
Impossible to read sent attachments via a chat | Forum

Martin Baso
Martin Baso Apr 18 '15
My host provider recommended to apply 755 to folder and 644 to files. I did it and it did not help.

Also I was forced to disable "Options +FollowSymLinks" in htaccess file to make the installation happen.
dave Leader
dave Apr 18 '15
Have you emailed a copy of the requirements to your host to make sure your server meets the requirements? It sounds like it needs to be tweaked a bit.

http://www.oxwall.org/hosting (right side of page)


dave Leader
dave Apr 18 '15
I looked at your file.... Are you using XAMPP?
Martin Baso
Martin Baso Apr 18 '15
Finally I found the problem. Under the /public_html/demonetwork/ow_includes I needed to modify htaccess as follows:

#Options All -Indexes ( before without # ).
#php_flag engine off

My host does not support Options All -Indexes.

However, then I see another issue. It means that the folder content of /public_html/demonetwork/ow_userfiles is accessible to anybody from outside. I can see it based on the .htaccess file.

Inside /public_html/demonetwork/ow_userfiles are many other folders and I do not think it is all right to have their content exposed to the outside world.
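
An added example, not part of the original post or of Oxwall's code: a small Python check that reads a .htaccess body and reports whether the two directives quoted above are active or commented out. The function names are hypothetical and the sample inputs are constructed from the lines in the post; it also flags an Options line that mixes signed and unsigned keywords, which the Apache 2.4 documentation describes as invalid syntax.

```python
import re

OPTIONS_RE = re.compile(r"(?i)^options\s+(.+)$")
PHP_OFF_RE = re.compile(r"(?i)^php_flag\s+engine\s+(off|0)\s*$")

def _classify(directive):
    """Return (disables_listing, disables_php, mixes_signs) for one directive."""
    m = OPTIONS_RE.match(directive)
    if m:
        opts = m.group(1).split()
        signed = [o for o in opts if o[0] in "+-"]
        disables_listing = "-indexes" in [o.lower() for o in opts]
        # "Options All -Indexes" mixes an unsigned and a signed keyword.
        return disables_listing, False, 0 < len(signed) < len(opts)
    return False, bool(PHP_OFF_RE.match(directive)), False

def audit_htaccess(text):
    """Audit one .htaccess body; a line starting with '#' counts as inactive.

    Simplification (assumption): directive order and overrides from parent
    directories or the main server config are not modelled.
    """
    result = {"listing_disabled": False, "php_disabled": False,
              "mixed_options": False, "commented_out": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        directive = line.lstrip("#").strip()
        listing, php, mixed = _classify(directive)
        if line.startswith("#"):
            # A hardening directive that exists but has been switched off.
            if listing or php:
                result["commented_out"].append(directive)
            continue
        result["listing_disabled"] |= listing
        result["php_disabled"] |= php
        result["mixed_options"] |= mixed
    return result

# Constructed samples mirroring the post: the file as shipped, the file after
# both lines were commented out, and a variant using only a signed option.
AS_SHIPPED = "Options All -Indexes\nphp_flag engine off\n"
AFTER_EDIT = "#Options All -Indexes\n#php_flag engine off\n"
SIGNED_ONLY = "Options -Indexes\nphp_flag engine off\n"

if __name__ == "__main__":
    for name, body in [("as shipped", AS_SHIPPED), ("after edit", AFTER_EDIT),
                       ("signed only", SIGNED_ONLY)]:
        print(name, audit_htaccess(body))
```
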
dave Leader
dave Apr 18 '15
Are you sure your mod_rewrite is on and functioning? Disabling htaccess in any way is not the answer.
dave Leader
dave Apr 18 '15
You may want to have a look at this: http://stackoverflow.com/...ons-not-allowed-here
Martin Baso
Martin Baso Apr 18 '15
mod_rewrite is on and functioning. At least I know it because before I had the same problem with ELGG which I left due to many issues. I have chosen Oxwall due to much better functionality and rich features.

I do not want to disable the htaccess in ow userfiles but this is a possible security hole. Imagine somebody who had opened his attachment, then he left PC and a following person can access his attachment through a browser history....this is more than risky. An owner of such webpage/social network can get into big troubles due to a law regarding personal / privacy information protection. Is there any plan how to fix it? At least in EU, US or Canada this can be very dangerous and can lead to a company ( which runs / owns the social network ) close down and prosecutions. I think developers should be aware about this danger and consider to change their approach. I do not want to criticise but there are a lot of legal aspects that should be considered.

Maybe I should raise this topic separately.....
dave Leader
dave Apr 18 '15
Let's see what the team says about this!
Martin Baso
Martin Baso Apr 18 '15
Thank you. Once resolved it may open potentially wider use in general and Oxwall can gain a larger market share than before I hope :) Please let me know if more update is available.

Many thanks

Martin
dave Leader
dave Apr 18 '15
Team this one is for you :) please advise thanks 
Martin Baso
Martin Baso Apr 18 '15
One more point, maybe I am wrong. "bad" bots/robots can possibly crawl these directories and all content can be extracted to the other world. robot.txt does not work 100% as I learnt from other sources....So it is not just a forgotten undeleted browser history what could be problematic....

Martin Baso
Martin Baso Apr 18 '15
I have seen that ELGG resolved this issue by placing "users content directory" outside /public_html. So that is accessed only by logged users I think.....

Anyway thank you for paying attention to this issue :)
Martin Baso
Martin Baso Apr 18 '15
What about to create a subfolder for each registered member which would contain .htaccess that allows access only to that one particular user? And if there is any need to share certain files ( pics, music....etc ) among multiple members or even public, then to create additional subfolders with htaccess that allows either multiple users or everybody ( public ).

Such multiple htaccess files would need to be automatically generated based on the user's privacy settings.

I am not an IT engineer ( my domain is electronics ) so it could be entirely wrong what I write here.....
ross Team
ross Apr 20 '15
Martin, if you mean the content of the userfiles folder, like if you entered the link to the jpeg file in this folder and you can see it, then there's no such feature in the default software. Check the reply here: http://www.oxwall.org/forum/topic/23221?page=1#post-106012


As to this one: 

Quote from Martin Baso: One more point, maybe I am wrong. "bad" bots/robots can possibly crawl these directories and all content can be extracted to the other world. robot.txt does not work 100% as I learnt from other sources....So it is not just a forgotten undeleted browser history what could be problematic....


Check this link:
http://stackoverflow.com/questions/10735766/block-all-bots-crawlers-spiders-for-a-special-directory-with-htaccess
