fafakan, Posted May 5, 2011

Hello, Cheers

edit: PM sent to Nabeel and removed this post.

TAV1702, Posted May 6, 2011

Hi fafakan. Welcome to the forum. Please have a look at this. http://forum.phpvms.net/topic/3266-securing-directories/page__hl__%2Bsecuring+%2Bfiles

Please edit your post and get rid of that link. I would just send Nabeel a quick PM instead. Anyone browsing the forums can see that and a BUNCH of sites would be gone overnight. I have already got rid of the ftp info on my files.

TAV1702, Posted May 6, 2011

Thanks for editing that and thanks for pointing that out.

Nabeel (Administrators), Posted May 6, 2011

This would be an FSFK problem as well; anyone who has access to that URL would be able to download that config file, whether through phpvms or through the fsfk scripts. I'm hoping that VA owners made a restricted username/password for, and didn't use their main FTP user/password.

TAV1702, Posted May 6, 2011

Thanks for pointing that out, Nabeel. I never even thought of using a restricted account to begin with. Now we all know. Lessons learned.

mark1million (Moderators), Posted May 6, 2011

I don't use it as it's too much of a security risk in my opinion.

fafakan (Author), Posted May 6, 2011

Hi, I've temporarily solved the problem. How did I do it? I've changed the name of the module FSFK and made the required changes in FSFK.php, fsk_xxxxxx.tpl's and profile_main.tpl. Thus now the links can only be known by registered users (no more standard links).

Cheers

Nabeel (Administrators), Posted May 6, 2011

I've added a note in the app.config and the generated local.config noting that those should be an FTP user/pass which is used only for that and has only access to that directory.

fafakan (Author), Posted May 6, 2011

Hi, here is another problem: you can send PIREPs with FS Flight Keeper (software) to the site and these PIREPs are accepted without password and/or username. Why is a username with a password not required? Normally you can enter userID and password in the FS Flight Keeper (Pilot Edit), but why is it not used when sending the PIREPs?

Cheers

Nabeel (Administrators), Posted May 6, 2011

> Hi, here is another problem: you can send PIREPs with FS Flight Keeper (software) to the site and these PIREPs are accepted without password and/or username. Why is a username with a password not required? Normally you can enter userID and password in the FS Flight Keeper (Pilot Edit), but why is it not used when sending the PIREPs?
>
> Cheers

I elected not to do that because the usernames/passwords are transferred over plain-text. If there's a fake PIREP sent in, an admin can reject it, but if there's a snoop or something, then the username/password can't be sniffed out. Also, I believe the username and password are stored in the config - the password is encrypted, and there's no way of getting the plain-text version back, so I can't gen/add that in.