What's so safe about safe path?

Started by jeanmarat, July 07, 2012, 10:02:40 AM


jeanmarat

So there is the known option of making a 'safe path' so as to save your invoices and files you want to upload and sell.

But what's so safe about it?

The directory can be accessed via URL. One just has to type yourdomain/name_of_safe_path_directory
and he has full access to the files and invoices with an index.

One might argue: well, how will he know the name of the path?

If he doesn't know the name of the path, the only thing he has to do is download this shareware: http://www.httrack.com/
He just inserts the URL and the thing will do it all by itself. It will download all folders including the SAFE PATH directory and its contents.

No need to guess the name or try the default vmfiles that Virtuemart provides.

So there is a certain amount of insecurity when it comes to the safe path.

I know from other CMSs (like Drupal) that it takes 2 sets of .htaccess files to block access via URL, and HTTrack seems unable to download the files from the directory where you upload 'sensitive' files.

So what is the solution?

What are the .htaccess files I need to insert, and where, to achieve a certain amount of safety in my safe path in VirtueMart?

Thank you in advance.

Milbo

Seems you completely do not understand the system. It is called safe PATH because you can set a PATH and not a URL, and this path can be somewhere on your server.

Please read the FAQ first http://forum.virtuemart.net/index.php?topic=98633.0
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

jeanmarat

First of all there is no need to be defensive or upset.

So it's just a path for a directory on your server. That doesn't mean it can't be accessed by a URL.

E.g. let's say I give a path like home/user/public_html/wgettyty/

That in no way means that the directory called wgettyty isn't accessible if I just type

www.mydomain.com/wgettyty/

and in no way does it mean that if someone uses HtTracker and just inserts www.mydomain.com that it won't download the wgettyty directory in question.

What I really want to know is this:

Let's say I want to set up a VirtueMart and sell downloadable files with the PAID extension Plug-in Virtual products.

It seems obvious that I want my files that are to be sold to not be downloadable if one does not pay first and uses another technique. It seems there are 2 ways he can do that without paying: a. just typing the URL for the safe path; b. using software like HtTracker to download all files on your server.

Is there a security fix for that?

Thank you for your quick response.

jeanmarat

It seems if I change my folder to 750 permissions from 755 there is no access, but there is access only from my email.

Is that the solution?

seyi

Your safe path is supposed to be outside your website root. So something like
home/user/wgettyty
No bots can scan that.
Seyi A
--------------------
Promotion enhancement for Virtuemart:
   - AwoCoupon FREE - http://www.awocoupon.com/starter
   - AwoCoupon Pro - http://awodev.com/products/joomla/awocoupon
   - AwoRewards - http://awodev.com/products/joomla/aworewards
   - AwoAffiliate - http://awodev.com/products/joomla/awoaffiliate

muurman

Hi,

I have webspace at one.com.

I don't have the possibility to create a safe path outside the public section.

I can make the directory more secure by using a different name. But this is just a bit more secure.

Can I change the security on the directory to 751, for example?
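
The distinction discussed in the replies above (a safe path outside the website root versus one inside it) can be checked mechanically. The following is an added example, not code from VirtueMart or from any poster: it classifies a safe path against a document root and, when the path is inside the root, looks for a deny-all `.htaccess`. The function names and the temporary directory layout are constructed for illustration, and the `.htaccess` check is a heuristic that assumes Apache with `AllowOverride` enabled.

```python
import os
import re
import tempfile

# Deny-all directives: Apache 2.4 ("Require all denied") and 2.2 ("Deny from all").
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)

def classify_safe_path(docroot, safe_path):
    """Return 'outside-docroot', 'inside-docroot-denied' or 'inside-docroot-exposed'."""
    root = os.path.realpath(docroot)      # realpath resolves symlinks and '..'
    target = os.path.realpath(safe_path)
    if os.path.commonpath([root, target]) != root:
        return "outside-docroot"          # not mapped to any URL by the web server
    # Inside the web root: walk up to the docroot looking for a deny-all .htaccess.
    current = target
    while True:
        htaccess = os.path.join(current, ".htaccess")
        if os.path.isfile(htaccess):
            with open(htaccess, encoding="utf-8", errors="replace") as fh:
                if DENY_RE.search(fh.read()):
                    return "inside-docroot-denied"
        if current == root:
            return "inside-docroot-exposed"
        current = os.path.dirname(current)

def demo():
    """Constructed layout using the directory names from the thread."""
    with tempfile.TemporaryDirectory() as home:
        docroot = os.path.join(home, "public_html")
        inside = os.path.join(docroot, "wgettyty")   # home/user/public_html/wgettyty
        outside = os.path.join(home, "wgettyty")     # home/user/wgettyty
        link = os.path.join(home, "files_link")      # looks outside, points inside
        os.makedirs(inside)
        os.makedirs(outside)
        os.symlink(inside, link)
        before = classify_safe_path(docroot, inside)
        via_link = classify_safe_path(docroot, link)
        out = classify_safe_path(docroot, outside)
        with open(os.path.join(inside, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write("# block all HTTP access to this directory\nRequire all denied\n")
        after = classify_safe_path(docroot, inside)
        return before, via_link, out, after

if __name__ == "__main__":
    print(demo())
```

The check reads file contents only; it does not confirm that the server actually honours the `.htaccess`, so a request to the directory's URL returning 403 remains the final test.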