Hello Elpidio Latorilla,

Finally :-) Well done. Congratulations. I have long been waiting for such a tool.

You wrote:

EL> I am proud to announce the availability of a real Plugins System for Care2x
EL> with working plugin packages for download.

Some little administration tips.

Prepare your Apache webserver. Open a terminal.

    # vi /etc/httpd/httpd.conf

Include the following line in httpd.conf:

    Include /etc/httpd/httpd.care2x.conf

Save it.

    # vi /etc/httpd/httpd.care2x.conf

    #
    # This is the default file for the care2xhosts directive in httpd.conf.
    # It is processed after httpd.conf
    #
    # To avoid confusion, it is recommended that you put all of your
    # Apache server directives (with care2x) into this file and leave this
    # one essentially empty.
    #
    <Directory "/srv/www/htdocs/care2x/html">
        Options -Indexes +FollowSymLinks +Includes
        DirectoryIndex index.php
        php_admin_value open_basedir /srv/www/htdocs/care2x/html:/srv/www/htdocs/care2x/
        php_admin_flag safe_mode Off
    </Directory>

    <Directory "/srv/www/htdocs/care3x/html">
        Options -Indexes +FollowSymLinks +Includes
        DirectoryIndex index.php
        php_admin_value open_basedir /srv/www/htdocs/care3x/html:/srv/www/htdocs/care3x/
        php_admin_flag safe_mode Off
    </Directory>

Save the file and don't forget to restart your webserver.

Why do this?

You can download the necessary files with wget into your /temp folder and extract them to your htdocs folder. Inside the html folder there is nothing. Give the config files a secret place. Only place symbolic links here, following the concept you need. Exclude FTP upload for the html folders of your care2x web. Check the rights with chown and chmod. The rest you can do with bind.

Download the plugins somewhere; /usr/local/ will be a good place. Do the same with symbolic links and point them to the right place.

Elpidio suggests trying the packaging with SquirrelMail. I don't think it's a really good idea to do that in real live environments.

24.May.2004
http://www.securityfocus.com/archive/1/363997/2004-05-18/2004-05-24/0

The bugtraq security list is full of announcements. Some info for German readers:
http://www.heise.de/newsticker/meldung/43203

This plugin concept seems very similar to the phpnuke/postnuke module concept. But really, I didn't check it, because I am not a programmer. If I google it, I see 30000 findings. This tells me: be careful.

http://www.securityfocus.com/bid/6465/info/ - From denial of service attacks to the possibility of bringing malware inside. Mostly it's known that script kiddies use root exploits and take over the server.

Anyway, using the new plugin concept in that way seems to me a high risk. Not because of Care2x alone. See this info about care2x from 2002:
http://seclists.org/lists/bugtraq/2002/Jul/0128.html

But the advantage on the other side is high: You can use it if you have a good security concept as well as risk management and maybe a good sysadmin. Lots of work for consultants :-)

With symbolic links you have much higher security. Updates are an easy walk. Download new versions and simply set some symbolic links. Ready. Up- and downgrades are done in 2 minutes. And you can use nearly every application as a plugin, because you are really independent of the plugin folder.

Ahhh, don't close your eyes and say we are doing it in an intranet.

-- 
regards
Wilfried Goedert
mailto:[EMAIL PROTECTED]
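An added example, not part of the original mail: a sketch of the symlink layout described above, with a check that each link in the html folder still resolves inside the open_basedir list from the Apache snippet. PHP resolves symbolic links before applying open_basedir, so a link pointing at /usr/local/ is refused unless that path is added to the list. The function names are hypothetical and GNU coreutils (`readlink -f`, `mv -T`) is assumed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, GNU coreutils assumed.

# in_basedir PATH BASEDIRS
# BASEDIRS is a colon-separated list, as in open_basedir. Returns 0 when the
# resolved PATH is one of the entries or lies below one. Entries are matched
# as directories, so ".../html" does not cover ".../html_evil".
in_basedir() {
    real=$(readlink -f -- "$1") || return 1
    old_ifs=$IFS; IFS=:
    for base in $2; do
        [ -n "$base" ] || continue
        base=$(readlink -f -- "$base") || continue
        case "$real/" in
            "$base"/*) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# links_outside DOCROOT BASEDIRS
# Prints every symlink below DOCROOT whose resolved target is outside
# BASEDIRS, i.e. the links PHP would refuse to follow under open_basedir.
links_outside() {
    find "$1" -type l | while IFS= read -r link; do
        in_basedir "$link" "$2" ||
            printf '%s -> %s\n' "$link" "$(readlink -f -- "$link")"
    done
}

# switch_link LINK TARGET
# Points LINK at TARGET by renaming a temporary link over the old one, so an
# up- or downgrade never leaves the plugin folder missing for a request.
switch_link() {
    tmp="$1.new.$$"
    ln -s -- "$2" "$tmp" && mv -T -- "$tmp" "$1"
}
```

Run `links_outside /srv/www/htdocs/care2x/html "<open_basedir value>"` after each link change; any line it prints is a plugin link that needs either a different target or an extra open_basedir entry.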

