TOPIC: Instructions on "Installation security hints" do not seem to apply to version 2!

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 6 days ago #92068

  • Sweden
I have turned off "display_errors" in my php.ini file so maybe it isn't a problem at all to keep my original, unmodified config.php (with the sensitive information in it) in the limesurvey/application/config directory?

Wouldn't that prevent the browser from revealing my MySQL username and password?


PS: Firebug gives me this error when I use the config.php ---> configreal.php approach that doesn't work for me: "Character encoding not declared in html document". Strange... not sure if it is relevant.
Last Edit: 3 years 6 days ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 5 days ago #92074

  • DenisChenu
For testing: always display_error to ON!
Sweden wrote:
Wouldn't that prevent the browser from revealing my MySQL username and password?
Even with display_error to ON, your DB username/password CAN NOT be shown in a browser, except if YOU put echo "mypassword" somewhere...
Your DB username/password are shown only if you rename your PHP file config.php to config.ini (for example).
Last Edit: 3 years 5 days ago by DenisChenu.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 5 days ago #92076

  • Sweden
Thanks Denis,
DenisChenu wrote:
For testing: always display_error to ON!
Yes it should be, but error logging is set to ON.

The strange thing is that, even with display_error = OFF, I can provoke an Internal Server Error in my browser window that reveals my webhost username and information about my website structure. This is clearly NOT a problem caused by LimeSurvey - my php.ini file is located at root and doesn't seem to have any effect on LS, so I'm not sure if I need to add something to all the .htaccess files in the different LS directories in order to make it work?

BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.
Last Edit: 3 years 5 days ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 4 days ago #92081

  • DenisChenu
Sweden wrote:
BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.
Sorry,
I didn't completely test rights limiting with LS.

My DB user has these, limited to this DB:
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE

Denis
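An added example, not part of the original thread or of LimeSurvey's code: a check of one account's SHOW GRANTS output against the privilege list in DenisChenu's post above, flagging anything broader such as "GRANT ALL PRIVILEGES ON". The account name limeuser, the database name limesurvey and the sample lines are constructed.

```python
import re

# Privileges listed in DenisChenu's post above, granted on one database only.
ALLOWED = {
    "SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "INDEX", "ALTER",
    "CREATE TEMPORARY TABLES", "CREATE VIEW", "EVENT", "TRIGGER", "SHOW VIEW",
    "CREATE ROUTINE", "ALTER ROUTINE", "EXECUTE",
}
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.I)


def audit_grants(lines, database):
    """Return findings for the SHOW GRANTS output of one MySQL account."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        scope = m.group("scope").replace("`", "")
        if "WITH GRANT OPTION" in line.upper():
            findings.append(f"GRANT OPTION ON {scope}")
        # Drop column lists such as SELECT (col1, col2) before splitting.
        text = re.sub(r"\s*\([^)]*\)", "", m.group("privs"))
        privs = {p.strip().upper() for p in text.split(",")}
        privs.discard("USAGE")  # USAGE grants nothing
        if not privs:
            continue
        if not scope.startswith(database + "."):
            findings.append(f"outside {database}: {sorted(privs)} ON {scope}")
        elif privs & {"ALL", "ALL PRIVILEGES"}:
            findings.append(f"ALL PRIVILEGES ON {scope}")
        elif privs - ALLOWED:
            findings.append(f"not in list: {sorted(privs - ALLOWED)} ON {scope}")
    return findings


# Constructed sample output; account and database names are placeholders.
BROAD = [
    "GRANT USAGE ON *.* TO 'limeuser'@'localhost'",
    "GRANT ALL PRIVILEGES ON `limesurvey`.* TO 'limeuser'@'localhost'",
]
NARROW = [
    "GRANT USAGE ON *.* TO 'limeuser'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER "
    "ON `limesurvey`.* TO 'limeuser'@'localhost'",
]

if __name__ == "__main__":
    for name, sample in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, audit_grants(sample, "limesurvey") or "ok")
```

Feed it the lines returned by SHOW GRANTS for the LimeSurvey account; an empty result means every grant stays inside the database and inside the listed set.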

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 4 days ago #92090

  • Sweden
That's alright - I got the answer in my other thread here
8 privileges seem to be enough.

I haven't been able to fix the other problem so I will have to use the unmodified config.php file - hope that is okay.

Thanks for your help - LimeSurvey is great and probably much more secure than most similar projects. I just need to secure users' private information as much as possible... that's why I'm paranoid :)
Last Edit: 3 years 4 days ago by Sweden.