Dokeos, new course, error about group permissions

June 24, 2008

There is a common problem appearing when installing a new Dokeos portal that I have seen a lot recently, so I thought I’d share the details here.

The problem

When installing Dokeos on cPanel-style hosting, it can happen that the installation completes, but when you try to enter a newly-created course, an ugly error appears. Something like:

Internal Server Error

or, if you are lucky

/…/courses/COURSECODE/index.php cannot be displayed because it is writable by the group.

Either way, if one of those two error messages appears precisely when the URL in your browser shows http://your-domain-name/courses/YOURCOURSECODE/index.php, it means that you have a “secured” version of Linux.

This implies that, for any PHP script you want to execute, this message will appear if the script is writable by anyone other than the owner of the file.

In a cPanel system, you will see that this file (and possibly the directory it’s in) has write permission for the group.

The permissions syntax

I’m reviewing basic stuff here, so if you know about UNIX permissions, just skip to the next section.

This is represented by the permissions indicator

-rwxrwxr--

which can be translated as: the owner can read, write and execute this script, the owner *group* can read, write and execute this script, and all other users can read the script, but not write or execute it.

The write permission gives you the right to edit the file, but you need write permission on the containing *folder* to actually create or remove this file.

The risk is that, by letting too many people write to this script, a cracker (an evil hacker) could modify it and have your server execute his code instead of yours.

Fixing the problem now on the server

Now the quick fix is to read the error message carefully and change the permissions accordingly. The server tells us that this script cannot be opened because it is writable by the group, so all we need to do is remove the write permission on this file. Just click on whatever option allows you to change the permissions in cPanel and remove the write permission for the group.

This should result in your file’s new permissions looking like this:

-rwxr--r--

If the server bothers you with write permissions on the directory, you need to set the directory’s permissions to

drwxr-xr-x

The execute permission on a directory is what lets the server traverse it (and get to index.php).

This should solve your problem for this course. Now you want to avoid doing that for all courses to come, don’t you? Read on…

Fixing the problem for the future from inside Dokeos

Since Dokeos 1.8.4 (or was it a little before?), we added some settings inside the database that let you specify what permissions new files and directories should use. Well, this is precisely one case for which we did that.

Head to your “Portal Administration” tab, “Platform” section, “Dokeos configuration settings” link, then “Security”, then the “Permissions for new directories” and “Permissions for new files” settings. By default, these are set to 0777 and 0666. Since you do not want the group to have write permission, and since 0777 represents rwxrwxrwx and 0666 represents rw-rw-rw-, you just want to change these to 0555 and 0444 respectively.

That’s it, you can now create a new course without having to worry about file permissions!
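As an added example, not code from the original post or from Dokeos, here is a POSIX shell script that applies the same rule a suEXEC/suPHP-style server enforces on the course files and directories discussed in both sections above: it lists every directory and every .php file under a tree that is writable by group or others, and then strips those write bits in bulk, which is the manual cPanel chmod step done for a whole portal at once. The course tree, the course code DEMO101 and the file contents are constructed for the demo and are assumptions.

```shell
#!/bin/sh
# Added example (not Dokeos code): find and fix group/other-writable PHP files and
# directories, which is the condition the "writable by the group" error is about.

# Print every directory and every *.php file under $1 that group or others may write.
# Returns 0 when the tree is clean, 1 when at least one offending path was printed.
audit_writable() {
    found=$(find "$1" \( -type d -o \( -type f -name '*.php' \) \) \
                 \( -perm -020 -o -perm -002 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Number of offending paths, handy for scripting and for the checks below.
count_writable() {
    audit_writable "$1" | awk 'END { print NR }'
}

# Remove the write bit for group and others on the offending paths only, keeping the
# owner's write bit so the PHP process that owns the files can still update course
# content. Directories keep their execute bit, which is what lets the server traverse them.
fix_writable() {
    find "$1" \( -type d -o \( -type f -name '*.php' \) \) \
         \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Build a throwaway course tree with the permissions a cPanel host typically gives new
# files (group-writable), so the audit has something to find. Prints the root path.
make_demo_tree() {
    root=$(mktemp -d)
    course="$root/courses/DEMO101"            # constructed course code
    mkdir -p "$course/document"
    printf '<?php echo "course home";\n' > "$course/index.php"
    printf 'plain notes\n' > "$course/document/readme.txt"
    chmod 755 "$root" "$root/courses" "$course/document"
    chmod 775 "$course"                       # drwxrwxr-x: group-writable directory
    chmod 774 "$course/index.php"             # -rwxrwxr--: the state the error complains about
    chmod 666 "$course/document/readme.txt"   # not a PHP file, so the audit ignores it
    printf '%s\n' "$root"
}

# Stand-alone run: show the offending paths, fix them, and show the tree is clean.
demo() {
    root=$(make_demo_tree)
    echo "before fix:"; audit_writable "$root" || true
    fix_writable "$root"
    echo "after fix: $(count_writable "$root") writable path(s) left"
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it with `sh audit.sh demo` to see the two offending paths (the course directory and its index.php) reported and then cleared. Using `chmod go-w` rather than a fixed mode mirrors the manual fix above: only the group and other write bits go away, and whatever execute bits were already set are left alone.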


No security flaw so far…

June 19, 2008

It might seem kind of weird to mention it, but I had somewhat of a big scare when Secunia sent us an e-mail entitled “Security Patches in Dokeos 1.8.5”. If my fears had been right, it would have meant that we would have needed to re-package 1.8.5 only two days after the official release. Not something I would have liked to do…

However, it was just a basic “request for information” e-mail asking what security improvements had been added to Dokeos 1.8.5, as we had mentioned in our changelog.

The answer is that we integrated Dokeos 1.8.4 SP1, SP2 and SP3, as well as improved input filtering all over (most of all in the survey and forum tools).

So we still have a robust 1.8.5, which makes me very happy.


Dokeos 1.8.4 SP2

February 13, 2008

Please note that this patch has been integrated in Dokeos 1.8.5, released on the 12th of June 2008, and that there is also a Dokeos 1.8.4 SP3 patch available on the security page indicated below.

There’s a new security patch out there for you if you have a Dokeos 1.8.4 portal (if you have below that, I recommend you upgrade to 1.8.4).

As stated on my “Dokeos 1.8.5” page, the release has been delayed a bit more in the hope of providing a few additional and essential features in this version (notably an extended system of templates for exercises, which will allow rapid building of exercises of many types).

So, because of that additional delay and because these vulnerabilities were found by a Russian team in our code, I felt it was essential to provide a clean patch. You can find all the info you need on our public wiki: http://www.dokeos.com/wiki/index.php/Security

As I was trying to provide this patch first to our registered users, I suddenly remembered we had a problem with the automatic-registration script, which ensures that everyone wanting to have his/her portal registered on this page could actually do that from the administration panel of Dokeos and get the administrator’s e-mail sent to us (along with very short info on the portal URL, number of courses and number of users), so we could send them the security updates.

As this script was broken, and as I realized it had been for quite some time (a few months), I spent most of my weekend free time fixing and improving it. Although it doesn’t assign the country correctly just yet (which I’m going to fix as soon as I manage to install GeoIP on our server), it’s pretty much working now, and we have already logged about 100 new portals since Monday morning, which makes us quite happy (the number had frozen at about 1600 campuses in May last year, and the newly registered campuses were registered in another database, so in the end we are now well over 2400 campuses all together).


Better files filtering in Dokeos 1.8.5

December 19, 2007

It has been in the code for Dokeos 1.8.5 for two weeks now: file extension filtering. It was possible, in 1.8.4, to filter the extensions of files extracted from ZIP files, but I didn’t have time back then to include widespread file filtering. It is included now.

There is still a problem whereby Windows decides how to interpret a file by looking inside it, so a file does not need a misleading extension in order to be executed, which is all a virus needs to spread. This is not yet filtered in Dokeos, so we are looking into integrating an (old) extension called “virusscanner” from our extensions page so that we cover that point as well. That extension connects to the ClamAV database to check the uploaded file for any trace of a virus.
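The extension filter described above, as an added example that is not Dokeos code: a POSIX shell function that rejects an upload whose name carries a server-interpreted extension in any dot-separated segment (some Apache handler configurations match on any `.php` segment, so `report.php.txt` is treated like `report.php`), plus a helper that runs the same rule over every entry of an archive listing, which is how the ZIP case can be covered before anything is extracted. The deny list is an assumption to adapt to your host; the ClamAV step mentioned above is outside this example.

```shell
#!/bin/sh
# Added example (not Dokeos code): extension filtering for uploads, applied to single
# file names and to the entry names of an archive.

# Extensions a typical LAMP host hands to an interpreter or treats as configuration.
# Assumed list: adapt it to the handlers your web server actually has enabled.
DENY_EXT="php php3 php4 php5 php7 phtml phps phar cgi pl py sh htaccess"

# upload_allowed NAME -> 0 if NAME is acceptable, 1 if it must be rejected.
# The check is case-insensitive, ignores any directory part, and looks at every
# dot-separated segment after the first, so "a.PHP.txt" is rejected like "a.php".
upload_allowed() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name##*/}
    [ -n "$name" ] || return 1
    rest=$name
    while [ "$rest" != "${rest#*.}" ]; do   # loop while a dot remains
        rest=${rest#*.}                     # drop up to and including the first dot
        seg=${rest%%.*}                     # the segment that follows it
        for ext in $DENY_EXT; do
            [ "$seg" = "$ext" ] && return 1
        done
    done
    return 0
}

# archive_entries_allowed reads one entry name per line from stdin (for instance the
# output of `unzip -Z1 upload.zip`), prints each rejected entry, and returns 1 if any
# entry was rejected, so a whole archive can be refused before it is extracted.
archive_entries_allowed() {
    bad=0
    while IFS= read -r entry; do
        upload_allowed "$entry" || { printf 'rejected: %s\n' "$entry"; bad=1; }
    done
    return "$bad"
}

# Stand-alone run over constructed names and a constructed archive listing.
if [ "${1:-}" = "demo" ]; then
    for n in report.pdf slides.PHP.txt notes.txt .htaccess; do
        if upload_allowed "$n"; then echo "allowed:  $n"; else echo "rejected: $n"; fi
    done
    printf 'readme.txt\nimg/logo.png\nlib/shell.phtml\n' | archive_entries_allowed
fi
```

Checking every segment rather than only the last one is the point of the example: a filter that only looks at the final extension would pass `slides.php.txt`, and a server whose handler matches the `.php` segment would still execute it. Extension-less names are accepted here, which is a policy choice to revisit for your own portal.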

The problem with all that is still that some human minds prefer self-interest to the common interest, and take time to spread their viruses all around, so we have to spend time fighting them. Humans vs humans is a tougher battle than machine vs machine.


The crackers before Christmas

December 19, 2007

I don’t know why exactly, maybe it’s because some system administrators go on holiday, or maybe it’s because evil students (read: young crackers) are on holiday themselves, but the festive season is always a time when we see more attempted attacks on our servers.

Oh, by the way, hackers are just people looking into the code to change it; they’re not evil. Crackers are people getting onto others’ systems and trying to misuse them. They’re evil.

This week, two security problems were reported “in” Dokeos [1] [2]. We finally realized that number one was a very old Dokeos installation where the recommended configuration settings (magic_quotes on) had been ignored, making the system vulnerable to SQL injection, and that the second one was also due to some kind of weird feature added to the default web server config to allow the uncompression and execution of an uploaded rar file.

Yeah, that’s right… Dokeos doesn’t handle uncompressing rar files, so basically you have to send a .rar file containing PHP files to the web server, and if you’re lucky enough that the system administrators of that server are completely missing the point of security, *then* you can execute the contents of the .rar file by calling it from a web browser.

Needless to say, we don’t have that *special feature* activated at Dokeos’ company, so our customers are safe regarding this one.