This is not the home of dotProject. It is the home of CaseySoftware, LLC. Any dotProject support questions should be referred to their support forums.
It seems like in the past year or so, security has come to the forefront of everyone's mind. Prior to this, most developers and organizations seemed to see it as a "nice to have" instead of a "must have". While I think this naivety hurt the community as a whole, we have the opportunity to redeem ourselves. Therefore, I offer an updated .htaccess for all dotProject users:
A new .htaccess file.
Just download this, place it in the root of your dotProject install, and rename to ".htaccess".*
As I've been looking at improvements to dotProject, I looked at the root of our two security problems and there were two common threads: First, they were both dependent on inappropriate access to files outside the normal structure. Second, they were both dependent on register globals. I don't know of any additional dotProject security issues open at the moment, but I wanted to head them off...
The second issue was resolved a while back. Previously, we encouraged users to turn off register_globals at the PHP level and assumed they did it. Unfortunately, between users who don't have access to their php.ini and users who don't know how to tweak it, this was not foolproof at all. Therefore, Cyberhorse set it to off right here in .htaccess just in case. Half of the hole was closed, but there was still an opportunity for trouble.
As I dug into the problem recently, I decided to look at how other applications dealt with it... and Drupal seemed to do it the best. I ripped apart their model and customized it for how dotProject works and flows. Basically, it is the model of denying everything and then only allowing certain access points into the system. Therefore, now if someone tries to get direct access to individual modules, classes, or any other PHP or SQL files, they're immediately blocked.
Although this is a big step forward, it isn't the end of the process. The security, validation, etc. that happens in the code has to stay, and all of us still have to intelligently apply these and new principles as we go. I already have one additional layer I'd like to add...
* As noted in the htaccess.txt file, if you are using certain tools such as the Task Tracker for the Yahoo Widget Engine, you will have to make adjustments to the second FilesMatch block.
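The deny-everything-then-allow model described above, as an added example that is not the htaccess.txt linked from this post (whose exact contents are not shown here); it assumes Apache 2.2 with mod_php, and that index.php is the only script that must be reachable directly:

```apache
# Deny-by-default .htaccess in the style the post describes
# (hypothetical layout; the linked htaccess.txt may differ).
# Apache 2.2 directives; on 2.4 without mod_access_compat, replace the
# Order/Deny/Allow pairs with "Require all denied" / "Require all granted".

# Never let Apache list directories such as modules/ or classes/.
Options -Indexes

# Close the register_globals hole even when php.ini cannot be edited.
# php_flag only works under mod_php; the IfModule wrapper avoids a
# 500 error when PHP runs as CGI/FastCGI (set it in php.ini there).
<IfModule mod_php5.c>
    php_flag register_globals off
</IfModule>

# 1. Block direct requests for every PHP, include and SQL file.
<FilesMatch "\.(php|inc|sql)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# 2. Re-open only the intended entry point(s). Later FilesMatch blocks
#    override earlier ones, so add a filename here for any tool that
#    must hit a script directly (the Task Tracker case in the footnote).
<FilesMatch "^index\.php$">
    Order allow,deny
    Allow from all
</FilesMatch>

# 3. Keep the htaccess files themselves unreadable from the web.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
```

After installing it, request a module file directly (for example modules/admin/index.php) and confirm a 403, then confirm the normal front page still loads; a 500 instead of a 403 usually means php_flag is not supported by the PHP handler in use.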
Joomla is also cracking down...
In the latest maintenance release, Joomla started to crack down on register_globals usage as well. They have a backwards compatibility mode for older components, but this is going away with the next major release.
Security Improvements
It's good to see various improvements happening throughout the community. It's about time that more people/groups take it seriously.