Hardening the xF installation

P

psTubble27

Well-known member
Is there a thread that deals with the question of hardening your xF installation?

Specifically I mean, whether we should do anything regarding:
-the /install directory
-the /data and /internal_data directories
-correctly using robots.txt (if at all)
-correctly using .htaccess (if at all)
-potential ways to harden admin.php
-etc.
 
Sort by date Sort by votes
Another thing that wouldn't be a bad idea is to disallow PHP from executing from within your data folder. In theory PHP files should never get in there, but it's just something my paranoid self does... if the web server is somehow exploited, it has permissions to write files to that directory... Would really not like to have someone being able to inject PHP files to my web server that they could then turn around and use/run.

Again... totally a paranoia thing, but better to disallow PHP running from there before someone finds an exploit for your web server, rather than wish you did after.
 
Upvote 0 Downvote
digitalpoint said:
Another thing that wouldn't be a bad idea is to disallow PHP from executing from within your data folder. In theory PHP files should never get in there, but it's just something my paranoid self does... if the web server is somehow exploited, it has permissions to write files to that directory... Would really not like to have someone being able to inject PHP files to my web server that they could then turn around and use/run.

Again... totally a paranoia thing, but better to disallow PHP running from there before someone finds an exploit for your web server, rather than wish you did after.
Click to expand...

I don't think it's paranoia, it's common sense. If you can have that directory off the webserver, that's the best way to go.

That could not be the default because of all the people running on shared hosts that pretty much only have the webserver directory, but if you have the whole hd at your disposition doing that is a really good idea. I moved mine just after /home, not reachable by the webserver at all

Then just change it in config.php, config['internalDataPath']
 
Upvote 0 Downvote
For people that want maximum security, some recommendations are
  • .htaccess password protect the install directory, admin.php file, internal_data directory
  • Password protect the library directory (nothing there gets called directly, always through the FrontController)
  • Delete the /install directory, it is not needed for anything, and on the next upgrade you will have a new one anyway
Optional
  • Move internal_data out of the web server directory

Why do all of that?

There might be a bug in one of the XenForo controllers, models or whatever, you don't want those files to be called directly
There might be a bug with the upload process, which enables users to upload php files to the internal_data directory, and then execute them
There might be a bug that gives the user access to the install script, and they could wipe your forum installation (has happened to me before)

Assuming the XenForo developers take care of everything (they are actually pretty good, and the package is rock solid), they are still humans, dealing with software, that is prone to bugs. And even assuming that XenForo were 100% perfect, you still have any addon you installed to worry about.
 
Upvote 0 Downvote
I doubt that there is anything Xenforo could do to stop this as a piece of software. There aren't a whole lot of details here, but it seems that if you can upload this file to the server and get it to execute as a PHP file, you could be in trouble. I'd be interested to see what this image can do to a server that is using suexec and suhosin.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

C
XF 2.2 Installation of custom addon
Replies
3
Views
357
Jeremy P
Jeremy P
Miri
  • Solved
XF 2.2 I can't get the XF installation to start
Replies
17
Views
1K
Miri
Miri
Ferry
  • Solved
XF 2.2 Not importing attachments when migrating from XF to XF
Replies
6
Views
472
Ferry
Ferry
S
  • Question Question
XF 2.3 2.3 test install issues
Replies
5
Views
236
Jeremy P
Jeremy P
Dashmiel
  • Question Question
MG 2.2 Requested content cannot be loaded
Replies
4
Views
369
Jeremy P
Jeremy P
Top Bottom