PhotoPost PHP Pro 7.01 Security Questions

DHewes · January 15th, 2010, 08:00 PM

I am brand new to Photopost. Just installed a new vBulletin 4.0.1 Full CMS website, purchased and am now installing PhotoPost PHP Pro 7.01. It does not appear to be a huge challenge (though I am just now FTPing the files) but the documentation is clearly written for a previous version. (At least it exists, most of the vB stuff doesn't yet). My question is about security. While there is mention in the online docs of what to CHMOD everything, there is very little mention of what files/folder can be deleted (or never uploaded). For example, there is no reason in the world that the documentation folder needs to be on the server., though this is never mentioned in the documentation. Has anyone complied a list of every file/folder that can just be deleted after a successful install? Any post-install CHMOD's to restrict access? Any folders that I can safely password protect that will not affect functionality?

I have been hit too hard too many times in the past and always due to a script (usually Subdreamer) that had a hole - and just doing everything I can this time to prevent that. I would greatly appreciate any advice anyone has.

Chuck S · January 15th, 2010, 08:24 PM

You dont need to upload documentation sure but everything else as noted needs to be uploaded as in the install instructions.

I beleive the install documentation clearly defined the files you want to remove basically install.php and upgrade.php everything else stays.

PhotoPost PHP Photo Sharing Photo Gallery Installation Guide

DHewes · January 15th, 2010, 08:37 PM

Also, in the configuration after the fact, can things like the upload directory be located ABOVE the web document root, like with the attachments directory in vB itself, to prevent access?

Chuck S · January 15th, 2010, 08:39 PM

You can try that although personally I have never tried that since its merely a tmp directory that only houses files while they are being processed.

DHewes · January 15th, 2010, 08:43 PM

Chuck - not a big deal, but actually there is no mention to remove the upgrade.php file when doing a clean install, nor is the documentation folder ever mentioned. Both of these were fairly obvious, but if you update your docs, its something to note. Also there is no note to change permissions back to 644 on teh config-inc.php and config-int.php files. I am assuming that there is no way in he** you want these left at 777 (change only if changing the settings).

However, I would like to note that the install was very easy and went very smoothly.

Chuck S · January 15th, 2010, 10:42 PM

Quote:

PhotoPost installation is now complete. Be sure you remove your install.php file (and the various upgradeXX.php/.sql)files) from your server's PhotoPost directory to prevent malicious users from altering your PhotoPost settings.

Interesting I see this right in the install page I linked you.

Actually the config files in the instructions state to make writable which is 666 not 777 and if you have any need to edit config settings in the admin panel you want these at 666 but otherwise 644 is fine.