PEAK XOOPS - XOOPS_TRUST_PATH in englishin japanese

Archive | RSS |
Poster : GIJOE on 2006-05-14 05:21:28 (65386 reads)

in englishin japanese
XOOPS_TRUST_PATH is an important concept not only for D3 but also for the security of XOOPS.

"XOOPS_TRUST_PATH" is a constant defined in mainfile.php.


Note that the directory should be out of DocumentRoot of your httpd.

Generally, php files but "entrance" should be placed out of DocumentRoot.
If php files for included from some other php files is accessable directly, it might be security holes.

The worst example is Agenda-X.
This vulnerability cause a server in down.

Of course, I put .htaccess some folders for denying direct access.
But there are many servers enable to put .htaccess.

Thus I suggest a constant XOOPS_TRUST_PATH specifying the path of file tree out of DocumentRoot.

This is my plan.

- html (inside DocumentRoot)
---- kernel
---- class
---- include
---- modules
-------- forum   (D3 module instantce. you can name it as you like)
---- templates_c (deprecated)
---- cache (deprecated)
---- uploads    (avatar, smiley, ranks etc.)

- xoops_trust_path (out of DocumentRoot)
---- modules
-------- d3forum   (D3 module class)
---- uploads    (attachments etc.)
---- wraps      (wraps module use it)
---- templates_c
---- cache
---- fullcache  (FCH use it)

XOOPS_TRUST_PATH is named by minahito.
I feel this name "TRUST" sounds good for the concept.


Related articles
Printer friendly page Send this story to a friend

Comments list

Username or e-mail:


Remember Me

Lost Password?

Register now!