Phorum 3.0 Security HOW-TO (Apache/Unix specific)

Original Author: Jason Birch
Date: May 12, 1999
Version: 1.0

Contents:

I)   Introduction
II)  Dedicated Server Security
     1) change the config file's extension
     2) deny access to the file via .htaccess
     3) move the file outside the web tree
III) Shared Server Security
     1) running the scripts under your userid
     2) setting appropriate file access permissions
IV)  Securing the Administrator Script
     1) restricting access by filename
     2) moving the admin script to a secure directory
V)   Conclusion


I) Introduction:

These instructions are not meant to be a replacement for a good understanding of web security. They will allow you to set up a reasonably secure Phorum install, but do not count on them to cover everything. Take responsibility for the integrity of your web site: learn the security basics, and remember that a little paranoia is a good thing.

It is important to implement some form of security measures around your Phorum installation. Without them, a malicious user could break into your Phorum and change or delete it.

The basic problem is that on Unix machines the web server usually runs as "nobody", but the Phorum scripts it executes need to read and write the Phorum configuration file, which is generally owned by a real user. The only way a script running as "nobody" can read and update that file is if the owner grants world read-write permissions on it. As you might imagine, this opens several security holes which need to be plugged. There are several ways of doing so, depending on whether you are running Phorum on a dedicated server or a shared server (i.e. one where other users have access to your directories via telnet or FTP, or can run their own scripts under the same web server).

Another potential security hole is a user guessing your password by repeatedly loading the admin.php3 script. Restricting access to your administrative functions is something that should be done regardless of what type of server you are on.
As well as securing your installation, you should also prepare for the worst. If possible, place all of your Phorum tables in a separate database created exclusively for this purpose, and give it a different username and password than your other databases. If this is done, the worst that can happen if your security is breached is that you lose your Phorum (you are making regular backups, aren't you?). Otherwise you might lose valuable business data (such as traffic counts) or even your entire site if you are generating it dynamically.

Apache-specific examples of implementing a decent level of security are included below. If you are not running Apache, read them as a starting point for implementing similar measures on your server. Most of the examples assume that you have access to directory-level server directives via an .htaccess file (i.e. AllowOverride is not set to None for your directory). If you do not, you should fix it (if you can) or consider moving to a server that does.


II) Dedicated Server Security

If trusted local users are the only ones who have login access to your server via telnet/ftp/etc., then securing your Phorum install is a relatively simple task. You only need to make sure that the web server will not serve your configuration files directly. If a web user types "http://yourserver.com/Phorum/forums.inf" into a browser, the file must not be displayed: among other things, it holds your database username and password. There are (at least) three ways of doing this:

1) Rename the config file with an extension that is parsed by PHP.

This could be .php3, .php, .phtml, or another extension depending on your server setup. The drawback is that if for some reason the server stops handing those extensions to the PHP parser, the file becomes directly readable. This probably won't matter much to you at the time because your Phorum install will be severely broken, but users could read your configuration easily and wait for your Phorum to come back up.
If you do this, you will need to change the lines in common.inc that read:

$inf_file="$inf_path"."forums.inf";
$inf_back="$inf_path"."forums.bak.inf";

to:

$inf_file="$inf_path"."forums.inf.php3";
$inf_back="$inf_path"."forums.bak.php3";

where "forums.inf.php3" and "forums.bak.php3" carry whatever extension you decided on.

2) Deny access to the files using server directives placed in a file called ".htaccess" (or whatever your provider has renamed it to) in the Phorum install directory. It should contain:

<Files forums.inf>
Order Deny,Allow
Deny From All
</Files>

<Files forums.bak.inf>
Order Deny,Allow
Deny From All
</Files>

Place similar blocks in the file for any other sensitive configuration files. This suffers from a drawback similar to option 1: if for some reason you lose .htaccess privileges, your files are again readable from the browser, and this time your Phorums will keep working as if nothing is wrong, so you may not notice. After any server change, check by requesting the file in a browser; you should get a "403 Forbidden" response.

3) Move the configuration files outside the web tree, for example into your home directory. This level of security is all that is required on a dedicated server, and can be done in two steps:

a) Create a directory outside of your web tree and give it permissions that let both you and the web server read, write and search it (chmod 707; if you don't know what this means, read the chmod man page by typing "man chmod" at the Unix prompt), e.g.

cd ~
mkdir .Phorum
chmod 707 .Phorum

Note that 707 lets any local user or any script run by the web server write to the directory, which is exactly why this option is only adequate on a dedicated server with trusted users.

b) Modify the file common.inc in the Phorum install directory, changing the $inf_path variable (near the bottom):

$inf_path="/your/home/directory/.Phorum/";


III) Shared Server Security

If you want to run Phorum on a shared server, you absolutely need to wrap the scripts... unless, of course, your provider already makes all of your scripts run as your userid (for example via suEXEC or a CGI wrapper). In that case, skip the wrapping step and simply apply the permissions from section III.2 below. You may also want to ensure that the inf files are written as mode 600 by adding the line "umask(0077);" near the beginning of the function writefile() in the admin.php3 script.
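Before going on to wrapping, here is the dedicated-server procedure of section II.3 (create the directory outside the web tree, chmod 707, re-point $inf_path in common.inc) collected into one script, with the check the text leaves implicit: that the chosen directory really resolves to somewhere outside the DocumentRoot. This is an added example, not code from the original HOW-TO or from Phorum; the function names, the stand-in common.inc and the constructed directory tree are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original HOW-TO or from Phorum: carry out
# section II.3 (move the inf files outside the web tree) with the one check
# the text leaves implicit: the new directory must not resolve to a place
# under the DocumentRoot, or the move buys nothing.
# Assumptions (mine): common.inc contains exactly one line of the form
#   $inf_path="...";
# and no path involved contains '|' or '&' (used/special in the sed below).

# phorum_move_inf DOCROOT INSTALL_DIR INF_DIR
#   Creates INF_DIR with mode 707 as the text prescribes, refuses if it lies
#   inside DOCROOT, and points $inf_path in INSTALL_DIR/common.inc at it.
phorum_move_inf() {
    docroot=$1 install=$2 inf_dir=$3
    common="$install/common.inc"
    [ -f "$common" ] || { echo "no common.inc in $install" >&2; return 1; }

    mkdir -p "$inf_dir" || return 1
    # Resolve symlinks on both sides before comparing: a ~/.Phorum that is a
    # symlink back into the web tree would fool a plain string comparison.
    root=$(cd "$docroot" && pwd -P) || return 1
    real=$(cd "$inf_dir" && pwd -P) || return 1
    case "$real" in
        "$root"|"$root"/*)
            echo "refusing: $real is inside the web tree $root" >&2
            rmdir "$inf_dir" 2>/dev/null || true
            return 1 ;;
    esac

    # 707: you and the web server ("nobody") get rwx, your group gets nothing.
    chmod 707 "$inf_dir" || return 1

    # Rewrite the $inf_path line, keeping a .bak of common.inc. Output goes to
    # a temp file and is moved into place; 'sed -i' differs between GNU and BSD.
    cp "$common" "$common.bak" || return 1
    sed "s|^\\\$inf_path=.*|\$inf_path=\"$real/\";|" "$common" > "$common.tmp" \
        && mv "$common.tmp" "$common" || return 1
    # Confirm the edit landed: exactly one $inf_path line, pointing at $real.
    [ "$(grep -c "^\\\$inf_path=\"$real/\";" "$common")" -eq 1 ] \
        || { echo "common.inc rewrite failed" >&2; return 1; }
}

# phorum_inf_path_line COMMON_INC : print the current $inf_path line.
phorum_inf_path_line() {
    grep '^\$inf_path=' "$1"
}

# make_fixture DIR : a constructed tree (web root, Phorum install with a
# stand-in common.inc, home directory) for exercising the function.
make_fixture() {
    mkdir -p "$1/www/Phorum" "$1/home"
    cat > "$1/www/Phorum/common.inc" <<'EOF'
<?php
// constructed stand-in for the bottom of Phorum's common.inc
$inf_path="./";
$inf_file="$inf_path"."forums.inf";
$inf_back="$inf_path"."forums.bak.inf";
?>
EOF
}

# Demonstration on the constructed tree; nothing outside $tmp is touched.
tmp=$(mktemp -d)
make_fixture "$tmp"
# Wrong: a subdirectory of the install is still reachable over HTTP.
if phorum_move_inf "$tmp/www" "$tmp/www/Phorum" "$tmp/www/Phorum/conf"; then
    echo "BUG: in-tree directory accepted"
fi
# Right: a hidden directory under the home directory, outside the web tree.
phorum_move_inf "$tmp/www" "$tmp/www/Phorum" "$tmp/home/.Phorum" \
    && phorum_inf_path_line "$tmp/www/Phorum/common.inc"
rm -rf "$tmp"
```

Run it as the account that owns the Phorum install. The refusal branch is exercised first on purpose so you can see it fire; resolving both paths with `pwd -P` is what makes that branch trustworthy when home directories or the DocumentRoot contain symlinks.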
What "wrapping" means is having the .php3 scripts executed under your userid instead of the web server's default "nobody". The reason is that, no matter how well you hide the config files (e.g. in a directory that's chmod 711), any other user on your server can create a script that the web server runs as "nobody", and that script can read, alter or remove your config files just as your own Phorum scripts do. This is especially bad on a shared server because the config file also gives that user your database password which, in many cases, lets them mess with more than just your Phorum tables.

On a shared server, your provider should be "providing" you with a secure and PHP-friendly script wrapper. If they are not, you should either not run scripts like Phorum that read and write files containing passwords, or move to another provider.

1) Wrapping the scripts:

With Apache, it is moderately easy to wrap your PHP scripts, and you don't even need to change the script extensions. You do, however, need to have a copy of the CGI version of PHP3 available in your cgi-bin directory. First set up an AddType in the .htaccess file which resides in your Phorum install directory. This setting overrides the server's default handling of .php3:

AddType application/x-httpd-wphp php3

And then set up an Action for this new type:

Action application/x-httpd-wphp /cgi-sys/php-cgiwrap/username/php3.cgi

Here php-cgiwrap is the wrapper script, and it runs the PHP parser with user permissions in the specified user's cgi-bin directory (the exact path is set by your provider). Verify that the wrapper is actually in effect before relying on it: a throwaway script that runs the Unix "id" command through PHP's system() function should report your uid, not nobody's. As in the previous section, ensure that the inf files are written as mode 600 by adding the line "umask(0077);" near the beginning of the function writefile() in admin.php3.

2) Setting appropriate permissions:

All files except .htaccess and the images directory (which the web server needs to read directly, as "nobody") should be chmod 600. The .htaccess file should be chmod 604, and the images directory should be chmod 705. The files in the images directory can be chmod 604.
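The permission scheme of section III.2, as an added example that is not code from the HOW-TO or from Phorum: a shell function that applies the modes above to a wrapped install, and an audit that reports anything still readable or writable by "nobody" or by your group. The function names, the constructed sample install and the 701 mode on the install directory itself are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original HOW-TO or from Phorum: apply the mode
# scheme of section III.2 to a wrapped install, then audit it for anything a
# script running as "nobody" (or another user in your group) could still read
# or write. Keep the audit and run it after every upload: FTP clients and
# editors happily re-create files as 644 or 666.
# Assumptions (mine): the layout the text describes, a flat install directory
# of .php3/.inc/.inf files plus .htaccess and an images/ subdirectory. Mode 701
# on the install directory itself is my addition: Apache needs search
# permission to reach .htaccess and images/, but no listing rights.

# phorum_lockdown INSTALL_DIR : the modes from section III.2.
phorum_lockdown() {
    dir=$1
    # Scripts and inf files are read by the wrapped PHP, i.e. by you: 600.
    find "$dir" -name images -prune -o -type f ! -name .htaccess -exec chmod 600 {} +
    # Apache itself (as "nobody") must read .htaccess and serve the images.
    [ -f "$dir/.htaccess" ] && chmod 604 "$dir/.htaccess"
    if [ -d "$dir/images" ]; then
        chmod 705 "$dir/images"
        find "$dir/images" -type f -exec chmod 604 {} +
    fi
    chmod 701 "$dir"
}

# phorum_audit_lines INSTALL_DIR : one line per finding.
#   WORLD-WRITABLE  any file or directory: a script run as "nobody" for another
#                   user could replace your scripts or config (section III).
#   GROUP-ACCESS    group read or write on a file: on many shared hosts every
#                   account shares one group.
#   WORLD-READABLE  a file other than .htaccess or an image: the inf files
#                   hold the database password.
# A 707 inf directory from section II.3 would rightly show up here; that
# setup is for dedicated servers only.
phorum_audit_lines() {
    dir=$1
    find "$dir" -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
    find "$dir" -type f \( -perm -040 -o -perm -020 \) -exec printf 'GROUP-ACCESS %s\n' {} \;
    find "$dir" -name images -prune -o -type f ! -name .htaccess -perm -004 \
        -exec printf 'WORLD-READABLE %s\n' {} \;
}

# phorum_audit INSTALL_DIR : print findings; return 0 if clean, 1 otherwise.
phorum_audit() {
    out=$(phorum_audit_lines "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# make_install DIR : constructed upload of a Phorum install, all 644/755 the
# way an FTP client typically leaves it (file names from the HOW-TO plus a
# stand-in index.php3 and image).
make_install() {
    mkdir -p "$1/images"
    for f in index.php3 admin.php3 common.inc forums.inf forums.bak.inf .htaccess; do
        : > "$1/$f"
        chmod 644 "$1/$f"
    done
    : > "$1/images/logo.gif"
    chmod 644 "$1/images/logo.gif"
    chmod 755 "$1" "$1/images"
}

# Demonstration on a constructed tree; nothing outside $tmp is touched.
tmp=$(mktemp -d)
make_install "$tmp/Phorum"
echo "--- fresh upload:"
phorum_audit "$tmp/Phorum" || true
phorum_lockdown "$tmp/Phorum"
echo "--- after lockdown:"
phorum_audit "$tmp/Phorum" && echo "clean"
rm -rf "$tmp"
```

Run the audit after every re-upload, not just once. It deliberately flags group bits as well as world bits: the text's modes (600/604/705) leave the group with nothing, and on a shared host where all customers sit in one group, "group readable" means "readable by everyone with an account".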
The beauty of this method is that no matter what happens to the web server configuration, your files cannot be accessed by anyone but you or a script running as you.


IV) Securing the Admin Script

You can restrict access to your admin.php3 script in one of two ways. They are equally effective; choose the one you prefer. These examples assume that you have set up web user accounts in a directory called "webaccess" off your home directory. This can be done using the htpasswd utility (man htpasswd for instructions). The passwd and passwd.group files must be readable by the web server (chmod 604) so that it can check authorizations. The passwords are stored hashed, but do not place the files in your web tree to tempt password crackers. Also remember that Basic authentication sends the username and password in the clear (Base64 encoded, not encrypted) with every request, so anyone able to sniff the connection learns your admin password unless the site is served over SSL.

1) Restrict access based on filename. Place the following lines in the .htaccess file in your Phorum install directory; the <Files> block limits the requirement to admin.php3, so the rest of the Phorum stays open to your readers:

<Files admin.php3>
AuthUserFile /usr/users/yourname/webaccess/passwd
AuthGroupFile /usr/users/yourname/webaccess/passwd.group
AuthName "Phorum administration"
AuthType Basic
require group admin
</Files>

2) Move the admin script to a password-protected directory.

a) Place the following lines in the new directory's .htaccess file:

AuthUserFile /usr/users/yourname/webaccess/passwd
AuthGroupFile /usr/users/yourname/webaccess/passwd.group
AuthName "Phorum administration"
AuthType Basic
require group admin

b) Modify the path to the config files in the admin.php3 script. Change:

include "./common.inc";

to:

include "/path/to/Phorum/install/common.inc";

c) Make sure to specify the correct value for the "forum URL" in the admin screen.

Whichever option you choose, test it: request admin.php3 without credentials and confirm that the server answers "401 Authorization Required" instead of showing Phorum's own password screen.


V) Conclusion

I hope that this document has given you some understanding of how to secure your Phorum install. After reading this document and implementing all the steps recommended in it, your Phorums will be as secure as I know how to make them. However, there may be something that I am missing. You should make the effort to learn about web security for yourself and, if you find any mistakes in this document, please forward them to me for correction.