I had a situation just yesterday where someone got into one of the accounts on my webring and changed it to a porn site. The rest of the ring was just fine but this one site's info was changed. The site itself was fine. I'm thinking this may be related. I do have the ability to put an .htaccess file into my directory. How would this affect the ring itself? Would everything work fine unless they tried to view these files or what?

---
Sir Anvil
www.christiangamers.org

On Mon, 9 Oct 2000, Gunnar Hjalmarsson wrote:

> A couple of Ringlink users have called my attention to a security issue
> that affects some Ringlink set-ups.
>
> The passwords which give access to the different admin menus are stored
> in the following files:
>
> admin password - in the rlconfig.pm file
> ring passwords - in respective ring.db file
> site passwords - in respective sites.db file
>
> rlconfig.pm is stored in the 'lib' directory, and ring.db and sites.db
> are stored in different subdirectories under the 'data' directory.
>
> In my own Ringlink installation, the paths to the 'lib' and 'data'
> directories are as follows:
>
> /www/htdocs/gunnar/cgi-bin/ringlink/lib
> /www/htdocs/gunnar/cgi-bin/ringlink/data
>
> Both 'lib' and 'data' are located under the 'cgi-bin' directory. Because
> of the way my server is set up, no files in or under the 'cgi-bin'
> directory can be read from the web, which means that the password info
> is protected.
>
> However, it doesn't work this way on all servers. This means that in
> some cases, the files mentioned above, which include password info, are
> readable from the web.
>
> There are two reasons for this posting:
>
> 1) To call every Ringlink user's attention to this security issue
>
> 2) To ask for suggestions for appropriate steps to protect the
> password info
>
> These are two possible ways to prevent the files in question from being
> readable from the web:
>
> - If you are on an Apache web server, you can put files named
> .htaccess in the 'lib' and 'data' directories. The .htaccess files
> are simple text files which in this case should have the following
> contents:
>
> order allow,deny
> deny from all
>
> - If you have access to directories outside the web document root,
> you could locate the 'lib' and 'data' directories there.
>
> But there are probably servers (webhosting accounts) where none of these
> solutions are possible to apply. That's why I ask you to post
> suggestions for other possible methods.
>
> / Gunnar
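The two remedies Gunnar quotes (an .htaccess deny rule, or moving 'lib' and 'data' outside the document root) can be applied mechanically. The following is an added example, not code from the thread or from Ringlink: it decides, per directory, whether it lies under the document root, and if so writes the .htaccess body from the post. The paths in `demo()` are constructed, not a real installation.

```python
"""Protect Ringlink's 'lib' and 'data' directories from being read over the web.

Added example; not part of Ringlink or of Gunnar Hjalmarsson's post.
Assumes the Apache 1.3/2.2 directives quoted in the post; paths are constructed.
"""
import tempfile
from pathlib import Path

# The .htaccess body from the post: refuse every web request for the directory.
DENY_ALL = "order allow,deny\ndeny from all\n"


def is_under(path: Path, root: Path) -> bool:
    """True if `path` lies inside `root` after resolving symlinks and '..'."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def protect(docroot, lib_dir, data_dir, write=True):
    """Return {directory: action}. Actions: 'outside-docroot' (no URL can reach it),
    'htaccess-present', 'htaccess-written', or 'htaccess-needed' (when write=False)."""
    docroot = Path(docroot)
    actions = {}
    for d in (Path(lib_dir), Path(data_dir)):
        if not is_under(d, docroot):
            actions[str(d)] = "outside-docroot"   # remedy 2 already applies
            continue
        ht = d / ".htaccess"
        if ht.exists() and "deny from all" in ht.read_text().lower():
            actions[str(d)] = "htaccess-present"
        elif write:
            with ht.open("a") as fh:          # append so existing directives survive
                fh.write(DENY_ALL)
            actions[str(d)] = "htaccess-written"
        else:
            actions[str(d)] = "htaccess-needed"
    return actions


def demo():
    """Constructed layout: 'lib' inside the document root, 'data' outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "htdocs"
        lib = docroot / "cgi-bin" / "ringlink" / "lib"
        data = Path(tmp) / "private" / "ringlink" / "data"
        lib.mkdir(parents=True)
        data.mkdir(parents=True)
        dry_run = protect(docroot, lib, data, write=False)
        first = protect(docroot, lib, data)
        second = protect(docroot, lib, data)   # idempotent: nothing rewritten
        body = (lib / ".htaccess").read_text()
    return dry_run, first, second, body
```

The .htaccess only takes effect where Apache's `AllowOverride` permits it for that directory tree, and Apache 2.4 expresses the same rule as `Require all denied` (the older `order`/`deny` form needs `mod_access_compat`).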