Protector Security Problem?
Date 2008-11-29 04:45:23 | Category: XOOPS
|
 
xoops.org (Mamba) annouces a news.
Security : Protector Security Fix for XOOPS 2.0.x and 2.2.x users
I can say it is a non-sense report then just ignore it.
(Inside XOOPS_TRUST_PATH LFI  )
There are many Web applications structured with both public codes (inside DocumentRoot) and private codes (outside of DocumentRoot).
You know such applications have better structures than older applications like XOOPS.
If someone put private codes inside DocumentRoot and accesses private codes via httpd directly, there looks a lot of security problems.
But, none send such a stupid report.
Because all security experts know the meaning of inside/outside DocumentRoot well.
XOOPS_TRUST_PATH must be placed outside of DocumentRoot.
This is an important principal.
This news reveals the members of xoops.org don't know the basic of the security at all. 
On the other hand, the developpers of ImpressCMS know the meaning of XOOPS_TRUST_PATH well. 
eg) ImpressCMS stores a file for "DB password etc." under XOOPS_TRUST_PATH.
This is my conclusion:
Choose ImpressCMS rather than a CMS named XOOPS from xoops.org.
|
|