
TOPIC: Instructions on "Installation security hints" do not seem to apply to version 2!

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92060

  • Sweden
Thanks for your suggestion Denis - isn't your command similar to using echo "test"? I have already done that and I do get the "test" message - meaning that my configreal.php file is being found by config.php.

I just tried to see if I could replicate this issue on my local version of LimeSurvey and it is the same here - I get a blank screen.

I found this thread and this other user had the same problem. Are you saying that it works on your LimeSurvey installation? What version are you using? I'm using Version 2.00+ Build 130122.
Last Edit: 2 years 6 months ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92061

  • DenisChenu
Always last GIT version, but this was unchanged.

Did you have access to the error log of the server?

Denis
Last Edit: 2 years 6 months ago by DenisChenu.

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92062

  • Sweden
It is strange that it works on your installation - the person in the thread I was linking to had the same problem.... and I can't get it to work on both my online and local version of LimeSurvey... I wonder what could be wrong.

Should I give up, and use something else than LimeSurvey (I would be sad about that), or is there anything else I could try?

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92063

  • DenisChenu
Sweden wrote:
> Should I give up, and use something else than LimeSurvey (I would be sad about that), or is there anything else I could try?

I already asked:
- Did you have access to your error log?

2nd part, you can leave LS if you want, not my problem, but for your information:
- All survey systems need a connection string
- A lot of survey systems leave the connection string in the same directory as LS
- LS security risks are fixed 48 hours or less after being found.

And again, it's not a security risk here....

Denis
PS: another config here: demonstration.sondages.pro/config.php
Try to view the DB setting, no way and no change from 1.92. Apache doesn't show it, it's PHP ....
Last Edit: 2 years 6 months ago by DenisChenu. Reason: PS

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92066

  • Sweden
Thanks Denis,

I know it isn't your problem, I'm not blaming anyone, but please understand that I can't have a system that may reveal my MySQL database user + password so someone can mess with my data without my knowledge. LS security instructions mention that this could be the result and why I am worried.
I don't know anything better than LimeSurvey - that is why I hope I can fix this problem ;)
If you can make it work on your server then clearly it is a problem on my side and something that I should be able to fix.

I'm not sure where the error log is located. It doesn't generate any error in the error_log located in the limesurvey directory. cPanel got an error log that shows the last 300 errors but there isn't any error at all. Anywhere else I could look?

Thanks again - I really appreciate your help.
Last Edit: 2 years 6 months ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92068

  • Sweden
I have turned off "display_errors" in my php.ini file so maybe it isn't a problem at all to keep my original, unmodified config.php (with the sensitive information in it) in the limesurvey/application/config directory?

Wouldn't that prevent the browser from revealing my MySQL username and password?


PS: Firebug gives me this error when I use the config.php ---> configreal.php approach that doesn't work for me: "Character encoding not declared in html document". Strange... not sure if it is relevant.
Last Edit: 2 years 6 months ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92074

  • DenisChenu
For testing: always display_error to ON!

> Wouldn't that prevent the browser from revealing my MySQL username and password?

Even with display_error to ON, your DB username/password CAN NOT be shown in a browser, except if YOU put echo "mypassword" somewhere ....
Your DB username/password are shown only if you rename your PHP file config.php to config.ini (for example).
Last Edit: 2 years 6 months ago by DenisChenu.

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92076

  • Sweden
Thanks Denis,
> For testing: always display_error to ON!

Yes it should be, but error logging is set to ON.

The strange thing is that, even with display_error = OFF I can provoke an Internal Server Error in my browser window that reveals my webhost username and information about my website structure. This is clearly NOT a problem caused by LimeSurvey - my php.ini file is located at root and doesn't seem to have any effect on LS so I'm not sure if I need to add something to all the .htaccess files in the different LS directories in order to make it work?

BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.
Last Edit: 2 years 6 months ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92081

  • DenisChenu
Sweden wrote:
> BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.

Sorry,
Didn't test completely right limiting with LS.

My DB user has these, limited to this DB:
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE

Denis

Instructions on "Installation security hints" do not seem to apply to version 2! 2 years 6 months ago #92090

  • Sweden
That's alright - I got the answer in my other thread here
8 privileges seem to be enough.

I haven't been able to fix the other problem so I will have to use the unmodified config.php file - hope that is okay.

Thanks for your help - LimeSurvey is great and probably much more secure than most similar projects. I just need to secure users' private information as much as possible... that's why I'm paranoid :)
Last Edit: 2 years 6 months ago by Sweden.
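
Added example (not from the thread and not LimeSurvey's own code): the config.php ---> configreal.php wrapper discussed above, assuming the version 2 application/config/config.php is loaded for the array it returns, as the stock file is written. A wrapper that only includes the real file discards that array, while one that returns the include passes it on. The temporary paths, the file names config_broken.php and config_fixed.php, the load_config() helper and the credentials are constructed for the demonstration.

```php
<?php
// Added illustration; paths, names and credentials are constructed.
$dir = sys_get_temp_dir() . '/ls_cfg_demo_' . getmypid();
mkdir($dir . '/private', 0700, true);

// The real settings, standing in for a file kept outside the web root.
file_put_contents($dir . '/private/configreal.php', <<<'PHP'
<?php
return array(
    'components' => array(
        'db' => array(
            'connectionString' => 'mysql:host=localhost;dbname=example_db',
            'username' => 'example_user',
            'password' => 'constructed-placeholder',
        ),
    ),
);
PHP
);

// Wrapper A: includes the real file but drops the array it returns.
file_put_contents($dir . '/config_broken.php',
    "<?php\ninclude " . var_export($dir . '/private/configreal.php', true) . ";\n");

// Wrapper B: hands the array back to whoever loaded config.php.
file_put_contents($dir . '/config_fixed.php',
    "<?php\nreturn require " . var_export($dir . '/private/configreal.php', true) . ";\n");

// Hypothetical loader: the application expects an array from config.php.
function load_config($file)
{
    $cfg = require $file;          // a file without "return" yields int(1)
    return is_array($cfg) ? $cfg : null;
}

foreach (array('config_broken.php', 'config_fixed.php') as $name) {
    $cfg = load_config($dir . '/' . $name);
    echo $name, ': ', $cfg === null
        ? "no settings returned\n"
        : 'db user = ' . $cfg['components']['db']['username'] . "\n";
}

// Clean up the demonstration files.
foreach (array('/config_broken.php', '/config_fixed.php', '/private/configreal.php') as $f) {
    unlink($dir . $f);
}
rmdir($dir . '/private');
rmdir($dir);
```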