SnippetMaster Support Forums
Return to main website
  		May 16, 2012, 03:05:48 PM
* Show unread posts since last visit.
* Show new replies to your posts.
Welcome, Guest. Please login or register.
Did you miss your activation email?
May 16, 2012, 03:05:48 PM

Login with username, password and session length
Search:  
Advanced search
* Home Help Search Login Register
SnippetMaster Support Forums  |  General  |  Installation Issues  |  Topic: .html files uploaded by snippetmaster are not publicly viewable? « previous next »
Pages: [1] Print
Author Topic: .html files uploaded by snippetmaster are not publicly viewable?  (Read 1110 times)
radloffe

Posts: 5
[-] .html files uploaded by snippetmaster are not publicly viewable?
« on: May 27, 2006, 11:10:27 AM »
Hello Smile,  I have just installed snippetmaster and enabled the PRO license key on a Windows Small Business Server 2003 running IIS 6.x (PHP 5.1.2).  I have managed to get the file permissions to the point where snippetmaster itself is secured from public access, but it allows existing webpages to be edited and saved, and those changes are then viewable by the public.  HOWEVER... when I upload a new .html file into the public web root directory, the file uploads successfully, but is not automatically assigned to the user IUSR,  so it is viewable to internal users who have logged in, but not public anonymous/internet users. 

I have a hunch this is this becuase I have SSL-secured and password-protected the snippetmaster folders and subdirectories under domain user access only, which means that when snippetmaster is running it is not running under the anonymous user privilages of IUSR.  Is there a way I can secure the snippetmaster folders from public view and still give snippetmaster itself the ability to create new publicly-viewable files? The main thing I'm trying to accomplish is to prevent a hacker from guessing and entering a URL to display the password file.  OR... is the ioncube encoding sufficiently strong to prevent that from being an issue (am I over-securing)?

Thanks Smile,
Radloffe
Report to moderator   Logged
admin
Forum Administrator
*
Posts: 3069

SnippetMaster Author


WWW
[-] Re: .html files uploaded by snippetmaster are not publicly viewable?
« Reply #1 on: May 27, 2006, 11:21:26 AM »
Hello,

Your description of the problem sounds correct.  If the "user" that is running PHP is not assigning public read permissions to uploaded files, then you'll need to adjust either the user or php so that uploaded files are given public read permissions.

To address your concerns regarding security:

[1] The user password file is the "users.php" file which is a file inside your database folder.  If you look at your database folder, you'll see how it works.

[2] The passwords are encrypted.

[3] I think your best solution is to create your database folder so that it is "outside" the web root. This means it is not accessible with a browser, and someone would need to actually hack your server, fine and get to the file (in an known location), and then decrypt the passwords.  (In which case, getting to the users.php file is likely the least of your worries.)

[4] If you want to implement additional security around the snippetmaster program files, you can use something like .htaccess authentication or the IIS equivalent, which is built-in authentication system to access any files in specified folders.  (Put an .htaccess authentication requirement into the database folder.)

I have not received any reports of security related issues with snippetmaster, and security is always something I think about when programming and designing the system.

Smile
Report to moderator   Logged
Pages: [1] Print 
SnippetMaster Support Forums  |  General  |  Installation Issues  |  Topic: .html files uploaded by snippetmaster are not publicly viewable? « previous next »
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines Valid XHTML 1.0! Valid CSS!