· How can I fix the possible security issue with Ringlink passwords?
The passwords which give access to the different admin menus are stored in the following files:
admin password - in the rlconfig.pm file
ring passwords - in respective ring.db file
site passwords - in respective sites.db file
rlconfig.pm is stored in the 'lib' directory, and ring.db and sites.db are stored in different subdirectories under the 'data' directory.
These directories might be in your cgi-bin, and on some servers that means they are not readable from the web, but this may not be the case for you.
If needed, these are two possible ways to prevent the files in question from being readable from the web:
1) If you are on an Apache web server, you can put files named .htaccess in the 'lib' and 'data' directories.
The .htaccess files are simple text files, and the simplest - and safest - command to put in the .htaccess file is the following single line:
deny from all
This command should prevent all files in both the same directory and any subdirectories from being readable from the web. However, there may be servers where this single line does not work. In that case you can try:
<Limit GET>
deny from all
</Limit>
Or you might have put files in your ring directories which you want to be readable from the web. In that case, to restrict access to certain files only, you can use the <Files> directive. For instance, to prevent files with the file extension .db from being readable from the web, you can put the following .htaccess file in the 'data' directory:
<Files *.db>
deny from all
</Files>
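The .htaccess variants above, written out as an added example that is not part of the Ringlink distribution or of this FAQ: a POSIX shell script that generates the two files, emitting both the Apache 2.2 syntax the FAQ uses (deny from all) and the equivalent Apache 2.4 syntax (Require all denied), each guarded by <IfModule> so one file works on either version. It also checks that a generated file contains no carriage returns, which is what uploading in ASCII mode is meant to guarantee. The directory names used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Ringlink's own code: generate .htaccess files that deny
# web access to the Ringlink 'lib' and 'data' directories.
# Apache 2.4 honours "Require all denied" (mod_authz_core); Apache 2.2 uses
# "Order"/"Deny" (mod_access). The <IfModule> guards select the right one.

# Write an .htaccess into DIR that denies every request for DIR and its
# subdirectories (the FAQ's "deny from all" case, for the 'lib' directory).
write_deny_all() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Deny web access to everything in this directory and its subdirectories.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Write an .htaccess into DIR that denies only files matching PATTERN
# (e.g. "*.db"), so other files in DIR stay readable from the web
# (the FAQ's <Files> case, for the 'data' directory).
write_deny_pattern() {
    dir="$1"; pattern="$2"
    cat > "$dir/.htaccess" <<EOF
# Deny web access to files matching $pattern; other files stay readable.
<IfModule mod_authz_core.c>
    <Files "$pattern">
        Require all denied
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    <Files "$pattern">
        Order deny,allow
        Deny from all
    </Files>
</IfModule>
EOF
}

# Exit 0 if FILE contains no carriage returns (LF line endings only),
# 1 otherwise. A CRLF file, as produced by a binary-mode upload from
# Windows, can make Apache misread the directives.
has_no_cr() {
    tr -d '\r' < "$1" | cmp -s - "$1"
}

# Demo on a constructed directory layout under a temporary directory.
demo=$(mktemp -d)
mkdir "$demo/lib" "$demo/data"
write_deny_all "$demo/lib"
write_deny_pattern "$demo/data" "*.db"
for f in "$demo/lib/.htaccess" "$demo/data/.htaccess"; do
    echo "== $f"
    cat "$f"
    if has_no_cr "$f"; then echo "(LF line endings, OK)"; fi
done
rm -rf "$demo"
```

An .htaccess file only takes effect if the server's AllowOverride setting for that directory permits it: Limit covers Order/Deny and AuthConfig covers Require. If the file seems to do nothing, that setting is the usual reason. To confirm the result, request one of the protected files by its URL (for instance a sites.db file) and check that the server answers with 403 Forbidden rather than the file contents.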
Create the file and upload it to the proper directory in ASCII mode.
2) If you have access to directories outside the web document root, you could locate the 'lib' and 'data' directories there. This solution does not rely on file permissions at all; instead, the web document root is made a subdirectory of the root of the webhosting account.
Gunnar has tested this and provides the following:
The path to the root of "my" space on the server is:
/usr/.../htdocs/gunnar
and I'm free to create any subdirectories under that directory. But the URL to my homepage - we can call it http://www.domain.com/gunnar/ - refers to
/usr/.../htdocs/gunnar/web
Accordingly, any document I want to be readable from the web has to be saved in /usr/.../htdocs/gunnar/web or in a subdirectory to that directory.
As regards Ringlink, I uploaded the *.pl files in
/usr/.../htdocs/gunnar/web/cgi-bin/ringlink
while the 'lib' and 'data' directories were located as follows:
/usr/.../htdocs/gunnar/ringlink/lib
/usr/.../htdocs/gunnar/ringlink/data
This means that the files in these directories are not accessible from the web, not because of file permission settings or .htaccess arrangements, but for the simple reason that no URL refers to them. Nevertheless, the files can be read by the scripts (the *.pl files).
A variant to this solution, if you can't make your provider refer the URL to a subdirectory, is to locate the 'lib' and 'data' directories in a directory with an "unlikely" name, like:
/usr/.../htdocs/gunnar/web/cXPrt59/lib
/usr/.../htdocs/gunnar/web/cXPrt59/data
and make sure that /usr/.../htdocs/gunnar/web includes an index.html file in order to prevent people from listing the files.
Note that the above locations of the 'lib' directory presuppose that the second line of all the *.pl files includes the full path to the 'lib' directory.
As far as I understand, these ways of preventing people from viewing the information in rlconfig.pm, ring.db and sites.db should work as well on NT servers as on Unix/Linux servers.
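A check for the second solution, added here as an example and not taken from Ringlink or from Gunnar's setup: a POSIX shell script that tells whether a given 'lib' or 'data' directory lies inside or outside the web document root (so whether any URL can map to it), and that verifies each *.pl script names the 'lib' path on its second line, as the note above requires. Paths are compared as strings after trimming trailing slashes; symlinks are not resolved, so use the real paths. The document root and directory names in the demo are constructed, and the `use lib` line in the constructed script is an assumption about the form Ringlink uses, not taken from the distribution; the check itself only looks for the path string.

```shell
#!/bin/sh
# Added example, not Ringlink's own code: locate the 'lib' and 'data'
# directories relative to the document root and check the *.pl scripts.

# Exit 0 if DIR is inside DOCROOT (some URL could map to it),
# 1 if it lies outside the document root (no URL refers to it).
web_reachable() {
    docroot="${1%/}"; dir="${2%/}"
    # Compare with a trailing slash so /web does not match /webfoo.
    case "$dir/" in
        "$docroot/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the second line of every *.pl in SCRIPTDIR mentions LIBDIR,
# 1 otherwise (the offending scripts are reported on stderr).
scripts_point_to_lib() {
    scriptdir="$1"; libdir="${2%/}"; ok=0
    for f in "$scriptdir"/*.pl; do
        [ -f "$f" ] || continue
        if ! sed -n '2p' "$f" | grep -qF "$libdir"; then
            echo "$f: second line does not name $libdir" >&2
            ok=1
        fi
    done
    return $ok
}

# Demo with constructed paths modelled on the layout described in the FAQ.
docroot=/usr/example/htdocs/gunnar/web
for d in /usr/example/htdocs/gunnar/ringlink/lib \
         /usr/example/htdocs/gunnar/ringlink/data \
         /usr/example/htdocs/gunnar/web/cXPrt59/lib; do
    if web_reachable "$docroot" "$d"; then
        echo "$d: inside the document root; a URL maps to it, so it needs an index.html or .htaccess"
    else
        echo "$d: outside the document root; no URL refers to it"
    fi
done

# Constructed stand-in for a Ringlink script; the exact second line Ringlink
# uses may differ, the check only requires the lib path to appear there.
demo=$(mktemp -d)
printf '#!/usr/bin/perl\nuse lib "/usr/example/htdocs/gunnar/ringlink/lib";\n' > "$demo/ring.pl"
if scripts_point_to_lib "$demo" /usr/example/htdocs/gunnar/ringlink/lib; then
    echo "all scripts in $demo name the lib directory on line 2"
fi
rm -rf "$demo"
```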