I've looked at a bunch of CMSs (content management systems) lately. There
are some good ones, and I like the directions they're going.

nadmin studio has the most incredible admin front end for midgard that
you would believe. It's at http://cmsdemo.hklc.com; just type in demo
for each of the blocks and leave everything else the same. WOW, GOOD

As far as I know, midgard has to be installed as an apache mod. This
gives it the power to run php scripts written by end users who are part
of a site, YET, be subject to permissions by the midgard package, kind
of like a cgi wrapper around the file system AND the database contents
as well.

A lot of ISPs don't want to mess with their current installed Apache
server, and who can blame them? I'm not sure if midgard can be a shared
object or not?

Anyway, stuff like PHPNuke, and maybe PostNuke just install in the
html/doc root, make everything basically 777 (or close to that), and get
protection from inadvertent serving of xxx.inc files which have
passwords in them with '.htaccess' files containing 'deny all'. It
works, BUT ......


FINALLY, my question. If some newbie sysadmin at a shared ISP
accidentally turned off the php engine AND turned off the user being
able to use .htaccess files, all the files in the html/doc root could be
served, unprocessed, right? BIG SECURITY problem, huh? 

I have heard that it's better to put everything OUT of the doc root to
avoid this, or at least, anything with passwords and important
parameters. Is there any circumstance where Apache could serve outside
of the doc root?
Joy is just a thing (to be).. raised on,
Love is just the way to Live and Die,
                        John Denver.
He lost a friend, but kept his Memory (also John Denver),
                        Thank you...John Corones...my friend always.
Look lovingly upon the present,
for it holds the only things that are forever true.
                                Sincerely, Dennis Gearon (Kegley)

PHP General Mailing List (http://www.php.net/)
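
An added example, not part of the original post: a Python script that walks a document root and flags the files the question is about, namely PHP source with credential-like assignments that would be disclosed if served unprocessed, whether a `.htaccess` deny is their only guard, and world-writable modes. The function names, extension list, regex heuristics and sample tree are assumptions constructed for illustration.

```python
import os, re, stat, tempfile
from pathlib import Path

# Assumption: extensions that hold PHP source the handler would normally execute.
SOURCE_EXT = {".php", ".inc", ".php3", ".phtml"}
# Heuristic for credential-like assignments such as $dbpass = "..." (not exhaustive).
SECRET_RE = re.compile(r"\$\w*(pass|pwd|secret|key)\w*\s*=\s*['\"]", re.I)
# Apache 2.2 and 2.4 spellings of a blanket deny.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)", re.I | re.M)

def audit_docroot(root):
    """Return {relative_path: [findings]} for files under the document root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        ht = Path(dirpath, ".htaccess")
        # Simplification: only a .htaccess in the same directory is considered.
        guarded = ht.is_file() and bool(DENY_RE.search(ht.read_text(errors="replace")))
        for name in (f for f in files if f != ".htaccess"):
            path = Path(dirpath, name)
            notes = []
            if path.suffix.lower() in SOURCE_EXT:
                if SECRET_RE.search(path.read_text(errors="replace")):
                    notes.append("secret-in-docroot")
                    if guarded:  # protection disappears under AllowOverride None
                        notes.append("only-htaccess-guard")
            if stat.S_IMODE(path.stat().st_mode) & stat.S_IWOTH:
                notes.append("world-writable")
            if notes:
                findings[os.path.relpath(path, root)] = notes
    return findings

def build_sample(root):
    """Constructed sample tree, loosely following the layout the post describes."""
    def put(rel, text, mode):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        p.chmod(mode)
    put("index.php", "<?php include 'includes/config.inc'; ?>", 0o644)
    put("includes/config.inc", "<?php $dbpass = 'constructed-value'; ?>", 0o777)
    put("includes/.htaccess", "deny from all\n", 0o644)
    put("top.inc", "<?php $db_password = 'constructed-value'; ?>", 0o644)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(audit_docroot(d))
```

Every path the audit reports is a candidate for moving above the document root, so that neither the PHP handler nor `.htaccess` processing is the only thing keeping it private.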