
Security Question - Files in Site Root Visible

posts: 17

Hi Folks,

Thank you for all your efforts on this very flexible and powerful application. I've posted one or two questions before and thank those of you who answered.

As always, I searched the forum for the answer to this question. It seems to be a security issue, though I know there's a solution. I just need a more experienced user to guide me.

When you type my site root (www.mysite.com) into a browser, you get a full listing of the tiki directory. I'd like to ensure that there's no way for the public to see that directory. I'd also like to have the root list the logon screen. I tried renaming tiki-login.php as index.php, but it didn't work. Also, how do I make sure that the files in the site root cannot be viewed by the public?

Thanks in advance.

posts: 289 United States

I think the easiest thing to do would be to create a new index.php page that redirects to the tiki login page. Curiously, I already had one by default, so have you been deleting files, or is your Tiki not in the root of your site? The code below is borrowed from the index.php file that is found in the whelp directory, but the principle should still hold.

index.php from Whelp DIR
< php

// $Id: /cvsroot/tikiwiki/tiki/whelp/index.php,v 1.5 2007-03-06 19:30:46 sylvieg Exp $

// Copyright (c) 2002-2007, Luis Argerich, Garland Foster, Eduardo Polidor, et. al.
// All Rights Reserved. See copyright.txt for details and a complete list of authors.
// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details.

// This redirects to the sites root to prevent directory browsing

header ("location: /index.php");
die;

>

^NOTE: I had to take out the question marks either side of the open and closing angle brackets otherwise the code won't display properly.

Assuming that your Tiki install is not in the root path of your website, you need to make sure that you change the "" to put the correct path of where to find it. If it is, then I don't know what's happened, but try putting a single "." (period, full stop) before "/index.php". The index.php file that resides in the root of my Tiki is slightly different:



Perhaps you could try this instead of the other code.


posts: 289 United States

GGGggrr... hit "post" instead of "preview".

The code for the main index.php in the root of your tiki should be:

< php

// $Id: /cvsroot/tikiwiki/tiki/index.php,v 1.9 2007-10-12 07:55:23 nyloth Exp $

// Copyright (c) 2002-2007, Luis Argerich, Garland Foster, Eduardo Polidor, et. al.
// All Rights Reserved. See copyright.txt for details and a complete list of authors.
// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details.
require_once ('tiki-setup.php');
if ( ! headers_sent() ) {
	header ('location: '.$prefs['tikiIndex']);
}
die("header already sent");

>

And again, you need to put a "?", question mark after the opening and before the closing angle brackets.

posts: 17

Yes, that's in my root directory. When I go to the root, and click on it, it takes me to whatever page is listed as the home page or group home page. Unfortunately, it doesn't do it automatically when I go to www.mysite.com, as it should. I still get dumped into the root listing showing all the tiki files.

Could it be a php setting?

posts: 289 United States

I don't think it's a PHP setting. I think it's a web server setting; I expect it's only looking for "index.html" or "index.htm" and not "index.php". I'm not sure of your setup so I don't exactly know where you'd need to look to add it.

posts: 289 United States

I looked it up since I'm a curious fellow, and if you're using Apache web server then you need to edit your httpd.conf file. In particular you need to edit the line DirectoryIndex so that it contains index.php as in:

DirectoryIndex index.php index.html index.htm

The DirectoryIndex is simply a space delimited list of valid files that can be accessed if you browse to the root.

posts: 289 United States

I bet if you change or add an index.html page that redirects to the index.php page it will work.

[HTML]
[HEAD]
[meta HTTP-EQUIV="REFRESH" content="0; url=http://www.mysite.com/index.php"]
[/HEAD]
[BODY]
Redirecting to main page.  If your browser does not automatically redirect you then [A href="http://www.mysite.com"]click here[/A] to go there manually.
[/BODY]
[/HTML]


I had to change the HTML code to use square brackets instead of angle brackets since HTML code is not allowed.


posts: 17

I'm using a shared server (hostgator). But I also have Apache on my local machine. I checked the httpd.conf file on my local machine and sure enough, there it was. Interestingly though, my primary account does load index.php when a web client requests www.myprimary.com. But the one in question is actually a subdomain of an addon domain.

So, the next question I need to resolve is, where do I put the httpd.conf file? I asked hostgator about changing my php settings and they said I could put a php.ini file into any directory I wanted the changes to take effect, or I could put it in the public_html file and the settings would hold for all directories below it.

I'll check with hostgator to find out.

Thanks for your help on this one too. I'll let you know how it turns out.


posts: 17

Well, I talked to the folks at hostgator (btw, here's a plug - I've been with them for a little over a year and very satisfied). It turned out that my .htaccess file only included index.html. I added index.php to the DirectoryIndex line and the issue went away. Hope this helps some other newb who's looking for help.
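
An added example, not part of the thread and not Tiki's own code: a small audit that reads an .htaccess file's DirectoryIndex and Options lines and reports which directories under a document root would still be served as a file listing. It assumes the host leaves Apache directory listings enabled unless the .htaccess turns them off, and that subdirectories have no .htaccess of their own; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def parse_htaccess(text):
    """Return (DirectoryIndex names, True if 'Options -Indexes' is set)."""
    names, indexes_off = [], False
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "directoryindex":
            names.extend(parts[1:])      # repeated directives add to the list
        elif directive == "options":
            for opt in (p.lower() for p in parts[1:]):
                if opt == "-indexes":
                    indexes_off = True
                elif opt in ("indexes", "+indexes", "all"):
                    indexes_off = False
    return names or ["index.html"], indexes_off   # Apache's default index name

def exposed_dirs(docroot, htaccess_text):
    """Directories under docroot that Apache would answer with a file listing.

    Assumption: listings are enabled by the server unless .htaccess disables them.
    """
    names, indexes_off = parse_htaccess(htaccess_text)
    if indexes_off:
        return []                         # requests get 403 instead of a listing
    exposed = []
    for path, dirs, files in os.walk(docroot):
        dirs.sort()                       # stable, readable output order
        if not any(name in files for name in names):
            exposed.append(os.path.relpath(path, docroot))
    return exposed

def build_sample_tree(root):
    """Constructed layout resembling the thread: Tiki files in the site root."""
    for rel in ("index.php", "tiki-login.php", "whelp/index.php", "img/logo.png"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for label, conf in [("before", "DirectoryIndex index.html"),
                            ("after", "DirectoryIndex index.html index.php"),
                            ("hardened", "DirectoryIndex index.php\nOptions -Indexes")]:
            print(label, exposed_dirs(root, conf))
```

Adding index.php to DirectoryIndex covers only directories that contain an index.php; a directory without one still lists its files unless `Options -Indexes` is also set, which the host must permit in .htaccess.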