ProjeQtOr free project management software - Security advises - ProjeQtOr
Security advises

27 May 2015 12:04 #1 by hippolyte78
Security advises was created by hippolyte78
Hello,
I just began using ProjeQtOr and I do not understand this security advice well:

Security advice:
- Set up the attachments directory and documents directory out of web access (outside the document_root of the web server)
This will prevent hackers from uploading a PHP file and executing it on your server ...

Does it mean that I must place some folders or files outside the httpdocs folder on my web server? In this case, which folders/files are these?
Could someone help me? I am a bit lost.
Thank you.

30 May 2015 23:00 #2 by babynus
Replied by babynus on topic Security advises

Does it mean that I must place some folders or files outside the httpdocs folder on my web server?

Yes :woohoo:

In this case, which folders/files are these?

Wherever you want :dry:
Just take care that the PHP user has write access to these folders.

Babynus
Administrator of ProjeQtOr web site

02 Jun 2015 11:38 #3 by hippolyte78
Replied by hippolyte78 on topic Security advises
Hello Babynus,
Thank you for your answer.
Excuse my naivety, I just want to be certain that I understand these security issues. For the moment on my server, all files are in a folder named Projeqtor placed in httpdocs. All works well, but if I understood correctly, this is not among best practices and could also be dangerous...
In the folder named "files" I can see another folder named "attach". Is it this folder that I have to put outside the folder httpdocs (I mean on my server at the same level as httpdocs)?
The security advice also mentions another directory, "documents", but I cannot see it in my files. Could you tell me where I can find it and whether I can also put it at the same level as httpdocs?
Thank you for your answers.

02 Jun 2015 12:07 #4 by babynus
Replied by babynus on topic Security advises
Let me explain the security leak if you keep your files in the htdocs folder:
  • A hacker can navigate to http://yourserver/projeqtor/files/attach/tryandguessfilename : if the hacker tries many values for "tryandguessfilename", he will possibly retrieve an attached file from your server. If this file is confidential, you may be in great trouble.
    This is a real issue as the hacker does not have to be connected to try all the URLs, and as ProjeQtOr is open source, the hacker can examine the source code to guess which names are given (formatting rule).
  • If a hacker (or some user with bad behavior) connects to your ProjeQtOr instance, he will try to upload some .php file, and then call it from a direct URL to do whatever he wants on your server (for instance delete all files, or retrieve the server password file).
    Fortunately, ProjeQtOr renames PHP files to avoid this leak, but not all executable files may be protected (recently, a leak has been fixed for files named .php4 and .php5 that can be interpreted as PHP files).
If files are out of the htdocs folder, they cannot be reached from a direct URL.

So now to your questions :

Is it this folder that I have to put outside the folder httpdocs (I mean on my server at the same level as httpdocs)?

Yes, but not only.
You should put out of web reach:
  • files/attach (where attached files are stored)
  • /files/config (you must move your parameter.php file out of the hacker's reach, because it contains your information to connect to the database)
    Notice that you'll then have to change the /tool/parametersLocation.php file
  • /files/cron (technical folder for automatic executions)
  • /files/documents (where document files are stored)
  • /files/logs (where log files are stored)
    A hacker would love to read your log files as they may contain very interesting information on your server
In fact you should only leave:
  • /files/reports (where images for reports are stored, and report HTML pages must have access to them)
  • thumbs (where thumb images are stored)
    This folder will be used more in V5 than it is in V4 ;)

The security advice also mentions another directory, "documents", but I cannot see it in my files

This folder will be created if you store Documents.
Or maybe you moved it somewhere else on first config.
Check the location as described in the Global Parameters screen.

I hope that was clear, and maybe these security hints may help others.

Babynus
Administrator of ProjeQtOr web site
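The following audit script is an added example, not ProjeQtOr's own code. It checks the two conditions from the post above for each moved directory: that it does not sit under the web server's document root (also catching a symlink left inside the document root that points outside it), and that it is still writable by the user running the script (run it as the PHP user). The docroot and directory paths in the usage line are placeholders.

```sh
#!/bin/sh
# Added audit helper (not ProjeQtOr's own code) for the advice in the post
# above: each storage directory should live outside the web server's
# DOCUMENT_ROOT and still be writable by the PHP user. Assumes POSIX sh.

# abspath MODE DIR: absolute path of DIR; MODE -P resolves symlinks,
# MODE -L keeps them (so a symlink inside the docroot is still caught).
abspath() { (cd "$2" 2>/dev/null && pwd "$1"); }

# is_under DOCROOT DIR: 0 if DIR (by physical or logical path) is DOCROOT
# or sits below it, 1 if it is outside, 2 if a path does not exist.
is_under() {
  for mode in -P -L; do
    parent=$(abspath "$mode" "$1") || return 2
    child=$(abspath "$mode" "$2") || return 2
    case "$child" in
      "$parent"|"$parent"/*) return 0 ;;
    esac
  done
  return 1
}

# audit_dir DOCROOT DIR: prints one verdict line; returns 0 only if DIR is
# outside the docroot, exists and is writable by the user running this.
audit_dir() {
  if is_under "$1" "$2"; then
    echo "EXPOSED  $2 (reachable under $1)"; return 1
  fi
  [ -d "$2" ] || { echo "MISSING  $2"; return 1; }
  [ -w "$2" ] || { echo "NOWRITE  $2 (PHP user cannot write)"; return 1; }
  echo "OK       $2"
}

# audit_instance DOCROOT DIR...: audit every directory given (the moved
# files/attach, files/config, files/cron, files/documents, files/logs);
# returns 1 if any of them fails.
audit_instance() {
  docroot=$1; shift; rc=0
  for d in "$@"; do audit_dir "$docroot" "$d" || rc=1; done
  return $rc
}

# Usage (placeholder paths; run as the PHP user, e.g. www-data):
# audit_instance /var/www/html /srv/projeqtor/attach /srv/projeqtor/config
```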

02 Jun 2015 12:34 #5 by hippolyte78
Replied by hippolyte78 on topic Security advises
Thank you a lot Babynus.
It is crystal clear :)

03 Jun 2015 08:36 #6 by hippolyte78
Replied by hippolyte78 on topic Security advises
Hello Babynus,
Just a last question about my ticket. I have done what you said above; all worked well and I was able to connect, but I first had an error message which told me that the logs file was invalid and that I had to check the file parameter. As the path was correct, I changed the loglevel (I put 1 instead of 2). Now the error message has disappeared, but I want to be sure that this change will not have some bad consequences I am not aware of.
Thank you for your answer.
