Safe Mode Requirement

[cheesegrits]

I notice that one of the requirements is "safe mode off." Is this new for 2.1.2, or has this always been a requirement for 'plog? the reason I ask is one of our servers got hacked over the weekend, and it looks like running PHP without safe mode was the culprit. So I'm looking at having to enable safe mode on all my sites. I got a couple of them fixed, uploading attachments still works, etc. Even got vbSEO working in safe mode, with a few changes to .htaccess.

But 'plog is installed on the one site I haven't switched to safe mode yet.

What features of 'plog rely on safe mode being off?

-- hugh

[Morgan]

Safe mode being off has always been a requirement. It's just listed again with the other requirements. IMHO if anyone wants a gallery, storing files in a database or restricted directory isn't the way to go, as it's too much overhead or lacks flexibility. Personally speaking, I don't think PHP not in safe mode was the problem with your server being hacked. It's more likely that it was due to a bad script or old version of something or other. PhotoPlog needs safe mode off to process files. If you take a run through the code, it is unlikely, though not impossible as I'm not perfect, that you will find a tainted variable. If you have mod_rewrite abilities, this has always been a gem to stick in an htaccess file:

Code:

Content visible to registered users only.

[cheesegrits]

Morgan - please feel free to move this into a different thread, I really don't want to clutter up the release thread with safe mode discussions!

Code:

Content visible to registered users only.

As long as GUID mode is selected rather than UID mode, there's really nothing that restrictive about safe mode when it comes to file uploading and manipulation. It's just a case of being careful about directory / file ownership and permissions.

Code:

Content visible to registered users only.

There is some fairly clear evidence in the logs that PHP was the culprit in the attack. I run the ISP where the server is located, so I also have all the router and firewall logs covering that time fram, and they all point to the same cause. What concerns me is that the server in question was a fresh, vanilla install of vB 3.6.2 with CMPS 2.1.2. No hacks, mods or other scripts. So I'm trying to find the time to do a full post-mortem, and if necessary talk to the vB or CMPS folk.

Code:

Content visible to registered users only.

So what does this do / protect against?

-- hugh

[Morgan]

It gives an access denied when http:// is part of a query string.

[cheesegrits]

Code:

Content visible to registered users only.

That might help. It's beginning to look like it may have been a cross site hack between vB and openwebmail running on a different virtual domain.

-- hugh