One of my concerns is this: Are the attacks secondary to upgrade to 2.2 or is it merely coincidental that it happened now and is just more an issue of server config?

I suspect that other content publication systems have similar server config risks as well, right? So, this is maybe just something that comes with the shared hosting approach?

Thanks, Mith, for your interest and response. Thanks for the unseen *others* who have taken part in this discussion, as well ...

@ skalpa

Quote:

I can switch providers easier than I can switch cms can you make some suggestions. It seems that permissions set to 777 are the real problems. So would switching providers be a solution?

The real solution will be to get XOOPS to run without any folders or files set to 777 wouldn't it ?

Quote:

See mithrandirs post. This is not possible and have any usability of your site. The host are in charge of directory permisions on their servers and it is up to them to secure them. Some are slow to do so do to compatibility with different web applications. Which is why on most shared servers register_globals as well as f_open are enabled. Disabling would cause problems for some applications and the host has to keep the group on the server happy, even if it means a less secure environment.

It seems to me that you are asking the world to change for XOOPS wouldn't be more correct to make XOOPS fit the world?
It's time to rethink templates_c.

Every CMS or web application has a folder that caches information to reduce queries and server load, as well as download times for the site visitor. Each of these applications require writing by the server to accomplish this. To accomplish this task the folder has to have permissions so that the user / which the server uses to write files has access for writing.

Template_c is not unique to XOOPS. Do a Google search for template_c you will find lots that use it and all are required to be written to by the server, so they are all chmod 777.

I am not saying there is not a better way, there is. A VPS (Virtual Private Server) or a dedicated server will fix these troubles. And the price of VPS hosting is getting pretty close to shared hosting prices now.

How often and when is templates_c written to?

Whenever a change on your site warrents it. Of course this depends on many things, as the type of changes, cache of the changes. Right now I have 130 files in template_c ranging in age from this past Tuesday to just a little less than an hour ago.

You sound like a politican. I am looking for specific information.

wardick: it's not that XOOPS doesn't fit the world, but that part of the world is taking advantage of that world's (and not just XOOPS's) loopholes.

Not having any data written to any phisical file is the only solution that fits your definition of the world, and that is the exact description of a static set of HTML pages. XOOPS is a dynamic content management system, so the concept alone means that data needs to be stored and retieved from files (getting them from the database is sooo much slower -it's why we have caching). And for that, the folder needs to be writable by the system. And that last part is where the XOOPS involvement ends.

Now, for a folder to be writable by a php script running on the server, the folder needs to be owned by the user that is running the script. As Mithy explained very clearly, the one running the script isn't always the same one who uploaded (and therefore owns) it. This is simply a fact of server and account management, and has nothing whatsoever to do with XOOPS. Some (most?) hosts have shared user accounts on a server, but is running a single Apache webserver. That saves a lot of system resources, but means that the apache server runs as a different user then the owner of the scripts. In most cases it's 'nobody'. However, in order for scripts to be able to write to a folder, the user 'nobody' needs to be able to write, and that means world writable (as nobody does not own the script files).

So, it's more an issue of the world being imperfect and flawed, and every script that writes somehting to a file has this same problem. And not an issue of XOOPS not fitting into the world, because then you'd put a ban on all php and asp and cmf and dynamic scripting languages that are interpreted.

Herko

B.S.