eoCMS Designer
Posts: 1290
tbarkass_willamson@hotmail.com
Any way to solve this?

SQLite Problem. By putting the db in the root folder I can easily access all the posts/pms/users on the site, i.e.:
http://ecms.110mb.com/eocms_7drs

I'm assuming that in some cases where sites are using SQLite this could be a security risk. Is there any way to stop people viewing it? I know the '7drs' is randomly generated but I'm sure that given enough time someone could work that out...

James also experiences this problem with his site.
Last Edit: 6th May, 2009, 04:32:36 AM by TGPEG

Seen a bug? Report it!
eoCMS Developer
Posts: 1528
Re: Any way to solve this?

That's one problem that I can't fix. If you are on a host like 110mb.com, they offer a folder called unreadable which means only your scripts can access it. The only other way would be to use a .htaccess file in a folder and put the database in there, that way only the script can access it. This is not really a problem as such, I mean the name is completely random when the database is created so you are only at risk if you give the name away ;) but eoCMS can't do anything about it, I'm afraid.

Please do not PM me requesting support or anything, use the forums, thats what they are here for
eoCMS Designer
Posts: 1290
tbarkass_willamson@hotmail.com
Re: Any way to solve this?

Right... so you couldn't have eoCMS put the db in a folder with .htaccess file (assuming the installer checks to see if the server has .htaccess enabled first)?

Seen a bug? Report it!
eoCMS Developer
Posts: 1528
Re: Any way to solve this?

It could, but I don't think you can check if .htaccess is enabled using PHP, or at least I can't think of a way. It can check to see if .htaccess files are allowed on the server but that's about it, I think.

Moving to another board as this is not a bug
Last Edit: 6th May, 2009, 09:32:21 AM by confuser

Please do not PM me requesting support or anything, use the forums, thats what they are here for
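
One way an installer could act on the suggestion above (put the database in a folder with a .htaccess file, then confirm the server actually enforces it), as an added example that is not eoCMS code: it writes the deny rules, drops a probe file in the folder and tries to read it back over HTTP. The function names and the example.test URL are hypothetical, and the demo at the bottom uses simulated servers instead of real requests.

```php
<?php
// Added example; function names and the example.test URL are hypothetical, not eoCMS code.
// Deny all HTTP access to $dir (Apache 2.4 syntax, with the 2.2 form as fallback).
function write_deny_htaccess(string $dir): void
{
    $rules = "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n"
           . "<IfModule !mod_authz_core.c>\n  Order allow,deny\n  Deny from all\n</IfModule>\n";
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    if (file_put_contents("$dir/.htaccess", $rules) === false) {
        throw new RuntimeException("cannot write $dir/.htaccess");
    }
}

// Default fetcher: response body (any status code), or null if the request failed.
function http_fetch(string $url): ?string
{
    $ctx  = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 5]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// True only if a probe file written into $dir can NOT be read back over HTTP.
function dir_is_protected(string $dir, string $dirUrl, ?callable $fetch = null): bool
{
    $fetch = $fetch ?? 'http_fetch';
    $token = bin2hex(random_bytes(16));                       // secret file content
    $probe = 'probe-' . bin2hex(random_bytes(8)) . '.txt';    // name differs from content
    file_put_contents("$dir/$probe", $token);
    try {
        $body = $fetch(rtrim($dirUrl, '/') . "/$probe");
    } finally {
        unlink("$dir/$probe");
    }
    // No response (null) counts as unconfirmed, so the installer fails closed.
    return $body !== null && strpos($body, $token) === false;
}

// Constructed demo: two simulated servers stand in for real HTTP requests.
$dir = sys_get_temp_dir() . '/eocms-data-' . bin2hex(random_bytes(4));
write_deny_htaccess($dir);
$ignores = fn(string $url) => file_get_contents("$dir/" . basename($url)); // AllowOverride None
$honours = fn(string $url) => '<h1>403 Forbidden</h1>';                    // rules applied
foreach (['ignores .htaccess' => $ignores, 'honours .htaccess' => $honours] as $label => $fetch) {
    $ok = dir_is_protected($dir, 'http://example.test/data', $fetch);
    echo $label, ': ', $ok ? 'protected' : 'EXPOSED, move the database out of the web root', "\n";
}
unlink("$dir/.htaccess"); rmdir($dir);
```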
eoCMS Designer
Posts: 1290
tbarkass_willamson@hotmail.com
Re: Any way to solve this?

Um... any reason why this is in the admin board? Is it just because it exposes a weakness? If you're worried about people seeing the contents of my site, I'm not bothered (hence the reason I chose it as an example)

Seen a bug? Report it!
eoCMS Developer
Posts: 909
Re: Any way to solve this?

This is a per-site issue (not because it's random) because each site's security is different.

I am pretty sure that you can include a path when giving the db name (for SQLite), but obviously this needs to be explained better. This is another "good topic" for a Troubleshooting doc, or a Pre-install doc, that includes other troubleshooting and security-related tips.
Last Edit: 7th May, 2009, 06:36:37 AM by paulwratt

Member
Posts: 144
Re: Any way to solve this?

It's looking like there is one option...

Change the database dir every 10 minutes to an MD5 hash of a random word. I don't know. Just an idea.
eoCMS Developer
Posts: 909
Re: Any way to solve this?

or, the name chosen, md5 it before creating the db name

