[GH-ISSUE #188] Your authdb is downloadable. Please secure your install #119

Closed
opened 2026-02-28 01:21:04 +03:00 by kerem · 13 comments

Originally created by @it-ngo on GitHub (Jan 24, 2019).
Original GitHub issue: https://github.com/tuxis-ie/nsedit/issues/188

I installed nsedit using the github article.
https://github.com/tuxis-ie/nsedit

  • pdns.users.sqlite3 is located under /etc/nsedit
  • in the config.inc.php I refer to the path
  • Rights for folders
    d---rwx--- 2 root www-data 4096 Jan 24 15:06 nsedit
  • rights for the files in the folder
    d---rwx--- 2 root www-data 4096 Jan 24 15:06 .
    drwxr-xr-x 100 root root 4096 Jan 24 14:56 ..
    -rw-rw---- 1 root www-data 0 Jan 24 15:01 log
    -rw-rw---- 1 root www-data 28672 Jan 24 15:06 pdns.users.sqlite3

If I give fewer rights to the file or folder, the error message comes that it cannot find the file.
If I give the file or folder the specified rights, the error comes as in the title description.

Where is my thought error? What do I have to do differently?

In my opinion, it is not possible to access a web page in the /etc folder.

I know this problem from ownCloud or Nextcloud, because I put the data folder in the /var directory.

Please help

kerem closed this issue 2026-02-28 01:21:04 +03:00

@it-ngo commented on GitHub (Jan 31, 2019):

any ideas?


@chessmango commented on GitHub (Feb 2, 2019):

Same issue here - doesn't seem to matter where I keep my authdb, it's detected as downloadable.
/home/myuser is definitely not a directory served by my httpd.


@tuxis-ie commented on GitHub (Feb 2, 2019):

I’ll try to look into this this weekend.

Mark Schouten

> On 2 Feb 2019 at 15:49, Owen Valentine <notifications@github.com> wrote:
>
> Same issue here - doesn't seem to matter where I keep my authdb, it's detected as downloadable.
> /home/myuser is definitely not a directory served by my httpd.



@it-ngo commented on GitHub (Feb 3, 2019):

Further key data:

Ubuntu 18.04 LTS
apache2
PHP 7.2


@tuxis-ie commented on GitHub (Feb 3, 2019):

The check is executed here:
https://github.com/tuxis-ie/nsedit/blob/master/index.php#L39

If you use the web developer feature in your browser, you should be able to see the request executed. Can you check what the result of that web request is?


@it-ngo commented on GitHub (Feb 4, 2019):

If ReadyState = 1
Then Reader.Status = 0

If ReadyState = 2
Then Reader.Status = 200

If ReadyState = 3
Then Reader.Status = 200

If ReadyState = 4
Then Reader.Status = 200
And then comes the alert


@it-ngo commented on GitHub (Feb 14, 2019):

How does it look?
Is this a hoax, so I can circumvent the area of the source text until the repair first?


@it-ngo commented on GitHub (Mar 28, 2019):

Hello??


@WilliamDEdwards commented on GitHub (Mar 28, 2019):

> Hello??

Check your web server config. If HTTP is used to do the authdb request test while you are requesting the page with HTTPS, NSedit falsely reports back that your authdb is downloadable.


@it-ngo commented on GitHub (Mar 29, 2019):

We use a Sophos firewall which we publish over. Between firewall and NSedit everything runs over http.
What do I need to look for in my web server config?


@WilliamDEdwards commented on GitHub (Apr 7, 2019):

> we use a Sophos firewall which we publish over. between firewall and NSedit everything runs over http.
> What do I need to look for in my web server config?

It would appear you are not changing the headers to the right protocol.


@detuur commented on GitHub (Oct 12, 2019):

For me the PHP broke somehow so it was just making a request for my base host URL. So of course that succeeded. I deleted the javascript section out of index.php since I properly secured my install with an authdb that is definitely not served by my httpd.


@jduijm commented on GitHub (Oct 24, 2019):

You can also set the `$testpath` variable to the following (index.php), so that the basename is only replaced when there is actually something to replace:

```php
$testpath = !empty(basename($_SERVER['REQUEST_URI']))
    ? str_replace(basename($_SERVER['REQUEST_URI']), $authdb, $_SERVER['REQUEST_URI'])
    : '/' . $authdb;
```
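
Added example, not nsedit's code and not posted by anyone in this thread: a JavaScript model of the probe-path derivation discussed in the comments above, showing why a request for `/` makes a status-only check report a false positive, plus a content-aware verdict that only flags a 200 response whose body starts with the SQLite file header. The function names, the `AUTHDB` value, the sample responses and the "original" derivation (inferred from the fix in the last comment) are assumptions.

```javascript
// Added illustration; all function names are hypothetical, not nsedit's.
const AUTHDB = "pdns.users.sqlite3"; // constructed config value

// PHP basename() for a URI path: drop trailing slashes, keep the last segment.
function phpBasename(p) {
  const trimmed = p.replace(/\/+$/, "");
  return trimmed.slice(trimmed.lastIndexOf("/") + 1);
}

// PHP str_replace(): an empty search string leaves the subject unchanged.
function phpStrReplace(search, replace, subject) {
  return search === "" ? subject : subject.split(search).join(replace);
}

// Assumed pre-fix derivation: always replace the basename.
function testPathOriginal(requestUri, authdb) {
  return phpStrReplace(phpBasename(requestUri), authdb, requestUri);
}

// Derivation from the last comment (PHP empty() is also true for "0").
function testPathFixed(requestUri, authdb) {
  const base = phpBasename(requestUri);
  return base !== "" && base !== "0"
    ? phpStrReplace(base, authdb, requestUri)
    : "/" + authdb;
}

// Every SQLite 3 database file starts with these 16 bytes.
const SQLITE_MAGIC = new TextEncoder().encode("SQLite format 3\0");

function isSqliteFile(bytes) {
  return bytes.length >= SQLITE_MAGIC.length &&
    SQLITE_MAGIC.every((b, i) => bytes[i] === b);
}

// Content-aware verdict: a 200 only counts if the body is a SQLite file.
function authdbExposed(status, bodyBytes) {
  return status === 200 && isSqliteFile(bodyBytes);
}

// Constructed sample responses: an HTML page and a SQLite-looking body.
const HTML_BODY = new TextEncoder().encode("<!DOCTYPE html><title>NSEdit</title>");
const SQLITE_BODY = new Uint8Array(100);
SQLITE_BODY.set(SQLITE_MAGIC);

console.log(testPathOriginal("/", AUTHDB), testPathFixed("/", AUTHDB));
console.log(authdbExposed(200, HTML_BODY), authdbExposed(200, SQLITE_BODY));
```

With the assumed original derivation, a request for `/` probes `/` itself, which the web server answers with 200 and the HTML page, so a status-only check raises the alert even though no database was served.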
