[security] increase security features

Started by enddo, May 30, 2013, 03:59:25 AM

Print
Go Down Pages1
User actions

enddo

May 30, 2013, 03:59:25 AM
I think after that security issue;
we should talk about new security features, ideas.

Hostbill has some security features:
http://wiki.hostbillapp.com/index.php?title=Additional_security_steps
You can move some writable directories to other locations.
Also can change admin folder name.

what about changing other directories name or destination?
Like ../include or ../hbf
does it make sense?

Lawrence

#1
May 30, 2013, 06:33:39 AM
I actually love that concept... But to update all those modules / php files would be murder on Kris, and I don't think he'll do it. It would take a few days of consistent labor to get everything linked up properly, updating all those lines of code for the new paths, etc,.

I wish it were that easy, but it's not likely anytime soon. More security features is better though.
Skype: sociallarry | AIM: [email]larry.aim@aim.com[/email] | Forum Rules & Information

These forums are hosted by me with no intentions to ever monetize them. These forums are here solely for the benfit of the HostBill community.

Patrick

#2
May 30, 2013, 04:22:50 PM Last Edit: May 30, 2013, 05:23:27 PM by patrick
Quote from: Lawrence on May 30, 2013, 06:33:39 AM
I actually love that concept... But to update all those modules / php files would be murder on Kris, and I don't think he'll do it. It would take a few days of consistent labor to get everything linked up properly, updating all those lines of code for the new paths, etc,.

I wish it were that easy, but it's not likely anytime soon. More security features is better though.

I'd be surprised if they are using absolute paths to the modules.  Odds are they have a variable set internally, i'd guess they have it by default to something similar to {includes_dir}/ and they have the global variable set elsewhere.  I'd be very surprised if they used absolute paths to anything.  That said, directories such as includes has to be called by the public for example when paying the POST script would be "http://url/hostbill/includes/components/payments/stripe.php?do=" <----- that's only a rough example. 

Renaming it is possible if they allowed it .

As long as you place writable directories such as "templates_c, attachments & downloads" are all outside public access (these are all items called internally) you'll be fine on that front, but since index.php is the core and calls most functions any existing exploits could be called upon just front the core files.  Following the advice of the link you showed, IP restricting the admin directory by .htaccess or by the httpd.conf (i do this method) and the only IP that can be used is a custom internal IP set by openvpn.

Edit:
Originally typed this on an ipad and man how things come out are frustrating.  Made some changes
Patrick - Forum Rules
Insanity: doing the same thing over and over again and expecting different results. - Albert Einstein

enddo

#3
May 31, 2013, 05:39:07 AM
What about API connected client side.

For instance Order Pages and Client side would be just works with API connections.

I really would pay for that.
Print
Go Up Pages1
User actions