Myself with my Project Manager Marc, we have setup a social community platform, and we would appreciate very much, if you could give us a review for anything you think is important for us to improve.

It may be viewed here: Search Editors Community / Published News

Thanks in advance for your kind support.

John

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

I am honored in being able to review your site.
I did see a few things that I was surprised to see.
I would like to start out by saying that it is an excellent blog / supportive site for your main site. Good / very useful content, well organized, but:

1. While viewing your source code I was surprised to see the amount of white space / empty lines. I was anticipating cleaner coding with better grouping of code.

2. Your description and keywords need to be completed.

3. While looking through your robots.txt file, I also tested for directory indexing and found it possible. One of the ones I tested was http://www.searcheditors.com/templates/

4. I have seen your favicon used on a different page. It may have been one of your pages, but I am not sure. Just something to think about if you want to use it as a favicon for your site.

5. On your 404 page, where you have "Pretty sure it's a website bug? Please let us know and we'll try to get it fixed." I would have added a link to a web form so people could let you know.

__________________
The Sensual Touch Lingerie | High Heels | High Heel Blog

DON'T TELL ME HOW MANY CHARACTERS MY PASSWORD NEEDS.

My password is my password and if I want to use 3 letters, then please let me do so.

__________________
Dave Barnes
+1.303.744.9024
http://www.marketingtactics.com
sitting in my basement with my iMac

Too bad Dave. We are concerned about the security of our members. And that is a minimum we can provide.

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

We did not write the code. It is a pligg template which we are working on, to clean it up, improve its semantical structure and accessibility.

If you are about SEO it is not required. Still we are planning to implement when we have the time.

How can it be indexed if no link points to that folder. Do you possibly mean that it is browsed? If yes, we are going to disable it with rules in our .htaccess.

Can you be more specific where?

Good idea. Will be done.

Thanks for the kind review. Keep suggestions coming.

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

I think you're misunderstanding what type of indexing I'm talking about. I'm not talking about being indexed by search engines but a index / listing of that folder's contents. Alot of people look at the robots.txt file to see folders, then pluck in the address and look for exploits and to steal content. A quick fix, as I am sure you know, is just put a blank index.html in each folder.

For the life of me I cannot remember where I have seen that image, but if I come across it again I will make sure to let you know.

__________________
The Sensual Touch Lingerie | High Heels | High Heel Blog

Found it!

http://blogious.wordpress.com/2008/04/20/smashing-feed-icons-by-fasticon/

This is one site that I saw it on, but there are more.

__________________
The Sensual Touch Lingerie | High Heels | High Heel Blog

Thanks for the excellent tip!!! How could I miss that?
I just fixed the issue. But not with an empty html file. I did that server side.

About the favicon, it was a graphic of a template we bought and I use it on our platform. At some point when we have time we might will come up with another idea.

Keep suggestions coming! And a lot of thanks again.

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

John...

Is this the pligg platform?

Dave

__________________
Religious-Jewelry Blog - Deep Link Directory - Religious Jewelry

Isn't it a good enough comment that I have started even before this thread started yesterday, by linking to that site deep in my linkcollection?

__________________
Mini Network:: Financial information at your fingertips
Learn object oriented programming where it started

Exactly. The latest Pligg version. But a lot of extra work have been required to get it at its present state. And there is still some work to be done. Otherwise it is very good. Though I am sure that my next projects will be Drupal based.

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

Hey thanks Kjell. Very much appreciated bro.

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

The reason I ask is that I got rid of pligg (have not even considered the latest version) because of nothing but problems on two different sites. I like the idea and am curious to see how it works out for you.

Dave

__________________
Religious-Jewelry Blog - Deep Link Directory - Religious Jewelry

Looks pretty good. Only suggestions I would have are:

If possible in your server configuration (or .htaccess if this is a shared server) set the ServerToken to Product Only. This will prevent the forbidden message and the server headers from displaying the version of Apache you are running.

I see you blocked the /templates/ directory as suggested by amxfan. However, it may still be possible to guess file names and use other (possibly yet undetected) vulnerabilities to execute files in that area. May I suggest, remove the /templates/ and other sensitive directories from your robots.txt file, and replace the 403 Forbidden response with a 404 Not Found? This can be done by removing the allow/deny rules you added to .htaccess, and replacing them with:

RedirectMatch 404 /templates/.*

This will cause your server to display your customized 404 error page instead of the current static 403 forbidden message. It should be friendlier if a user does get to that folder by mistake, and should also help with security by hiding the folder.

__________________
The best way to learn anything, is to question everything.

I have tried Pligg some months ago and I had problems too. But it was still Beta. This time I must admit that they have done a lot of good work since then. I am sure you will like it now.

The most important thing is what another member mentioned above, to disallow browsing directories which are not for users/visitors and bots.

You can add an .htaccess file in each directory which doesn't have one, and then add in all of them the following rule:

Thats it. If you need some help to defend yourself from spammers, we got some stuff done already. If you need help there, I guess we are already experts. Or, let say I hope.

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

Last two comments tell me that we should invest more time in becoming Apache experts.

__________________
Mini Network:: Financial information at your fingertips
Learn object oriented programming where it started

Thanx John. We did quite a bit of work also. Spammers were only part of the problem. Crashes, lost info, functions that didn't work or only worked part of the time etc.

I do like the idea but am going to take a bit of a "wait and see" before risking having to redo a lot of work again.

Dave

__________________
Religious-Jewelry Blog - Deep Link Directory - Religious Jewelry

Can you edit for me here the rule to set ServerToken? I could not figure that out.
Also the RedirectMatch 404... was returning a server error.

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

Why don't you go for Drupal? I began playing around with it and I am seriosuly impressed, and I also ordered this book two days ago: Amazon.com: Building powerful and robust websites with Drupal 6: David Mercer: Books

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

No. Just learn Basic Apache Security.

Here is a cool PDF file to learn: http://www.ts.vcu.edu/security/Check...hmark_v1.0.pdf

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

I hope I will not need to implement this: Pligg Spam From India And How To Stop It | Social CMS Buzz

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

Thank you John. Hope I get time to study that in a holiday, that I definitely need now. It is time for a Holiday when I hit the wrong radio button two times the same day.

__________________
Mini Network:: Financial information at your fingertips
Learn object oriented programming where it started

Server tokens:
This will change the line from "Apache/2.2.3" to "Apache" NOTE: I am not sure if this works in .htaccess. It may need to be changed in the config directly.
EDIT: I double checked, and this can only be changed in the main configuration of the server. Never mind.

404 Hack:
This would go in the main (root) .htaccess file, and should work on any URL. Again, you may need to check if RedirectMatch directives are enabled in .htaccess files. What was the error you got using this code?

__________________
The best way to learn anything, is to question everything.

I am now working in updating our httdconf with some stuff I found here: http://www.ts.vcu.edu/security/Check...hmark_v1.0.pdf

I will get back to you soon. I still have not met you in IM.

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

I'm going to ask. I think I'm missing something but why did you not just turn off directory indexing and make a custom 403 page if you wanted to do it server side and did not want the default forbidden 403 error page?

Taken from Apache's site

How do I turn automatic directory listings on or off? If a client requests a URL that designates a directory and the directory does not contain a filename that matches the DirectoryIndex directive, then mod_autoindex can be configured to present a listing of the directory contents.
To turn on automatic directory indexing, find the Options directive that applies to the directory and add the Indexes keyword. For example:

<Directory /path/to/directory>
Options +Indexes
</Directory>

To turn off automatic directory indexing, remove the Indexes keyword from the appropriate Options line. To turn off directory listing for a particular subdirectory, you can use Options -Indexes. For example:

<Directory /path/to/directory>
Options -Indexes
</Directory>

From a security standpoint, a 403 Forbidden message can tell an attacker something about your site - giving locations that may be vulnerable to attacks. Simply forbidding access to the folders lets the attacker know that the files exist, and with that information, the attacker may be able to determine what CMS you use, or may be able to inject code into your site which allows them to view the forbidden documents. In contrast, if you use the 404 trick, the attacker has no way of determining that the files in question exist.

__________________
The best way to learn anything, is to question everything.

Thank you Wige

Good point and I agree totally, but unless one changes the entire site structure, one would be attacker already knows what folders are there since Wordpress and other programs create them during install by default and it was also stated that it was a Pligg template given them that info also.

I did like the way you blocked the Apache from displaying it's version as most attacks are server attacks or OS attacks and not site attacks either entering though a SA account that was not disabled or through the use of unicode written to exploit a certain vulnerability. Yes there are many other ways as well through different tools and ports, but most if not all of them are also geared towards attacking a server or OS.

I think it is a bit overkill going through the trouble in blocking the folder to the point you are due to if you think about it your site is only as secure as the server it is on and only as strong as the other sites hosted on the same server as a person could enter through them and gain root access.
The main reason people block directory indexing is to stop people from stealing content, scripts and databases.

__________________
The Sensual Touch Lingerie | High Heels | High Heel Blog

I'll give you an example, from an attack I did earlier today. Someone had a folder (/admin/) blocked with a 403 Forbidden page. Seeing that, I was able to e-mail the owner of the site the source code of /admin/index.php by compromising the form mail system installed on their server. If I had not been able to find the /admin/ folder, it would have been that much harder for me to find interesting things. Basically, any little thing you can do to slow, confuse or delay an attacker can help reduce the impact of the attack.

__________________
The best way to learn anything, is to question everything.

Again I agree 100% with what your saying.

But again the admin folder is there by default. You would have to change the entire site structure hence change the name or location of the folder.

Typical install default for most directories is public_html/admin/login.php with a index.php file that is usually blank or has a forbidden message in it. public_html/wp-config.php is a Wordpress blog default path installed in the root.

Some hosts also have a mirror of the public_html folder that is called www

You also stated you compromised their mail server again - a server attack.

Again I agree with you. My point is how much is enough?

Anyway this is getting off topic of the site review.
From long ago pub hacking days, I have seen people not going after the site themselves but going after the gateways to gain CC info or the server to get control over the system to use the bandwidth and drive space for dump / distro sites. The only time they used the site was to input the unicode to exploit a flaw in the OS.

Yes one should do everything they can. But his site may be secure. Is every other site on that server secure and is the server itself secure?

One quick article on my point of the server being secure and other peoples sites needing to be secure as well:
http://breakingwindows.com/2008/04/ipower_hosted_site_hacked_with.php

Thank you wige for your replies and insight. I believe we are on the same page, we are just viewing it from 2 different angles.

__________________
The Sensual Touch Lingerie | High Heels | High Heel Blog

We enabled the "RedirectMatch" and added the rule in our root .htaccess file and then the template did not display at all. Any tips?

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

Security is our primary concern, and we are doing as best we can to have all of our sites and our server as secure as possible.

Tips are very welcome in our site review thread too.

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO

Any further suggestions or comments?

__________________
"Being an expert isn't telling other people what you know. It's understanding what questions to ask, and flexibly applying your knowledge to the specific situation at hand. Being an expert means providing sensible, highly contextual direction." Jeff Atwood
SEO Workers - Search Engine Optimization Consulting Company | SEO Analysis Tool | Webnauts Net SEO