Now I have this post correct and tested 4.22.2010
My notes as we were testing. I am posting this information so that all have the knowledge. This is not provided to create strife, but to protect my fellow community members from becoming victims.
Softaculous Auto-Installer and Dolphin
What was discovered after my initial post was negated.
I am testing on Arvixe since they seem to get the most publicity on here.
We are testing on two different servers from Arvixe
Cobra and Shark; the install builds appear to be the same from a glance at the php.ini from the admin panel's host tools.
What we discovered: Shark will install Dolphin, and it does create the cron jobs. Cobra will install Dolphin, but no cron jobs are created.
Neither of these server builds is suPHP or suExec; they both appear to be CGI builds.
Now we get into the file permissions that we all know are vital to a secure environment.
Both Cobra and Shark are installed with directories being permed as 777 (not all directories, just some):
backup - 777
cache - 777
cache_public - 777
langs - 777
tmp - 777
/backup/.htaccess - 777
/cache/.htaccess - 777
/cache/all files 666
cache_public/all files 666
/flash/modules/board/files - 777
/flash/modules/board/xml/config.xml - 777
/flash/modules/board/xml/langs.xml - 777
/flash/modules/board/xml/skins.xml - 777
/flash/modules/board/xml/main.xml - 666
/flash/modules/chat/xml/config.xml - 777
/flash/modules/chat/xml/langs.xml - 777
/flash/modules/chat/xml/skins.xml - 777
/flash/modules/chat/xml/main.xml - 666
/flash/modules/desktop/xml/config.xml - 777
/flash/modules/desktop/xml/langs.xml - 777
/flash/modules/desktop/xml/skins.xml - 777
/flash/modules/desktop/xml/main.xml - 666
/langs/.htaccess - 777 hackable known security risk
/langs/lang-en.php - 666 hackable
/media/app - 777
/media/images - 777
/media/images/banners - 777
/media/images/blog - 777
/media/images/classifieds - 777
/media/images/flags - 777
/media/images/membership - 777
/media/images/profile - 777
/media/images/profile-bg - 777
/media/images/promo - 777
/media/images/smiles - 777
/media/images/.htaccess - 777 perfect eh?
/media/images/all files - 777
/media/images/banners/.htaccess - 777
/media/images/blog/.htaccess - 777
/media/images/flags/.htaccess - 777
/media/images/flags/all files - 777
/media/images/membership all files - 777
/media/images/profiles/.htaccess - 777
/media/images/profiles/all files - 777
/media/images/profile-bg/.htaccess - 777
/media/images/promo/original - 777
/media/images/promo/ all files - 777
/media/images/smiles/default - 777
/media/images/smiles/default/.htaccess - 777
/media/images/smiles/default/all files - 777
/media/images/smiles/sample - 777
/media/images/smiles/sample/.htaccess - 777
/media/images/smiles/sample/all files - 777
/inc/prof.inc.php - 777
Now with all of these files being set to 777, I would suggest this is a huge security risk.
But what we found further will shock the best of us. Not only does Softaculous wreck the file permissions for Dolphin; on basically every script it installs, it sets 777 perms on some directories. We tested with WordPress, because that is the quickest to install, and also they have the best security that I know of.
At any rate, I hope this investigation and our time was well spent.
Summary:
My initial post still stands: file perms are way whacked, and cron jobs are not created on every server.
Regards,
DosDawg
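An added example, not from the original post or from Softaculous/Dolphin: a small POSIX shell audit that lists the world-writable entries described above and tightens only the .htaccess and .php files to 0644, leaving application-writable directories as found (on a CGI build without suPHP/suExec the web-server user may need them). It assumes GNU find and stat; the directory layout it builds is a constructed sample, not a real install.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Dolphin web root for
# world-writable entries and tighten the ones that must never be writable.
# Assumes GNU findutils/coreutils (find -perm -o=w, stat -c).

# List every world-writable file or directory under $1 as "<octal> <path>".
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -o=w -exec stat -c '%a %n' {} \; | sort
}

# Number of world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten only .htaccess and .php files (to 0644): a world-writable
# .htaccess or PHP source lets any local user on the box rewrite server
# config or code. Writable data directories (cache, tmp, media, ...) are
# reported but left alone: on a CGI build without suPHP/suExec, PHP runs
# as the web-server user and may genuinely need write access there, and
# the right fix (group write, ownership) is a decision for the host.
harden_config_files() {
    find "$1" -type f \( -name '.htaccess' -o -name '*.php' \) -perm -o=w \
        -exec chmod 0644 {} +
}

# Constructed sample tree that mirrors a few entries from the post above.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/cache" "$d/langs" "$d/media/images" "$d/inc"
    touch "$d/cache/.htaccess" "$d/langs/.htaccess" "$d/langs/lang-en.php" \
          "$d/media/images/.htaccess" "$d/inc/prof.inc.php" "$d/index.php"
    chmod 0755 "$d/inc" "$d/media"
    chmod 0644 "$d/index.php"
    chmod 0777 "$d/cache" "$d/langs" "$d/media/images" "$d/cache/.htaccess" \
          "$d/langs/.htaccess" "$d/media/images/.htaccess" "$d/inc/prof.inc.php"
    chmod 0666 "$d/langs/lang-en.php"
    printf '%s\n' "$d"
}

# Demo run on the sample; point audit_world_writable at a real docroot instead.
sample=$(make_sample)
echo "Before:"; audit_world_writable "$sample"
harden_config_files "$sample"
echo "After:";  audit_world_writable "$sample"
rm -rf "$sample"
```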
Files with incorrect Perms per your post:
All the .htaccess files: these should be 0644 and not 0777 (I'm assuming that's a 0777 and not a 7770 on the perms). That would be fun, wouldn't it?
All the flash/modules/...xml files should be 0666 if I recall correctly. You can't 0777 a file unless it's an ffmpeg.exe, if I'm correct, or at least one shouldn't.
Why the issue with langs/lang-en.php
Now, can someone who knows more than me PLEASE explain how WordPress can write to a 755 dir and update a 644 file and Dolphin can't on the SAME server?? Is it because WordPress creates those files and directories itself instead of FTPing them?
Regards,
DosDawg
Is that a problem?
Hey fella, this was not posted to waste your time, but it was posted so that the community can know that there are issues. I am not reporting this to Softaculous, because it has been reported to Softaculous previously, and unheeded. This puts new members of our community at risk, and this should not be held secret because the sales are an affiliate medium.
I continuously test every facet of this so that I have the safest environment to host this product on, regardless of what level
I was contacted by the lead developer from Softaculous, and all things were set straight. There was some miscommunication as deemed. However, the posts I have set on here were 100% correct. There have been patches released from the time of my post, so if your hosting environment offers Dolphin from the Softaculous auto-installer, please make sure they have updates turned on, because they are needed.
Regards,
DosDawg