Hi!
Let us assume I have a very weak password and someone manages to get inside the panel.
Would this mean a risk to inject infected PHP files somehow?
X3 Photo Gallery Support Forums
Haider of Sweden wrote: Would this mean a risk to inject infected PHP files somehow?
It is not possible to upload PHP files from the X3 panel, but I would not claim there is NO risk. Depending on how well your server is configured, it might be possible to exploit the server with a JPG file upload, especially if they have access to edit the .htaccess file. Even if they can't upload PHP, they can seriously mess up your X3 website of course. Preventing hackers from logging in to the panel in the first place should be the #1 priority.
Haider of Sweden wrote: Let us assume I have a very weak password and someone manages to get inside the panel.
Unless you are using any of the suggestions above, there simply isn't any excuse these days to use weak passwords for logins that need to be secure. You can find loads of apps/extensions that will create strong passwords for you and save them (also across devices).
Haider of Sweden wrote: You are talking about two things; X3 itself and the server configuration. As for the server configuration, I'll have to investigate whether the htaccess file security is weak or not.
Not sure where I have mentioned the server configuration ... My entire reply above, including the four suggestions are 100% related to the PANEL, and how to protect it.
Haider of Sweden wrote: But to exploit it and use JPG for example, this brings us to the X3 Panel.
Indeed it does. ALL my suggestions are about panel security and protection. If your panel is accessed by an unwelcome user, your server is at risk, I can't guarantee anything else. Therefore, it should be TOP priority for you to protect your PANEL, including setting a STRONG password.
Haider of Sweden wrote: What are the risks of a weak panel password?
If you use any of my other THREE suggestions from above, then the risk is MINIMAL. But why set a weak panel password anyway? It is HEALTHY to be paranoid about your panel login.
Haider of Sweden wrote: If the htaccess is secure, you won't be able to upload anything harmful anyway, would you?
I am not sure where you get this idea about the htaccess file. The htaccess file has almost nothing to do with security. If a user gets access to your panel, they can upload files, create folders, and create havoc, REGARDLESS of the htaccess file.
Haider of Sweden wrote: Reason for my question is that a server where X3 is hosted got hacked. I have a feeling X3 was NOT the cause (i.e. weak password), but I ask anyway to be sure if I might have missed anything.
Well, "got hacked" is a bit vague ... What did they do? Any other apps stored on the server?
tomrock wrote: May I mention, you may want to edit the robots.txt file with the new name of your panel if you do this?
I was gonna say that would be a good idea, but it occurred to me that would allow hackers to find out your panel URL by loading /robots.txt in their browser. It's not really necessary to update this, as it's just there to tell search engines to ignore /panel/. If you rename your panel, there is no way a search engine can find your panel anyway :)
mjau-mjau wrote:
    tomrock wrote: May I mention, you may want to edit the robots.txt file with the new name of your panel if you do this?
    I was gonna say that would be a good idea, but it occurred to me that would allow hackers to find out your panel URL by loading /robots.txt in their browser. It's not really necessary to update this, as it's just there to tell search engines to ignore /panel/. If you rename your panel, there is no way a search engine can find your panel anyway :)
I didn't think of that. Excuse me while I go edit my robots.txt back to how it was :-)
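
A defender-side check for the two points raised in this thread, as an added example that is not part of the original posts or of X3's own code: it flags image files in an upload folder that contain a PHP opening tag, lists any .htaccess files found there for manual review, and reports robots.txt Disallow lines that name a renamed panel folder. The folder layout, the sample files and the panel name `my-secret-admin` are constructed assumptions.

```python
import os, re, tempfile

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Only the long opening tag is matched; shorter tags collide with random image bytes.
PHP_TAG = re.compile(rb"<\?php", re.I)

def robots_leaks(robots_txt, panel_dir):
    """Return Disallow paths that reveal a renamed panel directory."""
    leaks = []
    for line in robots_txt.splitlines():
        field, _, value = line.split("#", 1)[0].partition(":")
        if field.strip().lower() == "disallow" and panel_dir.lower() in value.lower():
            leaks.append(value.strip())
    return leaks

def scan_uploads(root):
    """Walk an upload folder; return sorted (kind, relative path) findings."""
    findings = []
    for folder, _, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name == ".htaccess":
                findings.append(("htaccess-review", rel))   # compare with a known-good copy
            elif ext in IMAGE_EXT:
                with open(path, "rb") as fh:
                    if PHP_TAG.search(fh.read()):
                        findings.append(("php-in-image", rel))
            elif ext.startswith(".ph"):
                findings.append(("script-file", rel))       # .php, .phtml, .phar ...
    return sorted(findings)

def demo():
    """Constructed sample tree and robots.txt, built in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "album"))
        samples = {
            "album/ok.jpg": b"\xff\xd8\xff\xe0 plain image bytes",
            "album/odd.jpg": b"\xff\xd8\xff\xe0 <?php /* constructed marker */ ?>",
            "album/.htaccess": b"# constructed file\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        robots = "User-agent: *\nDisallow: /panel/\nDisallow: /my-secret-admin/\n"
        return scan_uploads(root), robots_leaks(robots, "my-secret-admin")

if __name__ == "__main__":
    print(demo())
```

Point `scan_uploads` at the folder the panel writes to and pass your real robots.txt text and panel folder name to `robots_leaks`; an empty result from both means nothing was flagged.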