xoops.org (Mamba) annouces a news.
Security : Protector Security Fix for XOOPS 2.0.x and 2.2.x users
I can say it is a non-sense report then just ignore it.
(Inside XOOPS_TRUST_PATH LFI )
There are many Web applications structured with both public codes (inside DocumentRoot) and private codes (outside of DocumentRoot).
You know such applications have better structures than older applications like XOOPS.
If someone put private codes inside DocumentRoot and accesses private codes via httpd directly, there looks a lot of security problems.
But, none send such a stupid report.
Because all security experts know the meaning of inside/outside DocumentRoot well.
XOOPS_TRUST_PATH must be placed outside of DocumentRoot.
This is an important principal.
This news reveals the members of xoops.org don't know the basic of the security at all.
On the other hand, the developpers of ImpressCMS know the meaning of XOOPS_TRUST_PATH well.
eg) ImpressCMS stores a file for "DB password etc." under XOOPS_TRUST_PATH.
This is my conclusion:
Choose ImpressCMS rather than a CMS named XOOPS from xoops.org.
hi nitinshah12
Quote:
As a user of xoops what I would like to know is since my webhost does not allow creating folder outside rootfolder, what according to you should i do to fix this issue.
Just "create"?
If you mean create/read, it might be the open_basedir restriction.
Then you have to make XOOPS_TRUST_PATH inside your "rootfolder" (DocumentRoot) then put .htaccess "DENY FROM ALL".
You can check whether the .htaccess works fine via Protector's "Security Advisory".
Normally, you will get 403 error.
This means OK.
If your host disallows (not ignores) .htaccess, then you will get 500 error (Internal Server Error).
It is OK also.
As a user of xoops what I would like to know is since my webhost does not allow creating folder outside rootfolder, what according to you should i do to fix this issue.
// Validates $xoopsConfig['language'] in case xoops_lib is located inside webroot
$language = empty($xoopsConfig['language']) ? "english" : preg_replace("/[^a-z0-9_\-]/i", "", $xoopsConfig['language']);
if( ! defined( 'XOOPS_TRUST_PATH' ) ) exit ;
However, some of our users don't have the ability to do it due to their host.