
Hardening the xF installation

Discussion in 'XenForo Questions and Support' started by psTubble27, Feb 10, 2012.

  1. psTubble27

    psTubble27 Well-Known Member

    Is there a thread that deals with the question of hardening your xF installation?

    Specifically, I mean whether we should do anything regarding:
    - the /install directory
    - the /data and /internal_data directories
    - correctly using robots.txt (if at all)
    - correctly using .htaccess (if at all)
    - potential ways to harden admin.php
  2. Brogan

    Brogan XenForo Moderator Staff Member

  3. digitalpoint

    digitalpoint Well-Known Member

    Another thing that wouldn't be a bad idea is to disallow PHP from executing from within your data folder. In theory PHP files should never get in there, but it's just something my paranoid self does... if the web server is somehow exploited, it has permission to write files to that directory... I would really not like someone being able to inject PHP files into my web server that they could then turn around and use/run.

    Again... totally a paranoia thing, but better to disallow PHP running from there before someone finds an exploit for your web server, rather than wish you did after.
  4. Rigel Kentaurus

    Rigel Kentaurus Well-Known Member

    I don't think it's paranoia, it's common sense. If you can have that directory off the webserver, that's the best way to go.

    That couldn't be the default because of all the people running on shared hosts that pretty much only have the web server directory, but if you have the whole HD at your disposal, doing that is a really good idea. I moved mine just after /home, not reachable by the web server at all.

    Then just change it in config.php: config['internalDataPath'].
  5. Rigel Kentaurus

    Rigel Kentaurus Well-Known Member

    For people who want maximum security, some recommendations are:
    • Use .htaccess to password-protect the install directory, the admin.php file and the internal_data directory
    • Password-protect the library directory (nothing in there gets called directly, always through the FrontController)
    • Delete the /install directory; it is not needed for anything, and on the next upgrade you will have a new one anyway
    • Move internal_data out of the web server directory

    Why do all of that?

    There might be a bug in one of the XenForo controllers, models or whatever; you don't want those files to be called directly.
    There might be a bug in the upload process which enables users to upload PHP files to the internal_data directory and then execute them.
    There might be a bug that gives a user access to the install script, and they could wipe your forum installation (it has happened to me before).

    Assuming the XenForo developers take care of everything (they are actually pretty good, and the package is rock solid), they are still humans, dealing with software, that is prone to bugs. And even assuming that XenForo were 100% perfect, you still have any addon you installed to worry about.
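The recommendations from the two posts above (digitalpoint's rule of never executing PHP from the data folder in post #3, and Rigel Kentaurus's list in post #5 plus the internalDataPath change from post #4), applied by one shell script. This is an added example and is not code from this thread or from XenForo. It assumes an Apache 2.4 webroot laid out like XenForo 1.x (config.php lives under library/), that AllowOverride lets .htaccess files set AuthConfig and Limit directives, and that an htpasswd file has already been created outside the webroot, for example with "htpasswd -cB /etc/xenforo/.htpasswd admin" (the /etc/xenforo/.htpasswd path is an assumption, overridable through the HTPASSWD_FILE environment variable). The script appends to existing .htaccess files rather than replacing them so XenForo's own rewrite rules survive.

```shell
#!/bin/sh
# harden_xf.sh: added example, not XenForo's code and not from anyone in the thread.
# Applies the thread's recommendations to an Apache 2.4 webroot:
#   1. refuse to serve or execute PHP-like files from data/ (uploads only)
#   2. HTTP Basic auth in front of admin.php, on top of the XenForo login
#   3. deny all direct web access to library/ (nothing in it is requested by URL)
#   4. delete install/ (a fresh one ships with the next upgrade anyway)
#   5. move internal_data/ outside the webroot and point config.php at it
# Assumptions: Apache 2.4 "Require" syntax, AllowOverride permitting AuthConfig
# and Limit, and an htpasswd file already created outside the webroot.
set -eu

HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/xenforo/.htpasswd}"   # assumed location

# 1. Upload directories only ever hold user content; a script that lands there
#    (upload bug, compromised web server) must not be runnable via the web.
deny_php_in() {
cat >> "$1/.htaccess" <<'EOF'

# Uploaded content only: never serve or execute scripts from this directory
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# 3. A directory that is never requested directly gets no web access at all
#    (stronger than the password protection suggested in the thread).
deny_all_in() {
cat >> "$1/.htaccess" <<'EOF'

# Only reached through the FrontController, never by URL
Require all denied
EOF
}

# 2. Second password in front of the admin control panel. Appended to the
#    webroot .htaccess so the existing rewrite rules are kept.
protect_admin() {
cat >> "$1/.htaccess" <<EOF

# HTTP Basic auth for the admin control panel
<Files "admin.php">
    AuthType Basic
    AuthName "XenForo admin"
    AuthUserFile $HTPASSWD_FILE
    Require valid-user
</Files>
EOF
}

# 5. internal_data holds full-size attachments and temp files that XenForo
#    serves through PHP, so it has no reason to be reachable by URL at all.
relocate_internal_data() {
    root="$1"; dest="$2"
    mv "$root/internal_data" "$dest/internal_data"
    # XenForo 1.x reads this key from library/config.php (absolute paths are allowed)
    printf "\n\$config['internalDataPath'] = '%s/internal_data';\n" "$dest" \
        >> "$root/library/config.php"
}

# Apply all five steps. $1 = webroot, $2 = directory outside the webroot.
harden_xf() {
    root="$1"; dest="$2"
    rm -rf "$root/install"                 # 4. not needed between upgrades
    deny_php_in "$root/data"               # 1.
    deny_all_in "$root/library"            # 3.
    protect_admin "$root"                  # 2.
    relocate_internal_data "$root" "$dest" # 5.
}

# Usage: sh harden_xf.sh /var/www/forum /home/forum-private
if [ $# -ge 2 ]; then
    harden_xf "$1" "$2"
fi
```

The "Require all denied" form is Apache 2.4 syntax; on Apache 2.2, current when this thread was written, the equivalent is "Order deny,allow" followed by "Deny from all". nginx ignores .htaccess files entirely, so the same restrictions would have to be written into the server block. If PHP runs through mod_php, "php_flag engine off" in data/.htaccess is an alternative that switches the PHP engine off for that directory instead of refusing the request; the FilesMatch rule above also covers setups where PHP runs through php-fpm, because the request is denied before any handler sees it.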
  6. psTubble27

    psTubble27 Well-Known Member

  7. Ghan_04

    Ghan_04 Active Member

    I doubt that there is anything XenForo could do to stop this as a piece of software. There aren't a whole lot of details here, but it seems that if you can upload this file to the server and get it to execute as a PHP file, you could be in trouble. I'd be interested to see what this image can do to a server that is using suexec and suhosin.
  8. digitalpoint

    digitalpoint Well-Known Member
