New version Security Advisor

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

Post here for help with installation of mojoPortal pre-compiled release packages

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.

You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.

This thread is closed to new posts. You must sign in to post in the forums.
9/20/2010 5:44:47 PM
cagliostro
Gravatar
Total Posts 125
View Posts

New version Security Advisor

Hello.

Running the new update, i get a warning that ALL my folders are RW and need not to be.

Checking the security with the file manager, i don't see that. I can't be 100% about it. I'm doing various tests right now, but maybe that function is not working well ?

Anybody else with this problem ?

thanks

9/20/2010 5:51:40 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: New version Security Advisor

Hi,

Believe me if it says they are writable they are writable. If you look in the root you will probably see a file named SecurityAdvisor_someguid.txt, it deletes all the other files after it creates them but it leaves one if the root is writable, but the test writes a file to each folder and it lists the folders where it succeeded in writing a file.

See http://www.mojoportal.com/securing-the-file-system.aspx for information how to make it not writable. 

Best,

Joe

9/20/2010 5:54:53 PM
cagliostro
Gravatar
Total Posts 125
View Posts

Re: New version Security Advisor

Joe,

I do all my checks from DotNet Panel. This is what i see and this is how i added the two folders RW permissions that Mojo Wants (or is it 3 folders, i don't remember).

I have NO other way to check this.

I do have some ASP code from the past that checks that. I will use that, if it works. And i will follow up here.

9/20/2010 6:01:29 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: New version Security Advisor

Did you see the file in the root after running the test or not?

If you see a file securityadvisortest_someguid.txt in the root then it means the root folder is writable, therefor you should believe what it says about the other folders.

Hope it helps,

Joe

9/20/2010 6:03:21 PM
cagliostro
Gravatar
Total Posts 125
View Posts

Re: New version Security Advisor

Joe,

I'm afraid the files are there in my root. 3 of them, i guess 1 checked 3 times.

tanks

9/20/2010 6:10:52 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: New version Security Advisor

It isn't the worst thing in the world if they are writable but it would be more secure if they were not. I suspect many people in shared hosting won't have the granular control to solve it. That is why I list it as just a warning with a yellow indicator instead of red. mojoPortal is designed to control where files can be written and it "should" generally be able to enforce it but, if the file system permissions can restrict it, that is much better because then you are protected from harm with an additional layer of protection even if a hacker can manage to bypass application logic somehow.

Best,

Joe

9/20/2010 6:15:15 PM
cagliostro
Gravatar
Total Posts 125
View Posts

Re: New version Security Advisor

Yes well, Dot Net Panel is the WORST JUNK PANEL i have seen in my life as a webmaster. Not sure if my hoster did configure wrong my reseller package permissions, BUT dotnet panel should reflect the correct permissions.

That way i was sleeping at night knowing that only the needed folders/files were writable.

Thank god i found that due to your applications. many thanks.

 

Costas

9/20/2010 6:31:21 PM
Jamie E
Gravatar
Total Posts 1203
View Posts
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: New version Security Advisor

Hey everyone, just to chime in, I ran the writable folders check too and was surprised that some of our folders were coming up writable as well. Fortunately we are using our own internal servers, so it was a simple matter of removing some of the extra permissions that weren't needed, and now all is well.

Thanks a lot for providing this tool, Joe! Now we'll just need to work on creating that custom machine key and getting those hashed passwords back in. I'm sure glad these security issues came up before we went live and had a lot of users set up!

Jamie

9/20/2010 6:34:54 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: New version Security Advisor

Hi Jamie,

Actually I've just been told that hashed passwords are not affected by machine key change by someone who tried it. I just updated the document about it.

http://www.mojoportal.com/use-a-custom-machine-key.aspx

Best,

Joe

9/20/2010 6:54:23 PM
Jamie E
Gravatar
Total Posts 1203
View Posts
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: New version Security Advisor

Cool! Thanks for the heads-up, Joe. That'll make it a much easier process to change that machine key.

9/21/2010 1:09:05 PM
Joe Davis
Gravatar
Total Posts 2239
View Posts

Re: New version Security Advisor

Hi Costas,

I use DotNetPanel (WebsitePanel now, as it has been renamed and released as OpenSource) and I really like the control it gives me and my customers. DNP shows you the permissions you have the ability to modify, nothing more, nothing less. If it were to show you all the user accounts or groups on your hosting space directory, you would be contacting your hosting company with concern as to what the accounts were. For instance, your host may require the use a specific backup user to perform backups of your hosting space. That being said, your host has configured their server incorrectly and there is likely a group on the ACL for the root of all of the HostingSpaces with write permissions. I have seen with other DNP installations, the Users group is on the c:\HostingSpaces directory with permission to write.

It will not go over very well, but, you need to contact your host and explain that you are able to write to directories within your site that you haven't explicitly granted write permissions on.

If they don't listen to you, change hosts.

HTH,
Joe D.

You must sign in to post in the forums. This thread is closed to new posts.