TOPIC: Instructions on "Installation security hints" do not seem to apply to version 2!

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92060

  • Sweden
Thanks for your suggestion Denis - isn't your command similar to using echo "test"? I have already done that and I do get the "test" message - meaning that my configreal.php file is being found by config.php.

I just tried to see if I could replicate this issue on my local version of LimeSurvey and it is the same here - I get a blank screen.

I found this thread and this other user had the same problem. Are you saying that it works on your LimeSurvey installation? What version are you using? I'm using Version 2.00+ Build 130122.
Last Edit: 1 year 6 months ago by Sweden.
The administrator has disabled public write access.

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92061

  • DenisChenu
Always last GIT version, but this was unchanged.

Did you have access to the error log of the server?

Denis
Last Edit: 1 year 6 months ago by DenisChenu.

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92062

  • Sweden
It is strange that it works on your installation - the person in the thread I was linking to had the same problem.... and I can't get it to work on both my online and local version of LimeSurvey... I wonder what could be wrong.

Should I give up, and use something else than LimeSurvey (I would be sad about that), or is there anything else I could try?

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92063

  • DenisChenu
Sweden wrote:
Should I give up, and use something else than LimeSurvey (I would be sad about that), or is there anything else I could try?
I already asked:
- Did you have access to your error log

2nd part, you can leave LS if you want, not my problem, but for your information:
- All survey systems need a connection string
- A lot of survey systems leave the connection string in the same directory as LS
- LS security risks are fixed 48 hours or less after being found.

And again, it's not a security risk here....

Denis
PS: another config here: demonstration.sondages.pro/config.php
Try to view the DB setting, no way and no change from 1.92. Apache doesn't show it, it's PHP ....
Last Edit: 1 year 6 months ago by DenisChenu. Reason: PS

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92066

  • Sweden
Thanks Denis,

I know it isn't your problem, I'm not blaming anyone, but please understand that I can't have a system that may reveal my MySQL database user + password so someone can mess with my data without my knowledge. LS security instructions mention that this could be the result and why I am worried.
I don't know anything better than LimeSurvey - that is why I hope I can fix this problem ;)
If you can make it work on your server then clearly it is a problem on my side and something that I should be able to fix.

I'm not sure where the error log is located. It doesn't generate any error in the error_log located in the limesurvey directory. cPanel got an error log that shows the last 300 errors but there isn't any error at all. Anywhere else I could look?

Thanks again - I really appreciate your help.
Last Edit: 1 year 6 months ago by Sweden.

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92068

  • Sweden
I have turned off "display_errors" in my php.ini file so maybe it isn't a problem at all to keep my original, unmodified config.php (with the sensitive information in it) in the limesurvey/application/config directory?

Wouldn't that prevent the browser from revealing my MySQL username and password?


PS: Firebug gives me this error when I use the config.php ---> configreal.php approach that doesn't work for me: "Character encoding not declared in html document". Strange... not sure if it is relevant.
Last Edit: 1 year 6 months ago by Sweden.

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92074

  • DenisChenu
For testing: always display_error to ON !
Wouldn't that prevent the browser from revealing my MySQL username and password?
Even with display_error to ON, your DB username/password CAN NOT be shown in a browser, except if YOU put echo "mypassword" somewhere ....
Your DB username/password are shown only if you rename your PHP file config.php to config.ini (for example).
Last Edit: 1 year 6 months ago by DenisChenu.

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92076

  • Sweden
Thanks Denis,
For testing: always display_error to ON !
Yes it should be, but error logging is set to ON.

The strange thing is that, even with display_error = OFF I can provoke an Internal Server Error in my browser window that reveals my webhost username and information about my website structure. This is clearly NOT a problem caused by LimeSurvey - my php.ini file is located at root and doesn't seem to have any effect on LS so I'm not sure if I need to add something to all the .htaccess files in the different LS directories in order to make it work?

BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.
Last Edit: 1 year 6 months ago by Sweden.

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92081

  • DenisChenu
Sweden wrote:
BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.
Sorry,
Didn't completely test rights limiting with LS.

My DB user has these, limited to this DB:
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE

Denis
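
The privilege list in the post above, written out as MySQL statements that replace a broad grant with a database-scoped one and then verify the result. This is an added example, not part of the original posts or of LimeSurvey's documentation; the database name `limesurvey` and the account `'limesurvey'@'localhost'` are assumed placeholders, and the statements are run as a MySQL administrator.

```sql
-- Added example. Assumed names: database `limesurvey`,
-- existing account 'limesurvey'@'localhost'. Run as a MySQL administrator.

-- Before (the broad grant mentioned in the thread):
--   GRANT ALL PRIVILEGES ON `limesurvey`.* TO 'limesurvey'@'localhost';

-- 1. Drop everything the account currently holds, at every level.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'limesurvey'@'localhost';

-- 2. Grant only the listed privileges, scoped to the one database.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW,
      CREATE ROUTINE, ALTER ROUTINE, EXECUTE
   ON `limesurvey`.* TO 'limesurvey'@'localhost';

-- 3. Verify the global level: only USAGE (no privileges) should remain.
--    GRANTEE values include the quotes, hence the doubled '' escapes.
SELECT PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE = '''limesurvey''@''localhost''';

-- 4. Verify the database level: rows should exist for `limesurvey` only.
SELECT TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''limesurvey''@''localhost'''
 ORDER BY TABLE_SCHEMA, PRIVILEGE_TYPE;

-- 5. Same check in the form most administrators read.
SHOW GRANTS FOR 'limesurvey'@'localhost';
```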

Re: Instructions on "Installation security hints" do not seem to apply to version 2! 1 year 6 months ago #92090

  • Sweden
That's alright - I got the answer in my other thread here
8 privileges seems to be enough.

I haven't been able to fix the other problem so I will have to use the unmodified config.php file - hope that is okay.

Thanks for your help - LimeSurvey is great and probably much more secure than most similar projects. I just need to secure users' private information as much as possible... that's why I'm paranoid :)
Last Edit: 1 year 6 months ago by Sweden.