File permissions appear to have changed and the system is no longer able to write to the following files
Typesetter is hacked. This is a false error and will cause you to change permissions on files and directories so you will get hacked.
Only solution is to delete typesetter and use properly maintained software instead.
What can this issue be good for!? If it should be true: which provider, which Apache and PHP version, which Typesetter version?
I personally had 90% of my visitors as bots and crawlers. The only time I was (just a little bit) cracked (2019) was when phpmailer was still the old version.
If file-rights have been changed, that may be the bot- and hack-shield of the provider, which often sets the rights after some time to the minimum necessary for apache (might cause a problem).
Reset the rights in the CMS under: -> Uninstall prep --> Change Your Mind? You can restore the file permissions for added security here:....
I have tried to let online checkers crack my Typesetter CE version (the GitHub 52RC is still a bit safer) without https - my installation is super-safe!
Please specify your posting! Which CMS is safer? WordPress and Drupal have several XSS issues.
For those interested: This is the code block that leads to the error message mentioned.
Pretty simple stuff, actually.
If someone has suggestions for improvement, go ahead.
Is that code checking to see if a .php file is writable by the web server?
No modern operating system with secure installation will ever allow a file that is executable to be writable by the web server no matter what the permissions are set to.
Parameters should be written to a writable config file that can never be executed but have its parameters read by a PHP file, but never demand write access to a config.php or any other executable file or file with an executable extension, and all will work. This can be done and Typesetter can be fully secure and installable on secure systems. Worth the trouble.
No modern operating system with secure installation will ever allow a file that is executable to be writable by the web server… This can be done…
A noble approach but far from reality. A simple example: How should a remote update, the installation of plugins or themes work in such an environment you describe? With strong crypto, code signing and mandatory security audits for all community plugins and themes? Hardly feasible. And even then, the updater would have to write executable code (namely PHP in our case.)
Another example: let's take WordPress. IMO it's a good measure simply because it is by far the most successful CMS.
Take a look at WordPress' Theme Editor (many other web CMS have similar features). We do not allow such editing of PHP files because we would call that an authenticated RCE.
In contrast to WordPress, Typesetter will never allow direct access to PHP files from the admin user interface (regardless of set admin permissions). None of the PHP files that Typesetter writes to the /data directory is an entry point. They all instantly die if not loaded by a running Typesetter instance. This sets Typesetter significantly apart from WordPress in terms of security IMO.
If Typesetter was (re)written today, it would probably go a different path.
There is an experimental setting in /gpconfig.php to use JSON files instead of PHP. It's experimental for several reasons - worth a different topic.
To sum it up: Typesetter had extremely few serious security vulnerabilities in its history. Way less than most other CMS I know.
I personally had no security incidents in the past 8 years. Over 100 websites, no incidents.
The most recent WordPress hack I've been dealing with was just 2 weeks ago.
So Typesetter can't be that bad.
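The question the thread turns on, which PHP files the web server account is able to modify, can be checked on any install. The following is an added example, not code from the thread or from the Typesetter project: a shell function that lists such files from ownership and mode bits. The web user argument and the extension list are assumptions to adjust per host.

```shell
#!/bin/sh
# Added example (not Typesetter code): list files with a PHP-executed
# extension that the web server account could modify.
# Assumptions: the extension list below matches what your server hands to PHP,
# and WEB_USER is the account (name or numeric uid) the PHP process runs as.

# audit_writable_php ROOT WEB_USER
# Prints one path per line for every matching file that is either
#   - owned by WEB_USER and owner-writable (mode bit 0200), or
#   - group-writable (0020) or world-writable (0002).
# Only classic mode bits are inspected; ACLs and mount options are not.
# Group-writable files are reported conservatively, since the web server
# account may or may not be a member of the owning group.
audit_writable_php() {
    root=$1
    web_user=$2
    find "$root" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
        \( \( -user "$web_user" -perm -200 \) -o -perm -020 -o -perm -002 \) \
        -print | sort
}

# count_writable_php ROOT WEB_USER
# Prints the number of findings, for use in a cron job or deployment check.
count_writable_php() {
    audit_writable_php "$1" "$2" | wc -l | tr -d ' '
}

# Example call (path and account name are placeholders):
#   audit_writable_php /var/www/html www-data
```

On an install where the CMS writes PHP files into its data directory, those files will show up in the output by design; the list is a way to see exactly how large that writable, executable surface is.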