Topic Closed

File permissions appear to have changed and the system is no longer able to write to the following files

Typesetter is hacked. This is a false error and will cause you to change permissions on files and directories so you will get hacked.

Only solution is to delete typesetter and use properly maintained software instead.

1 year ago#11768

mabu
372 Posts
5.9K Downloads
4 Themes
9 Plugins

What can this issue be good for!? If it should be true: which provider, which Apache and PHP version, which Typesetter version?

I personally had 90% of my visitors as bots and crawlers. The only time I was (just a little bit) cracked (2019) was when PHPMailer was still the old version.

If file rights have been changed, that may be the bot and hack shield of the provider, which often sets the rights after some time to the minimum necessary for Apache (might cause a problem).

Reset the rights in the CMS under: -> Uninstall prep --> Change Your Mind? You can restore the file permissions for added security here: ....

I have tried to let online checkers crack my Typesetter CE version (the GitHub 52RC is still a bit safer) without HTTPS - my installation is super-safe!

Please specify your posting! Which CMS is safer? WordPress and Drupal have several XSS issues.

Edited: 1 year ago#11769

juergen
1.5K Posts
60.6K Downloads
16 Plugins
@scottprovost: Nice one LOL. Any proof or details or just SPAM?
Edited: 1 year ago#11770

juergen
1.5K Posts
60.6K Downloads
16 Plugins

For those interested: This is the code block that leads to the error message mentioned.
Pretty simple stuff, actually.

If someone has suggestions for improvement, go ahead.

Edited: 1 year ago#11772

I do not think Typesetter is insecure until people change file permissions in response to the erroneous error.
There should never be such an error in the first place. It appears to happen when the web user owns the files.

What it says could not possibly be true in that circumstance.

1 year ago#11773

Is that code checking to see if a .php file is writable by the web server?

No modern operating system with secure installation will ever allow a file that is executable to be writable by the web server no matter what the permissions are set to.

Parameters should be written to a writable config file that can never be executed, but have its parameters read by a PHP file. Never demand write access to a config.php or any other executable file or file with an executable extension, and all will work. This can be done, and Typesetter can be fully secure and installable on secure systems. Worth the trouble.

Edited: 1 year ago#11774

juergen
1.5K Posts
60.6K Downloads
16 Plugins

No modern operating system with secure installation will ever allow a file that is executable to be writable by the web server… This can be done…

A noble approach but far from reality. A simple example: How should a remote update, the installation of plugins or themes work in such an environment you describe? With strong crypto, code signing and mandatory security audits for all community plugins and themes? Hardly feasible. And even then, the updater would have to write executable code (namely PHP in our case.)

Another example: let's take Wordpress. IMO it's a good measure simply because it is by far the most successful CMS.

Take a look at WordPress' Theme Editor (many other web CMS have similar features). We do not allow such editing of PHP files because we would call that an authenticated RCE.

In contrast to Wordpress, Typesetter will never allow direct access to PHP files from the admin user interface (regardless of set admin permissions). None of the PHP files that Typesetter writes to the /data directory is an entry point. They all instantly die if not loaded by a running Typesetter instance. This sets Typesetter significantly apart from WordPress in terms of security IMO.

If Typesetter was (re)written today, it would probably go a different path.
There is an experimental setting in /gpconfig.php to use JSON files instead of PHP. It's experimental for several reasons - worth a different topic.

To sum it up: Typesetter had extremely few serious security vulnerabilities in its history. Way less than most other CMS I know.
I personally had no security incidents in the past 8 years. Over 100 websites, no incidents.
The most recent WordPress hack I've been dealing with was just 2 weeks ago.

So Typesetter can't be that bad.

edit: Have to correct myself - seems as if the JSON option was removed again from gpconfig. Some remains here and here

Edited: 1 year ago#11775
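The two storage strategies the post above contrasts (PHP data files that die unless loaded by a running instance, and the experimental JSON alternative), as an added example that is not Typesetter's own code. The guard constant name `is_running`, the function names and the temp-directory paths are assumptions chosen for illustration.

```php
<?php
// Added example (not Typesetter's code). Assumed names: the constant
// 'is_running' and the paths below are placeholders for this example.

// 1. PHP data file with an entry-point guard. If the web server is asked
//    for this file directly, the first statement terminates the script
//    before any data is emitted. It only yields its contents when included
//    by an application that has defined the constant first.
function write_guarded_php(string $path, array $settings): void
{
    // var_export() emits a PHP array literal with properly escaped
    // strings, so user-supplied values stay data and cannot become code.
    $body = "<?php\n"
          . "defined('is_running') or die('Not an entry point');\n"
          . 'return ' . var_export($settings, true) . ";\n";
    file_put_contents($path, $body, LOCK_EX);
}

function read_guarded_php(string $path): array
{
    // A running instance defines the constant; the data file relies on it.
    defined('is_running') or define('is_running', true);
    return require $path;
}

// 2. Plain JSON: nothing executable can ever be written, but the file has
//    no guard of its own. The web server must be prevented from serving it
//    (keep it outside the document root or deny it in the server config).
function write_json(string $path, array $settings): void
{
    $json = json_encode($settings, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
    file_put_contents($path, $json, LOCK_EX);
}

function read_json(string $path): array
{
    return json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample settings: the title deliberately contains a quote and
// a PHP open tag to show that both writers keep it as plain data.
$settings = ['title' => "O'Reilly <?php echo 1; ?>", 'debug' => false];
$dir = sys_get_temp_dir();
write_guarded_php("$dir/example_config.php", $settings);
write_json("$dir/example_config.json", $settings);
assert(read_guarded_php("$dir/example_config.php") === $settings);
assert(read_json("$dir/example_config.json") === $settings);
echo "both round-trips intact\n";
```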

juergen
1.5K Posts
60.6K Downloads
16 Plugins

Parameters should be written to a writable config file that can never be executed

I'm just curious: such a config or content file (be it xml, json, ini, txt, you name it) that potentially contains sensitive information - which technique would you use to protect it from direct access?

Edited: 1 year ago#11776
