When it comes to security, it is always better to ask as all software has security issues :)
I do agree with you, there should be a stepped plan document for securing eZ. This could go from Low, Medium and High levels of security based on your needs, much like other software.
I would like to see it contain differing types of issues, such as server side, database and client issues and how to resolve them and be accessible to all skill levels.
eZ is a good tool, and I hope your planned implementation goes ahead, and I wish you luck with it.
Tony
Tony Wood : twitter.com/tonywood
Vision with Technology
Experts in eZ Publish consulting & development
We've fixed the exploit for #7348, the search exploit was already fixed and the url exploit is now fixed too.
The two other exploits are based on site setups and cannot be automatically fixed by eZ publish. However we will see if we can make the default setup more secure, ie a .htaccess file (if it can be done) and perhaps renamed .ini files. The setup and documentation will also be updated.
A new release with these fixes will come "pretty soon", and we will also release some patches for this.
Thanks Jan. It's nice to know that these problems have been addressed.
But, as already mentioned, it'd be great to have documentation easily available:
a) showing bug/vulnerability fixes
b) securing the default install more [which you have already addressed above]
Keep up the good work. eZ Systems really has a brilliant and unique Open Source product here, and I [and many others] really appreciate it and wish to see it grow more.
May I suggest a little Apache configuration addition? The php scripts have direct access to the settings files, so there is no need to allow web browser access.
<Directory /var/www/html/ezpublish-3.0-1/settings/>
    # Apache 2.x access-control syntax: refuse every browser request for the settings directory
    Order deny,allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
I'll drop this in the previously mentioned security discussion.
On virtual hosted sites I believe that the rewrite engine will grab everything anyway. But it's belts and braces, so it protects you should you mess up the config in some way.
Tony Wood : twitter.com/tonywood
Actually, why not in future releases put the settings directory outside of web root? I remember that with some other scripts (e.g. Phorum), there is one basic setting in webroot which points to the directory where the actual configuration can be found.
Karsten
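The two suggestions above (deny browser access to settings/, or move it outside the web root altogether) come down to one check: does the settings directory resolve to a location under the document root? The following is an added example, not code from the thread or from eZ Publish; the directory layout it builds in a temporary folder and the site.ini contents are constructed for the demonstration.

```python
"""Check whether a site's settings directory is reachable through the web root."""
import os
import tempfile
from pathlib import Path


def settings_exposed(docroot: str, settings_dir: str) -> bool:
    """True if settings_dir resolves (symlinks and '..' included) to a path inside docroot."""
    root = Path(docroot).resolve()
    settings = Path(settings_dir).resolve()
    return settings == root or root in settings.parents


def exposed_ini_files(docroot: str, settings_dir: str) -> list:
    """Return the .ini files (relative to docroot) a browser could request if the
    directory is under the web root and no Apache Deny rule protects it."""
    if not settings_exposed(docroot, settings_dir):
        return []
    root = Path(docroot).resolve()
    files = Path(settings_dir).resolve().rglob("*.ini")
    return sorted(p.relative_to(root).as_posix() for p in files)


def demo() -> tuple:
    """Build a constructed layout: one settings dir inside the web root, one outside."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "html", "ezpublish")
        inside = os.path.join(docroot, "settings")            # default eZ layout
        outside = os.path.join(tmp, "ezpublish-settings")     # Karsten's suggestion
        for d in (inside, outside):
            os.makedirs(d)
            # constructed sample content; a real site.ini holds DB credentials
            Path(d, "site.ini").write_text("[DatabaseSettings]\nPassword=constructed\n")
        # the third case points at the outside dir via '..', which resolve() normalises
        via_dotdot = os.path.join(docroot, "..", "..", "ezpublish-settings")
        return (
            settings_exposed(docroot, inside),
            settings_exposed(docroot, outside),
            settings_exposed(docroot, via_dotdot),
            exposed_ini_files(docroot, inside),
        )


if __name__ == "__main__":
    print(demo())
```

The first element of the result is the case the Apache snippet above guards against; the second and third are what moving the directory out of the web root buys you.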