PEAK XOOPS - Protector Queries X 3 
Protector Queries X 3
- You cannot open a new topic into this forum
- Guests cannot post into this forum
Previous post
-
Next post
|
Parent
-
Children.1
|
Posted on 2005/1/2 1:00
tedsmith
Posts: 64
Posts: 64
I have just installed Protector having read much of GIJOEs comments about security - thanks for making me aware GIJOE.
I have a couple of questions...
Firstly, it says :
"Turn "Protector block" on and put the block top of left side by blocks admin."
How do I do that? Is it necessary?
Secondly, the ReadMe talks about permissions as follows :
"Turn the block's permission on to all groups by groups admin. You can do that easily by using Blocks&Groups Admin of Protector."
Can I confirm that it means I have to ALLOW access by my user groups to the module? Currently, I have set all of my user groups to have access to 'Protector' but not 'Xoops Protector Module Access rights' or 'Xoops Protector Module Admin rights'. Is this correct?
Thirdly, I have set the rescue password, and then I saw the 'Check if Protector Works Well' in Security Advisory. However, I hover the mouse over it and nothing happens - it just appears to be text. Is this correct or is it a bug or something?
I'd really appreciate help with these three things for clarification. Thanks
Ted
I have a couple of questions...
Firstly, it says :
"Turn "Protector block" on and put the block top of left side by blocks admin."
How do I do that? Is it necessary?
Secondly, the ReadMe talks about permissions as follows :
"Turn the block's permission on to all groups by groups admin. You can do that easily by using Blocks&Groups Admin of Protector."
Can I confirm that it means I have to ALLOW access by my user groups to the module? Currently, I have set all of my user groups to have access to 'Protector' but not 'Xoops Protector Module Access rights' or 'Xoops Protector Module Admin rights'. Is this correct?
Thirdly, I have set the rescue password, and then I saw the 'Check if Protector Works Well' in Security Advisory. However, I hover the mouse over it and nothing happens - it just appears to be text. Is this correct or is it a bug or something?
I'd really appreciate help with these three things for clarification. Thanks
Ted
Votes:1
Average:0.00
GIJOE
Posts: 4110
Posts: 4110
hi Ted.
Quote:Since this module has myblocksadmin, it is too easy to do so.
- Go to blocks&groups in Protector's admin.
- On the top half, click left in Side, set 0 in Weight, and submit.
- On the bottom harf, click All, then submit.
That's all.
Quote:
It sounds a problem of browser specific.
At least, IE5, IE6, Opera displays well.
Quote:
Firstly, it says :
"Turn "Protector block" on and put the block top of left side by blocks admin."
How do I do that? Is it necessary?
Secondly, the ReadMe talks about permissions as follows :
"Turn the block's permission on to all groups by groups admin. You can do that easily by using Blocks&Groups Admin of Protector."
- Go to blocks&groups in Protector's admin.
- On the top half, click left in Side, set 0 in Weight, and submit.
- On the bottom harf, click All, then submit.
That's all.
Quote:
Thirdly, I have set the rescue password, and then I saw the 'Check if Protector Works Well' in Security Advisory. However, I hover the mouse over it and nothing happens - it just appears to be text. Is this correct or is it a bug or something?
It sounds a problem of browser specific.
At least, IE5, IE6, Opera displays well.
Votes:1
Average:10.00
tedsmith
Posts: 64
Posts: 64
Thanks again for your help GIJOE.
I found the answer to this in the end - originally I had set my 'password for rescue' using FireFox. However, FireFox perhaps did not handle it properly because in the end I accessed the module admin using IE and set the password again. After that, it worked great, and the links showed up properly and I was able to test everything so I am now safe! Hooray!
I found the answer to this in the end - originally I had set my 'password for rescue' using FireFox. However, FireFox perhaps did not handle it properly because in the end I accessed the module admin using IE and set the password again. After that, it worked great, and the links showed up properly and I was able to test everything so I am now safe! Hooray!
Votes:1
Average:10.00
brashquido
Posts: 18
Posts: 18
Hi GIJOE,
Sorry for being a pain in the butt, but I want to be 100% clear here. My site was hacked last week with an SQL injection attack (hence why I'm installing protector) and I am really wanting to make sure I have this totally correct.
Quote:
When setting the permissions for Protector, is it necessary to select ALL, or can you just select the protector block for each group (apart from webmaster which should have all access).
I suppose my question is are there any security issues with granting all permissions as it would give the module admin permission to all users, and if so what are the minimum permissions needed to have protector work?
Also, do you need to set the proctor block to be displayed on all pages, or is just having it on the top page enough? Just thinking for visitors not entering via the front page might not go through protector otherwise.
Sorry for being a pain in the butt, but I want to be 100% clear here. My site was hacked last week with an SQL injection attack (hence why I'm installing protector) and I am really wanting to make sure I have this totally correct.
Quote:
GIJOE wrote:
- Go to blocks&groups in Protector's admin.
- On the top half, click left in Side, set 0 in Weight, and submit.
- On the bottom harf, click All, then submit.
That's all.
When setting the permissions for Protector, is it necessary to select ALL, or can you just select the protector block for each group (apart from webmaster which should have all access).
I suppose my question is are there any security issues with granting all permissions as it would give the module admin permission to all users, and if so what are the minimum permissions needed to have protector work?
Also, do you need to set the proctor block to be displayed on all pages, or is just having it on the top page enough? Just thinking for visitors not entering via the front page might not go through protector otherwise.
Votes:1
Average:0.00
jseymour
From: Gainesville Florida, USA
Posts: 40
From: Gainesville Florida, USA
Posts: 40
I'll just drop this quick tip, the users need module access rights, no need for module admin rights exept for webmaster. 
Good luck in setting up brash, and if it does stop an attack on your site please post the details.
Good luck in setting up brash, and if it does stop an attack on your site please post the details.
Votes:1
Average:0.00
brashquido
Posts: 18
Posts: 18
Ok, just answered my first question. Clicking the ALL button doesn't actually select all the permissions, only the required ones. Perhaps if that button was renamed to something like 'Recommended Permissions' it would be a bit clearer.
I'll try and do some testing regarding my second question
I'll try and do some testing regarding my second question
Votes:0
Average:0.00
GIJOE
Posts: 4110
Posts: 4110
hi brash.
Quote:The reason why the button is named 'ALL' is caused by language problem.
There are no proper constants like "Recommended" in language/(language)/global.php
Although I've just read your post in www.xoops.org , I don't think it is the result of SQL Injection attack.
Usually, crackers try to get the password by SQL Injection.
It is not so interesting for crackers to duplicate some records, I guess.
Anyway, you'd better check the access log.
finding /* is good way.
*/
Quote:
Ok, just answered my first question. Clicking the ALL button doesn't actually select all the permissions, only the required ones. Perhaps if that button was renamed to something like 'Recommended Permissions' it would be a bit clearer.
There are no proper constants like "Recommended" in language/(language)/global.php
Although I've just read your post in www.xoops.org , I don't think it is the result of SQL Injection attack.
Usually, crackers try to get the password by SQL Injection.
It is not so interesting for crackers to duplicate some records, I guess.
Anyway, you'd better check the access log.
finding /* is good way.
*/
Votes:1
Average:0.00
Previous post
-
Next post
|
Parent
-
No child
|
Posted on 2005/1/5 11:55
jseymour
From: Gainesville Florida, USA
Posts: 40
From: Gainesville Florida, USA
Posts: 40
Yes the block should be set to visible to all pages.
Votes:1
Average:0.00
GIJOE
Posts: 4110
Posts: 4110
Quote:There are no need module access rights.
Only block access rights is necessary.
But it does not matter if this is set as on or off.
"modules access rights" for Protector has non sense.
Then all you have to do is click 'All'.
It'll makes the recommended setting automatically.
jseymour wrote:
I'll just drop this quick tip, the users need module access rights, no need for module admin rights exept for webmaster.
Only block access rights is necessary.
But it does not matter if this is set as on or off.
"modules access rights" for Protector has non sense.
Then all you have to do is click 'All'.
It'll makes the recommended setting automatically.
Votes:0
Average:0.00
Login