security FW site access denied for Resources and so on.

Every FW site has a directory called Resources usually to be found on root. It is fairly easy to access it by typing in: website/Resources.
Not only this directory, but all other folders created by Actions are reachable.

Why does not Softpress build in a file index.html with this content in Resources and all Action folders in order to prohibit access?
Or is it just me that thinks it is a potential security risk to have folders open?

<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<p>Directory access is forbidden.</p>
</body>
</html>

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

I wouldn’t say it is a security risk although if you have content in these directories that you want to limit access to (PDFs, music etc) then denying directory access is always a good idea.
One of the features I added to the Image Guardian Action (http://d.pr/RM4T) was to automatically add a similar index file to the current Resources folder for the page so that you can’t easily locate and download content this way.
Personally I would suggest limiting access using an htaccess file as it is usually both quick and easy to do either manually or via your cPanel.
Regards,
Tim.

On 3 May 2013, at 12:38, atelier wrote:

Why does not Softpress build in a file index.html with this content in Resources and all Action folders in order to prohibit access?
Or is it just me that thinks it is a potential security risk to have folders open?


FreewayActions.com - Freeware and commercial Actions for Freeway Express & Pro - http://www.freewayactions.com


Personally… as a matter of course I would advise you to add an index.html file to any directory on your hosting account that does not already have one (index.html, index.htm or index.php), directories like php, css, js etc. etc. I generally create a generic one that I use site wide and copy to any new sites I have that sends the browser to the domain and so loads the default home page. I have always looked at this as why would someone want to see what’s there? So it keeps prying eyes out of places they shouldn’t really be :wink:

On May 3, 2013, at 1:38 PM, atelier wrote:

Every FW site has a directory called Resources usually to be found on root. It is fairly easy to access it by typing in: website/Resources.
Not only this directory, but all other folders created by Actions are reachable.

Why does not Softpress build in a file index.html with this content in Resources and all Action folders in order to prohibit access?
Or is it just me that thinks it is a potential security risk to have folders open?

<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<p>Directory access is forbidden.</p>
</body>
</html>


> Personally I would suggest limiting access using an htaccess file as it is usually both quick and easy to do either manually or via your cPanel. Regards, Tim.

Some hosters do not let you do htaccess unfortunately. But you are right, absolutely the best solution.


Ok, after I told the support agent what I thought of his support ‘in a nice way’ he has finally responded with some interest in the questions I asked him rather than the stupid robotic replies that had no reference to my questions, so…

  1. Yes GoDaddy allow 3rd party scripts for sending contact forms to be used on their hosting accounts.
  2. Yes GoDaddy allow the use of the coding that easiForm uses to send emails.
  3. Yes they definitely support ioncube on their Linux hosting accounts.

So this means that nothing has changed and your easiForms using the CAPTCHA is permitted, just a case now of your support request to find out why the php5.ini file on your server does not activate ioncube.

Regards,
Mike

On May 3, 2013, at 6:13 PM, atelier wrote:

> Personally I would suggest limiting access using an htaccess file as it is usually both quick and easy to do either manually or via your cPanel. Regards, Tim.

Some hosters do not let you do htaccess unfortunately. But you are right, absolutely the best solution.



Sorry, not sure how this ended up going here :wink:

On May 3, 2013, at 7:25 PM, Mike B wrote:

Ok, after I told the support agent what I thought of his support ‘in a nice way’ he has finally responded with some interest in the questions I asked him rather than the stupid robotic replies that had no reference to my questions, so…

  1. Yes GoDaddy allow 3rd party scripts for sending contact forms to be used on their hosting accounts.
  2. Yes GoDaddy allow the use of the coding that easiForm uses to send emails.
  3. Yes they definitely support ioncube on their Linux hosting accounts.

So this means that nothing has changed and your easiForms using the CAPTCHA is permitted, just a case now of your support request to find out why the php5.ini file on your server does not activate ioncube.

Regards,
Mike

On May 3, 2013, at 6:13 PM, atelier wrote:

> Personally I would suggest limiting access using an htaccess file as it is usually both quick and easy to do either manually or via your cPanel. Regards, Tim.

Some hosters do not let you do htaccess unfortunately. But you are right, absolutely the best solution.



Not only this directory, but all other folders created by Actions are reachable.

On my servers - and on most industry standard linux/unix servers - there is a feature called Index Manager.

The Index Manager allows you to customize the way a directory will be viewed on the web. You can select between a default style, no indexes, or two types of indexing. If you do not wish for people to be able to see the files in your directory, choose “No Indexing”.

So a simple setting will determine whether or not visitors can see the contents of your Directories.

My default is No Indexing. I would encourage others to do the same.

David


This is useful knowledge. Thank you very much.
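Added example, not part of the original thread: a shell script that applies the advice given above to a local copy of a site before upload, listing every folder that has no index.html, index.htm or index.php and optionally dropping the placeholder page from the first post into each one. The function names and the `--fix` switch are made up for this example, and it assumes the site folder is available on the machine where the script runs.

```shell
#!/bin/sh
# Added example: find folders in a local site copy that have no index file
# (index.html, index.htm or index.php) and would therefore be listed by a
# web server that has directory indexing switched on.
# Usage (hypothetical): sh audit_index.sh SITE_DIR [--fix]

# The placeholder page quoted in the first post of the thread.
placeholder_html() {
    printf '%s\n' '<html>' '<head>' '<title>403 Forbidden</title>' '</head>' \
        '<body>' '<p>Directory access is forbidden.</p>' '</body>' '</html>'
}

# Print every directory under $1 that contains none of the three index files.
# sort reads the whole list before printing, so files added later by
# add_placeholders cannot disturb the directory walk.
list_unindexed_dirs() {
    find "$1" -type d | LC_ALL=C sort | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.htm" ] \
            && [ ! -e "$dir/index.php" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Write the placeholder into each directory reported above.
# Directories that already have an index file are never touched.
add_placeholders() {
    list_unindexed_dirs "$1" | while IFS= read -r dir; do
        placeholder_html > "$dir/index.html"
        printf 'added %s/index.html\n' "$dir"
    done
}

# Stand-alone entry point: report only, or report and fix with --fix.
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then
        add_placeholders "$1"
    else
        list_unindexed_dirs "$1"
    fi
fi
```

A static placeholder only hides the folder listing: the web server sends it as an ordinary page, and files in the folder can still be fetched by anyone who knows their exact address.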
