... | ... | @@ -2,17 +2,18 @@ This article aims at giving security hints for RosarioSIS. |
|
|
|
|
|
# PostgreSQL database
|
|
|
|
|
|
Instead of creating the RosarioSIS database with the _postgres_ user, first create a user that can login and create database. Then login with that user and create the RosarioSIS database so that the RosarioSIS user is its owner. So in case your RosarioSIS user password is discovered, the whole PostgreSQL server is not compromised.
|
|
|
Instead of creating the RosarioSIS database with the default _postgres_ user, first create a user that can login and create database. Then login with that user and create the RosarioSIS database so that the RosarioSIS user is its owner. So in case your RosarioSIS user password is discovered, the whole PostgreSQL server is not compromised.
|
|
|
|
|
|
If you have succesfully installed RosarioSIS on your production server:
|
|
|
|
|
|
Here is the list of files that contains the **version number** of RosarioSIS, if you would like to hide it:
|
|
|
Here is the list of files which contain the **version number** of RosarioSIS, in case you would like to hide it:
|
|
|
|
|
|
* [CHANGES](https://github.com/francoisjacquet/rosariosis/blob/mobile/CHANGES#L3)
|
|
|
* [CHANGES.md](https://github.com/francoisjacquet/rosariosis/blob/mobile/CHANGES.md)
|
|
|
* [COPYRIGHT](https://github.com/francoisjacquet/rosariosis/blob/mobile/COPYRIGHT#L3)
|
|
|
* [INSTALL](https://github.com/francoisjacquet/rosariosis/blob/mobile/INSTALL#L4)
|
|
|
* [WHATSNEW](https://github.com/francoisjacquet/rosariosis/blob/mobile/WHATS_NEW#L3)
|
|
|
* [Warehouse.php](https://github.com/francoisjacquet/rosariosis/blob/mobile/Warehouse.php#L6)
|
|
|
* [INSTALL.md](https://github.com/francoisjacquet/rosariosis/blob/mobile/INSTALL.md)
|
|
|
* [WHATSNEW.md](https://github.com/francoisjacquet/rosariosis/blob/mobile/WHATS_NEW.md)
|
|
|
* [Warehouse.php](https://github.com/francoisjacquet/rosariosis/blob/mobile/Warehouse.php#L18)
|
|
|
* [rosariosis.sql](https://github.com/francoisjacquet/rosariosis/blob/mobile/rosariosis.sql#L3510)
|
|
|
|
|
|
Be careful when you update RosarioSIS. If you overwrite the files, the above files will be accessible again!
|
|
|
|
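Review bot: the new list entry's link text and target disagree: the text reads "WHATSNEW.md" while the URL points at `WHATS_NEW.md`, and the same mismatch already existed for "WHATSNEW" vs `WHATS_NEW#L3` in the old version, so please make the label match the real file name. Two more points in this hunk: the line-anchored links (`CHANGES#L3`, `INSTALL#L4`, `Warehouse.php#L18`, `rosariosis.sql#L3510`) are pinned to the moving `mobile` branch and will drift to unrelated lines on the next commit, so link to a tag or commit permalink instead; and COPYRIGHT disappears from the list without the change saying whether it no longer carries the version string, which the reader needs to know before deciding not to strip it. Minor: "succesfully" in the context line should be "successfully", and "create database" should read "create databases". Since the closing sentence warns that an update overwrites these files and exposes them again, consider recommending a deny rule in the web server configuration for these paths rather than deletion, as the former survives upgrades.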
... | ... | @@ -38,7 +39,7 @@ session.hash_function = sha256 |
|
|
|
|
|
Finally, and more generally, here is a good set of Apache rules to block attacks: [**5G Blacklist 2013**](http://perishablepress.com/5g-blacklist-2013/)
|
|
|
|
|
|
But you should remove this line for RosarioSIS to work:
|
|
|
However, you should remove this line for RosarioSIS to work:
|
|
|
|
|
|
``
|
|
|
RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]
|
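Review bot: telling readers to drop the whole `RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]` line removes every pattern in that alternation, including the `\.\./` and backslash checks that block path-traversal-looking query strings, but the text never says which of the five alternatives RosarioSIS actually trips; name the offending sub-pattern and suggest deleting only that alternative, keeping the rest of the condition in place. Also check that the conditions around it still form a valid chain once the line is gone, since it ends with `[NC,OR]` and a dangling `OR` on the preceding condition changes what the rule matches. The code fence here opens with two backticks (``), which Markdown does not treat as a fenced block, so the RewriteCond line will render as prose; use three. Two caveats for the surrounding context: the "5G Blacklist 2013" ruleset is dated and should be labelled as such, and the `session.hash_function = sha256` context line no longer exists in PHP 7.1 and later (replaced by `session.sid_length` and `session.sid_bits_per_character`), so the guide should state which PHP version it targets.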
... | ... | |