Instructions on "Installation security hints" do not seem to apply to version 2!

4 years 3 weeks ago - 4 years 3 weeks ago #92068 by Sweden
I have turned off "display_errors" in my php.ini file so maybe it isn't a problem at all to keep my original, unmodified config.php (with the sensitive information in it) in the limesurvey/application/config directory?

Wouldn't that prevent the browser from revealing my MySQL username and password?


PS: Firebug gives me this error when I use the config.php ---> configreal.php approach that doesn't work for me: "Character encoding not declared in html document". Strange... not sure if it is relevant.
Last Edit: 4 years 3 weeks ago by Sweden.

4 years 3 weeks ago - 4 years 3 weeks ago #92074 by DenisChenu
For testing: always display_error to ON !

Sweden wrote: Wouldn't that prevent the browser from revealing my MySQL username and password?

Even with display_error to ON, your DB username/password CAN NOT be shown in a browser, except if YOU put echo "mypassword" somewhere ....
Your DB username/password are shown only if you rename your php file config.php to config.ini (for example).

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
Last Edit: 4 years 3 weeks ago by DenisChenu.

4 years 3 weeks ago - 4 years 3 weeks ago #92076 by Sweden
Thanks Denis,

DenisChenu wrote: For testing: always display_error to ON !

Yes it should be, but error logging is set to ON.

The strange thing is that, even with display_error = OFF I can provoke an Internal Server Error in my browser window that reveals my webhost username and information about my website structure. This is clearly NOT a problem caused by LimeSurvey - my php.ini file is located at root and doesn't seem to have any effect on LS so I'm not sure if I need to add something to all the .htaccess files in the different LS directories in order to make it work?

BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.
Last Edit: 4 years 3 weeks ago by Sweden.

4 years 2 weeks ago #92081 by DenisChenu

Sweden wrote: BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.

Sorry,
I didn't completely test limiting rights with LS.

My DB user has these, limited to this DB:
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE

Denis

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
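
An added example, not part of the thread and not written by either poster: replacing a "GRANT ALL PRIVILEGES" account with the privilege list quoted in the post above, scoped to a single database, and then checking what the account really holds. The database name `limesurvey` and the account `'ls_app'@'localhost'` are constructed placeholders, and MySQL syntax is assumed.

```sql
-- Constructed placeholders: database `limesurvey`, account 'ls_app'@'localhost'.
-- Starting point described in the thread (shown for contrast, left commented out):
--   GRANT ALL PRIVILEGES ON limesurvey.* TO 'ls_app'@'localhost';

-- 1. Clear every existing grant (global, database and table level) so that
--    nothing left over from the broad grant survives.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'ls_app'@'localhost';

-- 2. Re-grant only the privileges listed in the post, on this one database.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW,
      CREATE ROUTINE, ALTER ROUTINE, EXECUTE
   ON limesurvey.* TO 'ls_app'@'localhost';

-- 3. Verify the result as the server sees it.
SHOW GRANTS FOR 'ls_app'@'localhost';

-- 4. Global privileges: an account limited to one database should show
--    only USAGE here (USAGE means "no privileges").
SELECT privilege_type, is_grantable
  FROM information_schema.user_privileges
 WHERE grantee = '''ls_app''@''localhost''';

-- 5. Database-level privileges: every row should name the one intended
--    schema and IS_GRANTABLE should be NO.
SELECT table_schema, privilege_type, is_grantable
  FROM information_schema.schema_privileges
 WHERE grantee = '''ls_app''@''localhost'''
 ORDER BY table_schema, privilege_type;
```

Any row in step 5 for a schema other than the intended one, or any privilege other than USAGE in step 4, means the account still reaches beyond the survey database.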

4 years 2 weeks ago - 4 years 2 weeks ago #92090 by Sweden
That's alright - I got the answer in my other thread here
8 privileges seem to be enough.

I haven't been able to fix the other problem so I will have to use the unmodified config.php file - hope that is okay.

Thanks for your help - LimeSurvey is great and probably much more secure than most similar projects. I just need to secure users' private information as much as possible... that's why I'm paranoid :)
Last Edit: 4 years 2 weeks ago by Sweden.
