Quote from: toti at Jan 30, 2006, 04:10 PM
But, just to give you an example of the bad thing in the code (so that anybody knows which cms you are using) is that the path to "manager" is hard-coded just about everywhere in the code (the good way would be to define it in a constant).
[..]The same applies to "assets" (which is very particular to Etomite / Modx) and many other directories (like the snippets' one that has nothing to do in a publicly designed folder).
First of all thank you for being aware of security, your recommendations are good, but I think the thing with pathnames goes more into webserver security. On most apache configurations a simple .htaccess file with "Deny from all" would protect your directories with php include files (say "snippets" or "plugins") in a reliable way.
To enhance security furthermore, you could apply the following directive to the document root of your website:
<Files "*.inc.php">
Order allow,deny
Deny from all
</Files>
That would prevent php-code from being displayed in case the php engine died/is not running.
Anyway, I like the idea of renaming "manager" to something else - that would be a nice feature. Nevertheless I think the right way subject to security would be to continue making backend login even safer, so that it doesn’t count if someone knows the path or not.
Again, thank you for your support. Please feel free to contact me for any ideas and suggestions related to security.
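As an added example (not part of the original post or of the Modx project), the two measures described above combined into one configuration, with the Apache 2.2 syntax quoted in the post next to its Apache 2.4 equivalent; the directory name "snippets" is taken from the post, and the document root path is an assumed placeholder.

```apache
# --- Blocking direct access to a directory of PHP include files ---
# Put this in <docroot>/snippets/.htaccess. It only takes effect if the
# enclosing <Directory> has "AllowOverride Limit" (or "All"); with
# "AllowOverride None" the .htaccess file is silently ignored and the
# directory stays reachable from the web.

# Apache 2.2 syntax (needs mod_access_compat on 2.4):
Order allow,deny
Deny from all

# Apache 2.4 equivalent (mod_authz_core):
# Require all denied

# --- Refusing to serve *.inc.php anywhere under the document root ---
# Goes in the vhost / main config so it cannot be overridden per directory.
# Only affects files served directly by the webserver; PHP's own include()
# of these files from other scripts keeps working.
<Directory "/var/www/example-docroot">   # assumed placeholder path
    <Files "*.inc.php">
        # Apache 2.2:
        Order allow,deny
        Deny from all
        # Apache 2.4:
        # Require all denied
    </Files>
</Directory>
```

A quick check after restarting Apache is to request one of the include files directly and confirm the server answers 403 rather than the file contents.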