Security Notes:
A) Why /Quix and an empty index.html?
Because if an attacker happens to arrive on your website, he will see only a blank page. He will not know that Quixplorer is installed. This reduces the risk of attacks on Quixplorer.
B) In the file C:\Pi3Web\WebRoot\Quix\.Include\footer.php delete everything between the lines: function show_footer() { // footer for html-page.
(This prevents the webmaster of the Quixplorer site from learning the address of your website through the HTTP Referer.)
C) In the file C:\Pi3Web\WebRoot\Quix\.Include\login.php find the location of this code:
---%-----------
Code:
if(isset($GLOBALS['__POST']["p_user"])) {
    // Check Login
    if(!activate_user(stripslashes($GLOBALS['__POST']["p_user"]), md5(stripslashes($p_pass)))) {
        logout();
    }
---%-----------
and add sleep(10); just before the login check:
---%-----------
Code:
if(isset($GLOBALS['__POST']["p_user"])) {
    // Check Login
    sleep(10); // wait 10 seconds before every login check
    if(!activate_user(stripslashes($GLOBALS['__POST']["p_user"]), md5(stripslashes($p_pass)))) {
        logout();
    }
---%-----------
This imposes a 10-second wait on every login attempt, which protects Quixplorer against "brute force" attacks.
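An added example, not part of Quixplorer or of the original notes: a variant of the same idea that leaves the first attempts undelayed and refuses further ones for a doubling lockout period, so a legitimate login is not slowed and no web server worker is held in sleep(). It assumes PHP 7 or later; the function names, the state-file path, the limits and the sample address are all hypothetical.

```php
<?php
// Added example, not Quixplorer code: failure-based login throttling.
// Function names, state-file path and limits are assumptions.
const MAX_FREE_FAILURES = 3;   // failed logins allowed before any lockout
const BASE_LOCK_SECONDS = 10;  // first lockout, same length as the sleep(10) above
const MAX_LOCK_SECONDS  = 900; // upper bound for the doubling lockout

function throttle_load(string $file): array {
    $raw  = is_file($file) ? file_get_contents($file) : false;
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : [];
}

function throttle_key(string $user, string $ip): string {
    // One counter per (user name, client address) pair.
    return hash('sha256', strtolower($user) . '|' . $ip);
}

// Seconds the client must still wait; 0 means the login check may run.
function throttle_wait(string $file, string $user, string $ip, int $now): int {
    $e = throttle_load($file)[throttle_key($user, $ip)] ?? null;
    return $e ? max(0, $e['locked_until'] - $now) : 0;
}

// Record the outcome of a login check and update the lockout window.
function throttle_record(string $file, string $user, string $ip, bool $ok, int $now): void {
    $data = throttle_load($file);
    $key  = throttle_key($user, $ip);
    if ($ok) {
        unset($data[$key]);                       // success clears the counter
    } else {
        $fails = ($data[$key]['fails'] ?? 0) + 1;
        $over  = $fails - MAX_FREE_FAILURES;      // failures beyond the free ones
        $lock  = $over > 0 ? min(MAX_LOCK_SECONDS, BASE_LOCK_SECONDS * 2 ** ($over - 1)) : 0;
        $data[$key] = ['fails' => $fails, 'locked_until' => $now + $lock];
    }
    file_put_contents($file, json_encode($data), LOCK_EX);
}

// Constructed demo: five wrong passwords from one address, one second apart.
$file = sys_get_temp_dir() . '/quix_throttle_demo.json';
@unlink($file);
$now = 1000; // constructed clock value
for ($i = 1; $i <= 5; $i++, $now++) {
    $wait = throttle_wait($file, 'admin', '203.0.113.7', $now);
    if ($wait > 0) { echo "attempt $i: refused, retry in {$wait}s\n"; continue; }
    throttle_record($file, 'admin', '203.0.113.7', false, $now);
    echo "attempt $i: password checked and rejected\n";
}
```

In login.php, throttle_wait() would be called at the point where sleep(10) was added, and throttle_record() once activate_user() has returned.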
D) Keep an eye on the computer on which you type your password: if a keylogger is installed, your password may be stolen, and this will give others access to your files and your hard drive! Be wary, whether in a cafe or at a friend's.
Where possible, use a bootable CD such as Knoppix (http://www.knoppix.net/): you will be assured that there is no keylogger.
E) Preferably use Quixplorer logins with limited rights.
(For example, access to a single directory only, or read-only access.)
If a password is stolen, the damage will be smaller if the attacker can access only one directory rather than your entire hard drive.
Do not use the administrator account to log in from outside: if someone steals your password, he can access your entire hard drive!