Hi All,
Great module, don't know why I hadn't looked at this before. Just wanting to verify something from under the Security Advisory page. It says the 'XOOPS_DB_PREFIX' of 'xoops' is not secure, and I was just wondering what we should be looking at changing this to so as to secure this? Thanks for your help.
After install it is hard to change, as I understand it. Ideally just anything nonstandard. Any cracker that knows XOOPS knows that the prefix by default is xoops_. It just gives him something else to guess.
I was thinking as much. I suppose an alpha-numeric combination of half a dozen or so characters with upper and lowercase should be sufficient? I suppose my real question is how far you should go before you consider yourself secure? Is half a dozen characters enough, should it be more?
Indeed. I would expect that 6 chars combined with upper\lower\grammar text would be quite sufficient - you'd have to have a good cracker to get round that.
My question is how do you change that prefix? Mine says xoops, and I remember being asked during set-up, but can you change it afterwards and if so how?
I'll implement the feature of changing XOOPS_DB_PREFIX into Protector.
But if you want immediately, try Marijuana's method.
* Marijuana: the Author of ORETEKI XOOPS instead of bad drugs
how to change XOOPS_DB_PREFIX:
Don't forget to back up the database and mainfile.php before these operations.
- save this as pre_change.php
- put it in the same place as mainfile.php
- chmod 777 mainfile.php
- access XOOPS_URL/pre_change.php
- change it
- delete pre_change.php from the server (important!)
- chmod 444 mainfile.php
<?php
// pre_change.php: rename every table of this site to a new prefix and update mainfile.php.
// Delete this file from the server as soon as the change has been made.
include 'mainfile.php';

// Added check: only a logged-in member of the administrators group may run this script.
if ( !is_object($xoopsUser) || !in_array(XOOPS_GROUP_ADMIN, $xoopsUser->getGroups()) ) {
    exit('administrator login required');
}
if ( !is_writable(XOOPS_ROOT_PATH.'/mainfile.php') ) {
    exit('mainfile.php is not writable');
}
if ( empty($_POST['submit']) ) {
    // first visit: show the form with the current prefix filled in
    include XOOPS_ROOT_PATH.'/class/xoopsformloader.php';
    $sform = new XoopsThemeForm("Changing XOOPS_DB_PREFIX", "prefixform", xoops_getenv('PHP_SELF'));
    $sform->addElement(new XoopsFormText("PREFIX", 'prefix', 50, 80, XOOPS_DB_PREFIX), true);
    $sform->addElement(new XoopsFormHidden("oldname", XOOPS_DB_PREFIX));
    $sform->addElement(new XoopsFormButton('', 'submit', 'change', 'submit'));
    $shtml = $sform->render();
} else {
    // The new prefix is written into SQL identifiers and into mainfile.php,
    // so accept only a plain identifier: a letter followed by letters and digits.
    $newprefix = isset($_POST['prefix']) ? $_POST['prefix'] : '';
    if ( !preg_match('/^[A-Za-z][A-Za-z0-9]{0,31}$/', $newprefix) ) {
        exit('prefix must start with a letter and contain only letters and digits');
    }
    // Use the constant as the old prefix rather than trusting the hidden form field.
    $oldprefix = XOOPS_DB_PREFIX;
    $shtml = '<h4 style="text-align:left">Changing XOOPS_DB_PREFIX '.XOOPS_DB_NAME.'</h4>';
    $shtml.= '<table class="outer" width="100%" cellpadding="4" cellspacing="1">';
    $shtml.= '<tr align="center"><th>From</th><th>To</th></tr>';
    // rename the tables
    $local_query = 'SHOW TABLE STATUS FROM '.XOOPS_DB_NAME;
    $result = $xoopsDB->queryF($local_query);
    $count = 0;
    if ( $xoopsDB->getRowsNum($result) ) {
        while ( $row = $xoopsDB->fetchArray($result) ) {
            // Only tables that start with the old prefix belong to this site;
            // renaming any other table to its own name would fail anyway.
            if ( strpos($row['Name'], $oldprefix.'_') !== 0 ) {
                continue;
            }
            $class = ($count % 2 == 0) ? 'even' : 'odd';
            $count++;
            // Replace the prefix at the start of the name only, not every occurrence of it.
            $newtable = $newprefix.substr($row['Name'], strlen($oldprefix));
            $sql = 'RENAME TABLE `'.$row['Name'].'` TO `'.$newtable.'`';
            $ret = $xoopsDB->queryF($sql);
            if ( $ret ) {
                $shtml.= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>'.$newtable.'</td></tr>';
            } else {
                $shtml.= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>Failed. sorry...</td></tr>';
            }
        }
    }
    $shtml.= '</table>';
    $shtml.= '<div><a href="'.XOOPS_URL.'/">return to Top</a></div>';
    // modifying mainfile.php: change only the quoted value on the XOOPS_DB_PREFIX line
    $main = file(XOOPS_ROOT_PATH.'/mainfile.php');
    $buf = array();
    foreach ( $main as $val ) {
        if ( strpos($val, 'XOOPS_DB_PREFIX') !== false ) {
            $buf[] = str_replace(array("'".$oldprefix."'", '"'.$oldprefix.'"'),
                                 array("'".$newprefix."'", '"'.$newprefix.'"'), $val);
        } else {
            $buf[] = $val;
        }
    }
    if ( !$fp = fopen(XOOPS_ROOT_PATH.'/mainfile.php', "wb") ) {
        echo "writing mainfile.php failed. please edit manually";
    } else {
        fwrite($fp, implode("", $buf));
        fclose($fp);
    }
}
include XOOPS_ROOT_PATH.'/header.php';
echo $shtml;
include XOOPS_ROOT_PATH.'/footer.php';
?>
Looks a little too complex for me, so I will wait until you implement it into your Protector module - there's no urgency for me because I doubt my site will be victim to a hacker anyway - it's just a site about dogs!
Thanks for your help GIJOE.
Hi GIJOE,
The above script does not enclose the database name in backquotes (``) when showing the status. This will cause the script to fail in some instances (such as where the database name is numeric). I have altered the script so that it does this, and also added code so that all the SQL commands are dumped to the screen using the XoopsLogger.
<?php
// pre_change.php (modified): rename every table of this site to a new prefix and update
// mainfile.php, then dump all SQL that was run. Delete this file as soon as you are done.
include 'mainfile.php';

// Added check: only a logged-in member of the administrators group may run this script.
if ( !is_object($xoopsUser) || !in_array(XOOPS_GROUP_ADMIN, $xoopsUser->getGroups()) ) {
    exit('administrator login required');
}
if ( !is_writable(XOOPS_ROOT_PATH.'/mainfile.php') ) {
    exit('mainfile.php is not writable');
}
if ( empty($_POST['submit']) ) {
    // first visit: show the form with the current prefix filled in
    include XOOPS_ROOT_PATH.'/class/xoopsformloader.php';
    $sform = new XoopsThemeForm("Changing XOOPS_DB_PREFIX", "prefixform", xoops_getenv('PHP_SELF'));
    $sform->addElement(new XoopsFormText("PREFIX", 'prefix', 50, 80, XOOPS_DB_PREFIX), true);
    $sform->addElement(new XoopsFormHidden("oldname", XOOPS_DB_PREFIX));
    $sform->addElement(new XoopsFormButton('', 'submit', 'change', 'submit'));
    $shtml = $sform->render();
} else {
    // The new prefix is written into SQL identifiers and into mainfile.php,
    // so accept only a plain identifier: a letter followed by letters and digits.
    $newprefix = isset($_POST['prefix']) ? $_POST['prefix'] : '';
    if ( !preg_match('/^[A-Za-z][A-Za-z0-9]{0,31}$/', $newprefix) ) {
        exit('prefix must start with a letter and contain only letters and digits');
    }
    // Use the constant as the old prefix rather than trusting the hidden form field.
    $oldprefix = XOOPS_DB_PREFIX;
    $shtml = '<h4 style="text-align:left">Changing XOOPS_DB_PREFIX '.XOOPS_DB_NAME.'</h4>';
    $shtml.= '<table class="outer" width="100%" cellpadding="4" cellspacing="1">';
    $shtml.= '<tr align="center"><th>From</th><th>To</th></tr>';
    // rename the tables; the database name is backquoted so a numeric name works too
    $local_query = 'SHOW TABLE STATUS FROM `'.XOOPS_DB_NAME.'`';
    $result = $xoopsDB->queryF($local_query);
    $count = 0;
    if ( $xoopsDB->getRowsNum($result) ) {
        while ( $row = $xoopsDB->fetchArray($result) ) {
            // Only tables that start with the old prefix belong to this site;
            // renaming any other table to its own name would fail anyway.
            if ( strpos($row['Name'], $oldprefix.'_') !== 0 ) {
                continue;
            }
            $class = ($count % 2 == 0) ? 'even' : 'odd';
            $count++;
            // Replace the prefix at the start of the name only, not every occurrence of it.
            $newtable = $newprefix.substr($row['Name'], strlen($oldprefix));
            $sql = 'RENAME TABLE `'.$row['Name'].'` TO `'.$newtable.'`';
            $ret = $xoopsDB->queryF($sql);
            if ( $ret ) {
                $shtml.= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>'.$newtable.'</td></tr>';
            } else {
                $shtml.= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>Failed. sorry...</td></tr>';
            }
        }
    }
    $shtml.= '</table>';
    $shtml.= '<div><a href="'.XOOPS_URL.'/">return to Top</a></div>';
    // modifying mainfile.php: change only the quoted value on the XOOPS_DB_PREFIX line
    $main = file(XOOPS_ROOT_PATH.'/mainfile.php');
    $buf = array();
    foreach ( $main as $val ) {
        if ( strpos($val, 'XOOPS_DB_PREFIX') !== false ) {
            $buf[] = str_replace(array("'".$oldprefix."'", '"'.$oldprefix.'"'),
                                 array("'".$newprefix."'", '"'.$newprefix.'"'), $val);
        } else {
            $buf[] = $val;
        }
    }
    if ( !$fp = fopen(XOOPS_ROOT_PATH.'/mainfile.php', "wb") ) {
        echo "writing mainfile.php failed. please edit manually";
    } else {
        fwrite($fp, implode("", $buf));
        fclose($fp);
    }
}
include XOOPS_ROOT_PATH.'/header.php';
echo $shtml;
include XOOPS_ROOT_PATH.'/footer.php';
// dump every SQL statement the page ran, so the renames can be reviewed
echo $GLOBALS['xoopsLogger']->dumpAll();
?>
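A dry run of the two steps the scripts above perform (renaming the tables, rewriting the define in mainfile.php), written for this thread as an added example; it is not GIJOE's or brash's script and not Protector code, and it works on constructed table names and a constructed mainfile.php fragment so no database is touched. It shows the cases a plain str_replace gets wrong: a table that only contains the prefix further along its name, a table that does not carry the prefix at all, and a one-letter prefix that also occurs inside the word "define".

```php
<?php
// Added example: plan a XOOPS_DB_PREFIX change on constructed data, no DB needed.

// The prefix ends up inside SQL identifiers and inside mainfile.php, so it must be
// a plain identifier: a letter first, then letters and digits, kept short for MySQL.
function validPrefix(string $p): bool {
    return preg_match('/^[A-Za-z][A-Za-z0-9]{0,31}$/', $p) === 1;
}

// Plan the RENAME TABLE statements. Only tables starting with "<old>_" belong to this
// site, and the prefix is replaced at the start of the name only, not every occurrence.
function planRenames(array $tables, string $old, string $new): array {
    $plan = [];
    foreach ($tables as $t) {
        if (strpos($t, $old . '_') !== 0) {
            continue;                         // foreign table: leave it alone
        }
        $target = $new . substr($t, strlen($old));
        $plan[$t] = sprintf('RENAME TABLE `%s` TO `%s`', $t, $target);
    }
    return $plan;
}

// Rewrite only the quoted value of the XOOPS_DB_PREFIX define. A naive replace of the
// old prefix anywhere on the line would also hit "define" when the prefix is, say, "e".
function rewriteMainfile(string $src, string $old, string $new): string {
    $pattern = "/^(\s*define\s*\(\s*(['\"])XOOPS_DB_PREFIX\\2\s*,\s*)(['\"])"
             . preg_quote($old, '/') . "\\3/m";
    return preg_replace($pattern, '${1}${3}' . $new . '${3}', $src);
}

// Constructed sample: three site tables, one foreign table, two define() lines.
$tables   = ['xoops_users', 'xoops_config', 'xoops_xoops_log', 'wordpress_posts'];
$mainfile = "<?php\ndefine('XOOPS_DB_PREFIX', 'xoops');\ndefine('XOOPS_DB_NAME', 'xoopsdb');\n";

$newPrefix = 'k7Qz';                          // constructed replacement prefix
if (!validPrefix($newPrefix)) {
    exit("bad prefix\n");
}
foreach (planRenames($tables, 'xoops', $newPrefix) as $sql) {
    echo $sql, "\n";     // wordpress_posts is skipped; xoops_xoops_log becomes k7Qz_xoops_log
}
echo rewriteMainfile($mainfile, 'xoops', $newPrefix);   // only the PREFIX line changes
```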
hi brash.
Thank you for modifying it.
Since the script was not made by me, I didn't check it well.
All I did was translate it from Japanese to English.
Anyway, changing XOOPS_DB_PREFIX is quite useful for you.
Almost all SQL injections can be prevented by changing the prefix to a randomized word.
No worries GIJOE. I used the script last night, and everything went well. I now have ok against all five points under the security advisor page in Protector.
Now, Protector 2.3 has "DB_PREFIX" manager.
You can copy or delete tables with multi-prefix.
Try it.
i'm very new to PHP and SQL and am having a bit of trouble understanding how to use 'protector' to change the database prefix. what i did was 'copy' the current XOOP database with another name (4 characters). i did not edit 'mainfile.php' yet. that seemed to go well, but when i use phpMyAdmin to verify that the new database was created, it isn't there -- only the old database is there.
what is my little brain missing?
Databases
|
|-- foo ------ (tables in foo)
|
|-- bar ------ (tables in bar)
|
|-- yourdb --- Tables
                 |
                 |-- xoops_users
                 |-- xoops_configs
                 |-- xoops_...
                 |-- (newprefix)_users
                 |-- (newprefix)_configs
                 |-- (newprefix)_...
The (newprefix)_ tables were created by the copy in the prefix manager.
Do you understand?