Could someone please take a look at this issue "bugs.limesurvey.org/view.php?id=6771" - I believe the problem is still there. I have changed config.php as described under "Other security issues" ("docs.limesurvey.org/Installation+securit...tions+for+LimeSurvey") and because of that I can no longer login to admin - all I get is a blank page.

Please help - I don't want to use LimeSurvey in an insecure way!
Thanks

The actual doc is for 2.0.

Denis

Thanks Denis, not sure what you mean by that? I have installed the newest version of LimeSurvey yesterday and the instructions don't seem to work... perhaps it works on your server?

I tried to insert echo commands in the configreal.php (placed in a non-web directory) - I get a message if I place the echo command in the beginning of the file, I get none if I place it at the bottom. I guess that means that my modified config.php file points to my configreal.php file but somehow this file doesn't get to the end.

I really hope someone can answer this question - I don't want the risk of sharing my MySQL username and password with the whole world! I can't be the only one with this concern...

BTW: Another thing, my LimeSurvey MySQL user account/database have "GRANT ALL PRIVILEGES ON". What is the minimum needed?

What a shame no one can look into this issue...

I also haven't got an answer on one of my other security related issues. Although I know LimeSurvey is based on free work I do think security issues should have a higher priority than anything else. It makes no sense to have a great system if someone can hack into it and mess with the data.

I found another post that someone made a long time ago about the same problem and no one gave him an answer. I really like LimeSurvey but I'm afraid to use it because of this security issue.

Working with some change.

In config file, look at:
And replace 'routes' by '/yourlimesurveyinstallationdir//application/config/routes.php'.
There are not a big security issue here, except for server without good security. Mine for example comletely seperate each user apache server, no access at other user file (excetp for root, but root is root, and root can not connect to my server).

Here, with access to log file, it's very easy to view the problem. If you don't have access to your logfile, or don't understand your logfile, maybe best is to ask at a professionnal server administrator.

Denis
PS: Other_security_issues updated.
PS2: mysql user are not accessible by the "all world" but only by user some the server. If the server is good: only you and root)

Thanks for your help DenisChenu but I tried your suggestion and it didn't make any difference.

My config.php file works when it is in the config folder so I guess that means that everything but the path is right. I have installed LimeSurvey on an addon website.
This is the path I use in configreal.php in general (I have replaced my username with x1x1x1x1):

/home/x1x1x1x1/public_html/addonwebsite.com/myLimeSurveyFolder/....

Is this the right way to do it?

Thanks.


BTW: I think you should change:
'rules' => require('/var/www/htdocs/limesurvey/routes.php'),
to
'rules' => require('/var/www/htdocs/limesurvey/application/config/routes.php'),
in Other_security_issues to avoid confusion.

I can't tell you what is your server systme.

You can add a test file in your limesurvey installation with
echo "dirname(__FILE__)";

And see your path.

Maybe your hoster restrict this operation, can't tell.

Denis

Thanks again, I tried that (without the "") and the path is right so that is not the problem...

Can you confirm that my problem with the config.php/configreal.php is a general problem?
Does it work on your installation?

Yes,

Tested, and found the error.

Try this:
put this in your configreal.php

If you see "TEST" on all page of LimeSUrvey, it's a problem with your configreal, if not, this file is not included in your config.php.

Denis
PS: put the content of your config.php here.