Instructions on "Installation security hints" do not seem to apply to version 2!

4 years 1 month ago - 4 years 1 month ago #92060 by Sweden
Thanks for your suggestion Denis - isn't your command similar to using echo "test"? I have already done that and I do get the "test" message - meaning that my configreal.php file is being found by config.php.

I just tried to see if I could replicate this issue on my local version of LimeSurvey and it is the same here - I get a blank screen.

I found this thread and this other user had the same problem. Are you saying that it works on your LimeSurvey installation? What version are you using? I'm using Version 2.00+ Build 130122.
Last Edit: 4 years 1 month ago by Sweden.

4 years 1 month ago - 4 years 1 month ago #92061 by DenisChenu
Always the last GIT version, but this was unchanged.

Do you have access to the error log of the server?

Denis

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
Last Edit: 4 years 1 month ago by DenisChenu.

4 years 1 month ago #92062 by Sweden
It is strange that it works on your installation - the person in the thread I was linking to had the same problem.... and I can't get it to work on either my online or my local version of LimeSurvey... I wonder what could be wrong.

Should I give up, and use something else than LimeSurvey (I would be sad about that), or is there anything else I could try?

4 years 1 month ago - 4 years 1 month ago #92063 by DenisChenu

Sweden wrote: Should I give up, and use something else than LimeSurvey (I would be sad about that), or is there anything else I could try?

I already asked:
- Do you have access to your error log?

2nd part: you can leave LS if you want, not my problem, but for your information:
- All survey systems need a connection string
- A lot of survey systems leave the connection string in the same directory as LS
- LS security risks are fixed 48 hours or less after being found.

And again, it's not a security risk here....

Denis
PS: another config here: demonstration.sondages.pro/config.php
Try to view the DB settings: no way, and no change from 1.92. Apache doesn't show it, it's PHP....

Last Edit: 4 years 1 month ago by DenisChenu. Reason: PS

4 years 1 month ago - 4 years 1 month ago #92066 by Sweden
Thanks Denis,

I know it isn't your problem, I'm not blaming anyone, but please understand that I can't have a system that may reveal my MySQL database user + password so someone can mess with my data without my knowledge. LS security instructions mention that this could be the result, which is why I am worried.
I don't know anything better than LimeSurvey - that is why I hope I can fix this problem ;)
If you can make it work on your server then clearly it is a problem on my side and something that I should be able to fix.

I'm not sure where the error log is located. It doesn't generate any error in the error_log located in the limesurvey directory. cPanel has an error log that shows the last 300 errors but there isn't any error at all. Anywhere else I could look?

Thanks again - I really appreciate your help.
Last Edit: 4 years 1 month ago by Sweden.

4 years 1 month ago - 4 years 1 month ago #92068 by Sweden
I have turned off "display_errors" in my php.ini file so maybe it isn't a problem at all to keep my original, unmodified config.php (with the sensitive information in it) in the limesurvey/application/config directory?

Wouldn't that prevent the browser from revealing my MySQL username and password?


PS: Firebug gives me this error when I use the config.php ---> configreal.php approach that doesn't work for me: "Character encoding not declared in html document". Strange... not sure if it is relevant.
Last Edit: 4 years 1 month ago by Sweden.

4 years 1 month ago - 4 years 1 month ago #92074 by DenisChenu
For testing: always set display_errors to ON!

Wouldn't that prevent the browser from revealing my MySQL username and password?

Even with display_errors ON, your DB username/password CANNOT be shown in a browser, except if YOU put echo "mypassword" somewhere....
Your DB username/password are shown only if you rename your PHP file config.php to config.ini (for example).

Last Edit: 4 years 1 month ago by DenisChenu.
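As an added example (not code from this thread or from LimeSurvey itself), here is a config.php that loads the real settings from a file kept outside the web root and reports a missing or malformed file to the server error log instead of producing a blank page. Assumptions: LimeSurvey 2's config.php is expected to return an array with a components/db entry, the configreal.php path is invented for the example, and configreal.php itself must `return` that array.

```php
<?php
// Added example config.php, not LimeSurvey's own file.
// The credentials live in configreal.php one directory above the web root
// (path assumed for this example), so the web server never serves them.
$realConfig = dirname(__FILE__) . '/../../../configreal.php';

// Stop with a generic message if the file cannot be read. Only the path goes
// to the error log; the credentials themselves are never logged or echoed.
if (!is_readable($realConfig)) {
    error_log('LimeSurvey: configreal.php not readable at ' . $realConfig);
    header('HTTP/1.1 500 Internal Server Error');
    exit('Configuration error. Check the server error log.');
}

// include returns whatever configreal.php returns. If that file forgot the
// "return" statement, include yields int(1) rather than an array, which with
// display_errors=Off shows up as exactly the blank screen described above.
$config = include $realConfig;

if (!is_array($config) || !isset($config['components']['db'])) {
    error_log('LimeSurvey: configreal.php did not return the expected config array');
    header('HTTP/1.1 500 Internal Server Error');
    exit('Configuration error. Check the server error log.');
}

// Hand the array back to LimeSurvey exactly as the original config.php would.
return $config;
```

The matching configreal.php contains only `<?php return array('components' => array('db' => array(...)));` with the same keys the original config.php used; a quick `php -l configreal.php` on the server catches syntax errors before they surface as a blank page.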

4 years 1 month ago - 4 years 1 month ago #92076 by Sweden
Thanks Denis,

For testing: allways display_error to ON !

Yes it should be, but error logging is set to ON.

The strange thing is that, even with display_errors = OFF I can provoke an Internal Server Error in my browser window that reveals my webhost username and information about my website structure. This is clearly NOT a problem caused by LimeSurvey - my php.ini file is located at root and doesn't seem to have any effect on LS, so I'm not sure if I need to add something to all the .htaccess files in the different LS directories in order to make it work?

BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.
Last Edit: 4 years 1 month ago by Sweden.

4 years 1 month ago #92081 by DenisChenu

Sweden wrote: BTW: Do you know which MySQL privileges I should give to LimeSurvey? I have "GRANT ALL PRIVILEGES ON" but would prefer the minimum needed. I have another thread about this but the answer I got didn't work.

Sorry,
I didn't completely test the right limiting with LS.

My DB user has these privileges, limited to this DB:
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE

Denis

4 years 1 month ago - 4 years 1 month ago #92090 by Sweden
That's alright - I got the answer in my other thread here
8 privileges seem to be enough.

I haven't been able to fix the other problem so I will have to use the unmodified config.php file - hope that is okay.

Thanks for your help - LimeSurvey is great and probably much more secure than most similar projects. I just need to secure users private information as much as possible... that's why I'm paranoid :)
Last Edit: 4 years 1 month ago by Sweden.
