PHP security description: DedeCMS security reinforcement

Source: Internet
Author: User

Source: canbeing

As one of the most widely used CMSs in China, DedeCMS frequently has vulnerabilities exposed. The impact of each one is wide: it commonly leads to injected advertisements and pop-up boxes, the server being turned into a bot, and the loss of valuable data. So how can we improve the security of DedeCMS?

First, consider why PHP programs so often have vulnerabilities. The reasons lie in PHP programs themselves. Code reuse in PHP is low, so program structures become complicated and redundant code appears everywhere; this not only makes vulnerabilities easier to introduce, it also makes them harder to fix. PHP is simple and its programs are usually open source, so many people can read the code directly and hunt for vulnerabilities. The result is a steady stream of vulnerabilities being discovered, fixed, discovered again, and so on. Popular PHP systems also use files as caches, which requires permission to write files, and that is undoubtedly a weakness of PHP systems. Today, apart from a small number of injection attacks against PHP systems, most attacks use some vulnerability in the system to write a Trojan (web shell) into a writable file and obtain a shell that way.

Website security has always been a combination of server configuration, file permission control, and the website program itself. Here we mainly look at improving the security of the DedeCMS program. "Executable files cannot be modified, and writable files cannot be accessed" is the fundamental principle of website permission control, and the website program can do a lot of the work on the "writable files cannot be accessed" side. Taking DedeCMS as an example, we can protect the site in the following ways.

1. Rename the data directory under the site root, or move it out of the website directory.

The data directory is the dirtiest place in the system: the program constantly needs to write data into it, and any file in it can be fetched through a URL. To make the browser unable to reach these files, rename the directory or move it out of the website directory. Then, even if someone writes a Trojan into a file through a vulnerability, he cannot find the Trojan's path and cannot continue the attack. Because the DedeCMS program's layout is not well designed, renaming the data directory is a fairly large operation. The specific procedure is as follows:

A. Migrate public content, such as rss, sitemap, js and enum, to a pub directory (or another custom directory). In this step you need to move the folders and modify the file generation paths.

B. Modify the directory paths referenced in the program:

Search for DEDEDATA."/data/" and replace it with DEDEDATA."/"; there are about 50 or 60 occurrences;

Search for "/data/" and change the path to $dedata."/" (note that both the include directory and the backend management directory also contain data folders, which do not need to be modified);

C. Rename the data folder and change the value of DEDEDATA in include/common.inc.php accordingly, then change the template cache directory in the backend under System Settings > Parameter settings. If you only want to rename the data folder without moving it, this step alone is enough.
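Once the data directory has been moved, it is worth checking two things the procedure above relies on: that the new location really is outside the web root, and that nothing has since written PHP into it. The following script is an added example and not part of DedeCMS; it assumes the DEDEROOT and DEDEDATA constants from include/common.inc.php, and the literal paths in it are placeholders.

```php
<?php
// Added example, not DedeCMS code: audit helpers for the moved data directory.
// Assumptions: DEDEROOT is the site root and DEDEDATA the data directory, as
// defined in include/common.inc.php; the literal paths below are placeholders.

if (!defined('DEDEROOT')) {
    define('DEDEROOT', '/var/www/html');                   // placeholder web root
}
if (!defined('DEDEDATA')) {
    define('DEDEDATA', dirname(DEDEROOT) . '/dede_data');  // one level above the web root
}

/**
 * True when $path resolves to a location inside $docRoot, i.e. the web
 * server can serve it. Both sides are canonicalised with realpath() so that
 * symlinks and "../" segments cannot disguise the answer.
 */
function isWebReachable(string $path, string $docRoot): bool
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false;                  // a path that does not exist cannot be served
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

/**
 * Snapshot every PHP-like file below $dir as path => sha1. DedeCMS keeps a
 * few legitimate .php caches in data/ (for example config.cache.inc.php), so
 * the rule is not "no PHP at all" but "no PHP that was not there before".
 */
function snapshotPhpFiles(string $dir): array
{
    $snap = [];
    if (!is_dir($dir)) {
        return $snap;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (preg_match('/\.(php|phtml|php[3-7]|inc)$/i', $file->getFilename())) {
            $snap[$file->getPathname()] = sha1_file($file->getPathname());
        }
    }
    ksort($snap);
    return $snap;
}

/**
 * Compare a fresh snapshot with a baseline taken right after installation or
 * the last upgrade. Anything new or changed deserves a manual look.
 */
function diffSnapshots(array $baseline, array $current): array
{
    $added   = array_diff_key($current, $baseline);
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($baseline[$path] !== $hash) {
            $changed[$path] = $hash;
        }
    }
    return ['added' => $added, 'changed' => $changed];
}

// CLI usage: php audit_data_dir.php [baseline.json]
$baselineFile = $argv[1] ?? '';
$baseline = is_file($baselineFile)
    ? (json_decode(file_get_contents($baselineFile), true) ?: [])
    : [];

echo 'DEDEDATA reachable through a URL: ',
     isWebReachable(DEDEDATA, DEDEROOT) ? 'YES, fix this' : 'no', PHP_EOL;

$current = snapshotPhpFiles(DEDEDATA);
$diff = diffSnapshots($baseline, $current);
foreach ($diff['added'] as $path => $hash) {
    echo "new PHP file in data dir: $path ($hash)", PHP_EOL;
}
foreach ($diff['changed'] as $path => $hash) {
    echo "changed PHP file in data dir: $path ($hash)", PHP_EOL;
}
if ($baselineFile !== '' && !is_file($baselineFile)) {
    // First run: record the baseline so later runs have something to compare against.
    file_put_contents($baselineFile, json_encode($current, JSON_PRETTY_PRINT));
}
```

Run it from the command line as the user that owns the site, once right after the move to create the baseline and then on a schedule. Keep the baseline file itself outside the web root and outside the data directory, otherwise a write to the data directory could also rewrite the baseline.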

2. Rename the "dede" management directory and reinforce it.

If the backend is hidden, someone cannot log on even if they have obtained your administrator account and password.

A. In /dede/config.php, find the following lines:

    // check the user login status
    $cuserLogin = new userLogin();
    if ($cuserLogin->getUserID() == -1)
    {
        header("location:login.php?gotopage=".urlencode($dedeNowurl));
    }

Change the code above to:

    // check the user login status
    $cuserLogin = new userLogin();
    if ($cuserLogin->getUserID() == -1)
    {
        // header("location:login.php?gotopage=".urlencode($dedeNowurl));
        header("HTTP/1.0 404 Not Found");
        exit();
    }

B. Rename /dede/login.php and change the form submission address in /dede/templets/login.htm to match;

C. Rename the /dede directory;

In this way, before logging in you can only reach the renamed /dede/login.php address; requests to any other backend address return a 404 error.
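After the rename, every unauthenticated hit on the backend that is not the new login address is either a stale bookmark or someone looking for the admin panel, which makes the 404 branch a good place to record such attempts. The snippet below is an added example, not DedeCMS code: it keeps the 404 behaviour from step A and adds probe logging. It assumes the userLogin class and $cuserLogin from dede/config.php, a PHP version with http_response_code() (5.4 or later; otherwise keep the original header() call), and the log path is a constructed placeholder that must lie outside the web root.

```php
<?php
// Added example, not DedeCMS code: the step-2 404 branch extended with probe
// logging. Assumes $cuserLogin (class userLogin) as in dede/config.php.
// ADMIN_PROBE_LOG is a placeholder; the directory must be writable by the
// web server user and must not be inside the web root.

define('ADMIN_PROBE_LOG', '/var/log/dede/admin_probe.log'); // placeholder

/**
 * Record one unauthenticated request to the admin directory. CR and LF are
 * stripped from attacker-controlled fields so a crafted URI or User-Agent
 * cannot forge extra lines in the log.
 */
function logAdminProbe(string $logFile): void
{
    $clean = static function (string $value): string {
        return str_replace(["\r", "\n"], '', $value);
    };
    $entry = sprintf(
        "%s ip=%s method=%s uri=%s ua=%s\n",
        date('c'),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $clean($_SERVER['REQUEST_URI'] ?? '-'),
        $clean($_SERVER['HTTP_USER_AGENT'] ?? '-')
    );
    // Append under a lock; errors are suppressed so logging never blocks the 404.
    @file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);
}

// check the user login status (same position as the original code)
$cuserLogin = new userLogin();
if ($cuserLogin->getUserID() == -1)
{
    logAdminProbe(ADMIN_PROBE_LOG);
    http_response_code(404);   // same effect as header("HTTP/1.0 404 Not Found")
    exit();
}
```

Review the log periodically: a burst of requests for old paths such as /dede/login.php from one address is a clear signal that someone is enumerating the backend, while a single entry from your own address is usually just a bookmark that needs updating.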

Of course, after this security reinforcement, upgrading DedeCMS in the future will be more troublesome.
