Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Re: How to begin setup installation
sarah,
Txp IS vulnerable to attacks like ALL software. I’ve been using it since its early beta stages and I did see sites which have been hacked successfully. A search in this forum will return such successful (or not) attempts. Such search will also reveal that a lot of the successful attacks was due to 3rd party software installed and Not due txp or its plugins. It will also reveal the serious interest of our developers regarding closing all security vulnerabilities.
Everybody here takes security seriously and I’m sure you do too BUT do you change your passwords regularly? Once a day/week/month/year? In all honesty I doubt that most people do.
Signs of hacked txp: Content not entered by user, extra code in parsed pages.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Offline
Re: How to begin setup installation
sarah wrote:
But what does “PHPxef” do for you, and how?
PHPXref is a resource for PHP programmers. It allows you to view the source behind Open Source projects like Textpattern.
Also, what are the signs that you site has been hacked?
The site doesn’t look the same, you notice something out of place, you can’t sign on, etc. Getting hacked takes on many variations, from a complete defacement to a nuisance link placed in a footer.
Keep in mind, as Colak points out, you’re as safe as your environment. Any other web app you may install, forums, galleries, calendars, etc., have to go through the same scrutiny as you have placed Textpattern through. On shared hosting accounts, one person getting hacked could bring others down also.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Offline
Re: How to begin setup installation
sarah wrote:
Els, hcgtv and Ruud, here are the sites referencing Textpatterns security bugs:
http://www.securityfocus.com/bid/27606/discuss
Textpattern is prone to multiple security vulnerabilities, including cross-site scripting issues, an HTML-injection issue, and a denial-of-service issue.
A successful exploit could allow an attacker to deny service to legitimate users, execute arbitrary HTML and script code in the context of the affected site, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible.
These issues affect Textpattern 4.0.5; other versions may also be vulnerable.
http://secunia.com/advisories/28793/
These vulnerabilities were all fixed in TXP 4.0.6 and renaming the textpattern directory wouldn’t increase security (not even by obscuring) if you were using TXP 4.0.5.
The only vulnerability that Secunia lists as not fixed is not a bug but a feature. You can use <script> tags in the body of an article. Anonymous visitors cannot publish articles.
Offline
#28 2009-08-14 18:09:58
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
colak wrote:
sarah, Txp IS vulnerable to attacks like ALL software. I’ve been using it since its early beta stages and I did see sites which have been hacked successfully. A search in this forum will return such successful (or not) attempts. Such search will also reveal that a lot of the successful attacks was due to 3rd party software installed and Not due txp or its plugins. It will also reveal the serious interest of our developers regarding closing all security vulnerabilities. Everybody here takes security seriously and I’m sure you do too BUT do you change your passwords regularly? Once a day/week/month/year? In all honesty I doubt that most people do. Signs of hacked txp: Content not entered by user, extra code in parsed pages.
Thanks for the info Colak.
Yes, my host provider advises that users change their passwords at least every 6 months, so that does increase site security.
Offline
#29 2009-08-14 18:18:02
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
HCGTV, in regards to the very helpful .htaccess code you’ve supplied for me on the previous page, one more question please:
During the installation of textpattern, once your username etc has been inputted, code is supplied for the index.php document.
Is there any way to make this even more secure?
Also, in regards to the .htaccess code you’ve supplied, may I ask where abouts exactly do I put this file?
When you install Textpattern, the folder setup you get is: textpattern 4.0.8 > textpattern>etc
Where abouts do I put the file, and do I need to delete the folder named “textpattern 4.0.8?
Thanks!
Last edited by sarah (2009-08-14 18:22:10)
Offline
Re: How to begin setup installation
sarah wrote:
Also, in regards to the .htaccess code you’ve supplied, may I ask where abouts exactly do I put this file?
The layout of a Textpattern install is:
/files
/images
/rpc
/textpattern
The .htaccess would go into /textpattern.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Offline
Re: How to begin setup installation
sarah wrote:
During the installation of textpattern, once your username etc has been inputted, code is supplied for the index.php document.
This goes in a config.php file not index.php.
Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker
Offline
#32 2009-08-14 20:36:00
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
hcgtv, thank you for the answer!
Offline
#33 2009-08-14 20:37:27
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
Mattd, you’re correct. I mixed up the config php file with the index php file- my bad!
Offline