2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
This article explains in detail how to protect a website built with DedeCMS (Dream Weaving) against having malicious code planted in its pages ("horse hanging"). The editor thinks it is very practical, so I share it with you for reference. I hope you get something out of reading it.
As one of the most widely used CMSs in China, DedeCms often has vulnerabilities exposed, and each one affects a large number of sites. In mild cases the site has ads and pop-ups injected; in worse cases the server becomes a zombie ("meat machine") and valuable data is lost. So is there any way to improve the security of DedeCms?
Let's look at the cause first. The reason PHP programs so often have vulnerabilities is actually determined by the nature of PHP programs themselves.
The low reusability of PHP code leads to complex program structure and redundant code everywhere, which not only makes vulnerabilities more likely but also makes them harder to fix.
PHP programs are easy to get started with and are generally open source, so many people can read the code directly and search for vulnerabilities. As a result, a steady stream of vulnerabilities is discovered, fixed, and discovered again.
Popular PHP systems currently tend to use files as their cache, so they need write permission on those files, which undoubtedly becomes a weak point of the PHP system.
At present, apart from the rare "injection" attacks, most attacks against PHP systems work by using a vulnerability in the system to insert a one-line Trojan (a "one-sentence" webshell) into a writable file.
Website security has always depended on server configuration, file permission control and the website program working together. Today we mainly look at changes to the DedeCms program itself that improve security. "Executable files must not be modifiable, and writable files must not be accessible": this is the fundamental principle of website permission control. The website program can do a lot of work on the "writable files must not be accessible" half.
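The rule quoted above can be checked mechanically. The following audit is an added example, not code from the original article or from DedeCMS; it assumes the web server account is not the file owner (so the group/other write bits decide what it can modify), and the extension list and sample tree are constructed for the demonstration.

```python
import os
import stat
import tempfile

SCRIPT_EXT = {".php", ".php5", ".phtml"}    # assumption: extensions the server executes
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH  # assumption: web server is not the file owner

def audit_webroot(webroot):
    """Return sorted relative paths that break either half of the rule."""
    report = {"modifiable_scripts": [],   # executable files that can be modified
              "exposed_writable": [],     # writable directories reachable by URL
              "scripts_in_writable": []}  # scripts sitting where caches are written
    for dirpath, _dirs, filenames in os.walk(webroot):
        dir_writable = bool(os.stat(dirpath).st_mode & OTHERS_WRITE)
        if dir_writable:
            report["exposed_writable"].append(os.path.relpath(dirpath, webroot))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
                continue
            rel = os.path.relpath(path, webroot)
            if os.stat(path).st_mode & OTHERS_WRITE:
                report["modifiable_scripts"].append(rel)
            if dir_writable:
                report["scripts_in_writable"].append(rel)
    return {rule: sorted(paths) for rule, paths in report.items()}

def build_sample(root):
    """Constructed tree standing in for a DedeCMS install (modes chosen for the demo)."""
    layout = {"index.php": 0o644, "include/common.inc.php": 0o666,
              "data/cache.txt": 0o666, "data/tmp.php": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "include"), 0o755)
    os.chmod(os.path.join(root, "data"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rule, paths in audit_webroot(root).items():
            print(rule, paths)
```

A script reported under scripts_in_writable is the first thing to inspect, since a writable, URL-reachable directory is where a planted one-line Trojan would land.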
Taking DedeCMS as an example, we can protect it in the following ways.
1. Rename the data directory under the root directory, or move it outside the website directory
The data directory is the dirtiest place: the system often has to write data to it, and any file under it can be accessed through a URL. So that browsers cannot access the files inside, you need to rename this directory or move it outside the website directory. Then, even if someone writes a one-line Trojan into a file through a vulnerability, they cannot find the path of the file where the Trojan sits and cannot continue the attack. Because the DedeCMS program is poorly structured, renaming the data directory is a relatively large change, as follows:
a. Move the content that has to stay public, such as rss, sitemap, js and enum, to a pub directory (or another custom directory). This step requires moving the folders and modifying the paths where these files are generated.
b. Modify the directory references in the program
Search and replace "DEDEDATA."/data/" with "DEDEDATA."/", about 50 or 60 places
Search and replace "DEDEDATA.'/data/" with "DEDEDATA.'/", about 50 or 60 places
Search for "/data/" and change the path to "$DEDEDATA."/" (note that both the include directory and the background management directory have data folders, which do not need to be modified)
c. Rename the data folder, modify the value of "DEDEDATA" in the include/common.inc.php file, and then modify the template cache directory in the background system settings (parameter settings). You can follow the same procedure to change the name of the data folder again later.
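A dry run of step b, as an added example that is not part of the original article or of DedeCMS: it applies the two DEDEDATA replacements in memory, lists the line numbers where a bare /data/ remains for manual review, and skips the include/data and dede/data folders. The function names and sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Step b, rules 1-2: DEDEDATA."/data/ or DEDEDATA.'/data/ (quote style is kept).
CONST_REF = re.compile(r"""(DEDEDATA\s*\.\s*["'])/data/""")
# Folders the article says to leave alone ("dede" is the default admin directory).
SKIP = {os.path.join("include", "data"), os.path.join("dede", "data")}

def plan_rewrite(src_root):
    """Dry run. Returns {relative_path: (new_text, auto_fixed, review_lines)}."""
    plan = {}
    for dirpath, dirnames, filenames in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in SKIP]
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 round-trips every byte, so GBK-encoded sources stay intact.
            with open(path, encoding="latin-1", newline="") as fh:
                text = fh.read()
            new_text, fixed = CONST_REF.subn(r"\1/", text)
            # Step b, rule 3: any "/data/" still present needs a manual decision.
            review = [n for n, ln in enumerate(new_text.split("\n"), 1) if "/data/" in ln]
            if fixed or review:
                plan[os.path.relpath(path, src_root)] = (new_text, fixed, review)
    return plan

# Constructed sample files, not taken from DedeCMS itself.
SAMPLE = {
    "member/config.php": '<?php\n$a = DEDEDATA."/data/a.inc"; $b = DEDEDATA.\'/data/b.inc\';\n',
    "plus/rss.php": '<?php\n$url = $cfg_cmspath."/data/rss/1.xml";\n',
    "include/data/words.php": "<?php // mentions /data/ but sits in a skipped folder\n",
}

def write_sample(root):
    for rel, body in SAMPLE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        write_sample(root)
        for rel, (_, fixed, review) in sorted(plan_rewrite(root).items()):
            print(rel, "auto-fixed:", fixed, "review lines:", review)
```

Nothing is written back to disk; compare the auto-fixed total with the 50 or 60 places the article expects before applying any change.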
2. Rename the "dede" management directory and harden it.
If you hide the background, then even if someone else gets your administrator account and password, they will not be able to log in.
In /dede/config.php, find the following code:
The following is the referenced content:

    // Verify the user's login status
    $cuserLogin = new userLogin();
    if ($cuserLogin->getUserID() == -1) {
        header("location:login.php?gotopage=" . urlencode($dedeNowurl));
    }

This is the end of the method for protecting a DedeCMS website against planted malicious code. I hope the above content is helpful to you and that you learn more from it. If you think the article is good, you can share it for more people to see.