|Rationale||FAQ||Dev site||PHP version||Install||Security||Customization||Demo||Distributed Application|
PageBox for PHP security|
PageBox for PHP is quite powerful and therefore requires proper security measures.
In this document we focus on the security in Apache and BadBlue environments.
PageBox doesn’t really change the picture: If your server pages have unrestricted access to the server resources and if someone finds the way to add or modify a server page, then the security of the server is compromised.
PageBox for PHP triggers commands to install and remove presentations.
These commands are specified in inflate.pb and delete.pb.
As a bare minimum, define inflate.pb, delete.pb and the commands that you can distribute in Read-Only mode.
You can also enforce the security measures described in the PHP and Apache documentation.
If you try using PageBox on an ISP/ASP your inflate and delete commands will probably not work because your ISP has configured PHP in Safe Mode.
From the PHP documentation:
"Safe Mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren’t very realistic, many people, especially ISP’s, use Safe Mode for now."
First check if Safe Mode is set with environment.php:
Many functions are restricted or disabled by safe mode. Look in the PHP documentation for their list.
If PHP is used in safe mode, exec() and the other functions executing system programs refuse to start programs that are not in safe_mode_exec_dir .
Therefore you must copy the programs used by inflate.pb and delete.pb in safe_mode_exec_dir.
On Windows, you need %SYSTEMROOT%\system32\cmd.exe to run batch files.
With Apache you need to update conf/httpd.conf.
Assuming that you installed the Pagebox repository on D:/Program Files/Apache Group/Apache/htdocs/repository you can use that definition:
You create and populate D:/Program Files/Apache Group/Apache/PageBox-users.ht with the htpasswd command, for instance:
Then you create D:/Program Files/Apache Group/Apache/PageBox-groups.ht:
Thank to the Require group PageBox statement, only users belonging to PageBox group, admin publisher1 publisher2 subscriber1 subscriber2 are allowed to query repository resources.
Restart Apache. Now when you query publisher.php, subscriber.php or admin.php you are displayed this dialog box:
Enter a valid user and password belonging to PageBox group.
Use the BadBlue Web administration. Assuming that you installed BadBlue on your machine and set the port at 1080, enter the URL http://localhost:1080/. You should get this:
Select Advanced Web server functions | Define user to create the users.
Then select Advanced Web server functions | Control Access and select the repository virtual directory:
Now when you try to access a repository page you are displayed the same login panel as above. Enter a valid user name and password.
Only users defined in users.rep can publish presentations.
Only the user defined in adminUser.rep can administrate and display the audit log.
Configure adminUser.rep and users.rep as described in the customization guide.
Without encryption the user and password are send on the wire in clear text.