The Corroboree
Ed Dunkel

Gallery is a bit messy

Torsten (I presume you run the gallery),

The gallery seems to be in a bit of a mess:

Cacti pictures (trichs) in the Aizoaceae section, even a kratom picture.

Lagochilus in the Leguminosae (Anadenanthera, Mimosa, etc) section. etc...

Double pictures in the same or other sections.

This is probably due to unsuspecting submitters using the default Succulent-Aizoaceae setting and wanting to re-submit it in the correct section. Hoping to delete the initial picture (and finding this not being possible).

Could we gain access to editing the pictures a bit more than we have so far, so that we could delete, rename, move, update them?

If not, could we get one person to oversee the running of the gallery?

Whatcha reckon? :)

I think a much more elegant solution would be to use a per user gallery integrated into the forum, like overgrow has.

That way each user has their own gallery and can modify, etc their pictures as they please.

I realise the SAB gallery is special, and that it isn't just for forum people to post their photos, but yeah. At the very least it would mean people could use SAB without having 3 logins (one for shop, one for forum, one for gallery).

i think both you guys have good ideas there. I agree with Ed's idea to allow ppl to Edit their posts. I admit that i am one of the lunatics who double-submitted a pic. It would be good to be able to delete my 2nd submission but i could see no way to do it on the site.

Some great pics up there though! Yikes.

I looked at the pic of Daniel in the Chill Space, and i thought it was Torsten. Maybe i would have got a shock if i was expecting that mr T looked like Daniel?

p.s. i think there should be a link to the gallery on the home page of the forum. Maybe where it says "my profile | directory login | register | search | faq | forum home" at the top, there should be 1 more link saying "gallery"?

all very good ideas, and I have considered them all before. The main problem is that I am hesitant to change the forums software as it will invariably cause a loss of some sort. However, looks like UBB is going down the gurgler anyway, so will have to come up with something. I considered cpg-nuke, but even though the current gallery is cpg, it won't integrate with the new one. Also it's still a small community and who knows when they decide to drop development.

I believe coppermine will include editing features for contributors in the next upgrade. That solves the editing problem.

Still, doesn't solve the multiple password issues though. But then again there is nothing stopping you from using the same log in and password in all sign ups.

I'll have a look at overgrow.

I should've mentioned, I believe they use phpBB, and sites as large as that are a testament to its scalability.

phpBB was for a long time my top choice, but many communities are moving away from it due to security issues. The recent google transmitted virus was just one of the many things that phpBB has issues with. I think its days are numbered...

phpBB has no security issues if your php is locked down properly

so why did phpBB have to rush out a security fix to protect those forums that hadn't been crashed already?

Santy.A targets servers running phpBB. Antivirus companies first detected the worm Tuesday, though it may have been spreading silently well before that, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.

The worm used a vulnerability in phpBB, an open source software product that is managed by the phpBB Group, to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites

Also, techies running ethno and drug sites appear to agree that phpBB does not offer good security and some have already moved to projects like cpg-nuke, while others are still looking. I am not a techie, but I know the criticisms and problems other webmasters have with their sites.

hey all, not sure whether this is a problem i can fix but i seem to have posted a bunch of pics in the wrong place. i selected the appropriate section for most of them and somehow i must have left some of them untouched so they were filed in the cacti section.... please let me know if there is some way i can amend this so as not to make the gallery look messy.

cheers

***E***

OK, have tidied up the gallery. It's really only 3 people who constantly post in the wrong albums, with reville topping the list by a long shot... maybe we should make him the gallery moderator

thanx heaps for that Torsten, i'll make sure i'm a little more careful next time lol, and it sure looks a lot better now :)

Torsten:

so why did phpBB have to rush out a security fix to protect those forums that hadn't been crashed already?

Santy.A targets servers running phpBB. Antivirus companies first detected the worm Tuesday, though it may have been spreading silently well before that, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.

The worm used a vulnerability in phpBB, an open source software product that is managed by the phpBB Group, to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites

Also, techies running ethno and drug sites appear to agree that phpBB does not offer good security and some have already moved to projects like cpg-nuke, while others are still looking. I am not a techie, but I know the criticisms and problems other webmasters have with their sites.

Like I said...no security issues if PHP itself is locked down correctly. Things like viewtopic.php should be in the robots.txt file, not even as a security measure but as a common sense measure. That simple one line in a plain text file stops the worm.

Secondly, mod_security should be installed on all apache rigs that have server side scripting enabled (ala PHP/Perl/CGI), and that stops other people from exploiting the issue.

PHP injection exploits are the most common web server attacks around, short of the unicode exploit to iis 5.0. Site admins who use PHP should always have preventative measures in place.
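An offline audit of the robots.txt measure mentioned in the post above, as an added example that is not part of the original thread. It uses Python's standard `urllib.robotparser` on constructed robots.txt samples; the `/forum/` install path and the crawler list are assumptions. It also covers a case the post does not go into: a crawler-specific group replaces the `*` group for that crawler, and robots.txt only instructs compliant crawlers, so this measures search-index exposure, not whether the script is patched.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt files (not taken from any real site).
ROBOTS_WILDCARD_ONLY = """\
User-agent: *
Disallow: /forum/viewtopic.php
"""

# A crawler-specific group replaces the "*" group for that crawler, so the
# wildcard Disallow below does not apply to Googlebot in this file.
ROBOTS_WITH_OVERRIDE = """\
User-agent: Googlebot
Disallow: /private/

User-agent: *
Disallow: /forum/viewtopic.php
"""

CRAWLERS = ["Googlebot", "Slurp", "msnbot"]  # assumed list of crawlers to audit
SCRIPTS = ["/forum/viewtopic.php"]           # hypothetical install path


def crawlable(robots_txt, crawlers=CRAWLERS, scripts=SCRIPTS):
    """Return sorted (crawler, url) pairs that robots.txt still allows."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    exposed = []
    for agent in crawlers:
        for path in scripts:
            # Check the bare script and a query-string form, since topic
            # pages are indexed as viewtopic.php?t=<id>.
            for url in (path, path + "?t=1"):
                if parser.can_fetch(agent, url):
                    exposed.append((agent, url))
    return sorted(exposed)


if __name__ == "__main__":
    samples = [("wildcard only", ROBOTS_WILDCARD_ONLY),
               ("with override", ROBOTS_WITH_OVERRIDE),
               ("empty file", "")]
    for label, text in samples:
        print(label, "->", crawlable(text))
```
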

is this all stuff a site admin could do (if he was smart enough) or do any of these rely on the server admin?

As long as you have a text editor and access to your server config files (httpd.conf, robots.txt, .htaccess, etc) you can do them. I've seen the things you can explain T, and you're definitely smart enough.

If you want any help, don't hesitate to ask :)

Just thought I'd add some links to give you a reference if you wanted one.

Simple apache security tips:

http://httpd.apache.org/docs/misc/security_tips.html

This is a list of common PHP exploits, you can run them against various bits of your site, see if they need more security:

http://old.lwn.net/2001/0704/a/study-in-scarlet.php3

If you're uber paranoid, people have made a Hardened PHP project, which is PHP with a good security patchset, much like grsecurity for linux kernels!:

http://www.hardened-php.net/

I guess this one is ok, just pulled it from google:

http://www.howsyournetwork.com/index.php/c...base.detail.htm

There's also a book you can buy cheaply (used) from amazon called "Hardening Apache" which is quite good.

That should get you started. If you try tightening up your shit and it breaks some of your apps, then you need to talk to your vendors about why they're supplying you insecure stuff!

EDIT:

Last and not least (can't believe I forgot it):

http://www.modsecurity.org/

It's an apache module, much like iptables but for web apps rather than your network stack. Means you can implement some good rules to deny inherently evil requests, etc.

[ 07. March 2005, 11:31: Message edited by: apothecary ]

yikes apothecary! that's some heavy shit

how long would it take a guru like you to do a cursory/rudimentary evaluation of a web site running on an apache server to see if it is reasonably secure?

(i'm thinking of my own site, of course www.guruna.com )

oh and apoth, if you were kind enough to surf over to my site, and you did see something wide open.... er.... PM me, don't reply here :P

i don't know if u r familiar with osCommerce. It seems like a pretty standard PHP app. Of course, since EVERYONE on this forum is using it (since EVeRYONE on this forum is an el-cheapo freeloader no i should just speak for myself ), security tips for that app are always welcome :)

[ 07. March 2005, 15:48: Message edited by: MetalGertrude ]

I know you were probably joking, but let me put in a good word for open source here.

Open source is free. That doesn't make it crap. Think about it. When you have an open source app, you have 2 types of people looking for exploitable holes. Black Hats, and White Hats.

There's an equal chance of either one finding it, but at least if the white hat finds it, they report it or patch it themselves. Instant security fix.

With proprietary apps, you have exactly 1.5 people looking for holes. What the fuck do I mean by 0.5 of a person? Well think about it. Black hats don't report the hole. They find it, exploit it. With closed source apps, the White hat can find the holes, but rolling out an update is the vendor's ball, and it can take however long they like. So the White hat is only worth 0.5 of a resource!

I'm not saying that open source apps like osCommerce are infallible...just that there's a much better chance of there being actual responses to security holes.

What a rant :P

Anyways, if you think I'm a guru, you should see my boss!

As an app, I think osCommerce is fairly up to nick. If I was you, I'd do two things.

1. Subscribe to the "bugfix" or "security" mailing list for all the packages you use on your site. Apache, PHP, whatever SQL server you're using, osCommerce, etc.

That way, as soon as the vendor knows of a bug/hole, you know too.

2. Try and implement as many of the techniques in my above post you can! You owe it to your customers!!

Lastly, before this turns into an essay, guruna is a cool site. I like it :)

[ 07. March 2005, 19:01: Message edited by: apothecary ]

Thanks Apoth, excellent advice. I will take your advice from both posts. I was certainly only joking about open source... i LOVE open source, it's one of those miracles that i still can't believe is real (kind of like the way some plants grow). Something organic, really.... Self-organizing in certain ways....

Security (and the short time between exploits and fixes) is an undeniable plus for open source. I agree totally with you.

In osCommerce, with its fairly-simple architecture and encouragement for contributions, it is an absolute JOY to download and install new contribs. I must have installed some of the most useless little things, but the fact that the core application is so extensible... so flexible... and the fact that extensions are optional, is just incredible.

Recently i discovered that with a bit of knowledge, it was easy to get into my site Admin section. Of course, if anyone actually bought stuff from me that would be a disaster, so as it stood, it was simply a curiosity haha. I fixed the entrance into the Admin section (otherwise i wouldn't mention it!) but it got me to thinking... hence my delight @ the nice timing of your posts here.

What do you do apoth? R u a developer? Apologies if the answer to the question is easy to find. As Krusty the Klown once said, i'm a lazy, lazy man

I work for CSIRO ...I think my official title is Software Engineer/Systems Administrator, but you know how it is with government organisations and official titles :P

I'll be there till sometime near the end of june, and if they don't renew my contract, it's back to uni for me! :D
