks much AMDbuilder -- you have been very helpful.
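
The problem raised in the post above, that one recursive chmod cannot serve both directories and files, is usually handled with find. This is an added example, not code from the thread or from MODX: it audits a tree for group/world-writable and setuid/setgid entries, then resets directories to 755 and files to 644 (the values mentioned in the thread). The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and normalise a tree that was unpacked as 2775.

# Print every directory or file that is group-writable, world-writable,
# or carries a setuid/setgid bit. Symlinks are not followed.
audit_perms() {
    find "$1" \( -type d -o -type f \) \
        \( -perm -020 -o -perm -002 -o -perm -2000 -o -perm -4000 \) -print
}

# Directories -> 755, files -> 644, handled separately by type.
# Symbolic modes are used on purpose: GNU chmod keeps a directory's
# setgid bit when given a plain numeric "755", so it is cleared
# explicitly with g-s.
fix_perms() {
    find "$1" -type d -exec chmod u=rwx,go=rx,g-s {} +
    find "$1" -type f -exec chmod u=rw,go=r,ug-s {} +
}

# Constructed sample tree (not a real MODX layout) with the modes
# described in the thread: directories 2775, files 664.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/core/cache" "$root/assets"
    : > "$root/index.php"
    : > "$root/core/config.php"
    chmod 2775 "$root" "$root/core" "$root/core/cache" "$root/assets"
    chmod 664 "$root/index.php" "$root/core/config.php"
    printf '%s\n' "$root"
}
```

Run audit_perms on its own first: it changes nothing, and its output shows which paths the host's defaults actually affected before fix_perms rewrites them.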
                  • Hello,

                    I seem to be doing a good job missing responses this week!

                    If you move the core above the web root you would need to update the config settings (core.config.php) in a few locations along with a database reference. It's not difficult to do, but if you have things working leaving it alone is understandable.

                    I would rename the ht.access within the core folder at the least. It should prevent any direct web access to the folder, which isn't needed. It will not break the website, and if for some odd reason it does, just rename it back to ht.access.

                    I haven't heard of any Revo sites being hacked, so I would guess it's fairly secure. Granted your password strength determines the strength of your site as a whole, so just pick a strong password and you should be fine.

                    If you have any problems just speak up, and someone will be along to help you.
                      Patrick | Server Wrangler
                      • 37437
                      • 147 Posts
                      Well, it has been a holiday week, so 'missing responses' is certainly understandable (not that you have any obligation to respond in the first place). Anyway, again, thanks much for all of the helpful info. As you suggested, I renamed the ht.access file in the core folder and instituted a pretty rich password, so I am cautiously optimistic that the site is fairly secure at this point.