Setting up a Demo Site
Incentive
This is a collection of tips for setting up a demo site, i.e. a Geeklog site where users can log in with admin privileges so that they can have a look "behind the scenes" without having to install Geeklog themselves first.
The Problem
All of the "risky" options on a Geeklog site require admin access. On a demo site, however, you give admin access to any random visitor. So it's important to identify and disable those admin options that can either bring down the demo site or even allow an attacker to upload and run malicious code on the site.
These issues are specific to running a demo site. On a standard Geeklog install, you would only give admin privileges to people you trust.
PHP in Static Pages
You can embed PHP code in Static Pages. By default, that feature is disabled in a standard install, but can easily be enabled if you have admin privileges.
To disable this option entirely on a demo site setup, add the following line to your site's siteconfig.php file:
$_SP_DEFAULT['allow_php'] = 0;
Plugin Uploads
Geeklog 1.6 introduced an option to upload plugins directly from within Geeklog. This option requires write access to certain directories and is therefore a potential security issue on a demo site.
To disable this option, make sure the plugins directories are not writable by the web server, i.e.
/path/to/geeklog/plugins and
/path/to/geeklog/public_html/admin/plugins
OAuth Login
The OAuth Login options (introduced in Geeklog 1.8.0) should not be used on a demo site. They require you to enter the keys for the respective service (Facebook, Twitter, or LinkedIn) in the Configuration, where any random visitor could see them.
3rd Party Plugins
Carefully consider any additional plugins you install on the demo site and review their features for potential abuse. Plugins that allow any form of upload may create issues. At the very least, you may need to remove uploaded files during a regular reset of the site.
Other Considerations
If you open up a site the way a demo setup does, people will try all sorts of things. This will most likely include vandalism, spam, changing passwords, and trying to exploit features. Here are some things to consider for a demo setup:
Reset the Site regularly
Set up a cron job to automatically reset the site every hour or at least once a day. Things you should reset:
- the database - simply drop it and reload from a backup
- clear out the upload directories:
  - /path/to/geeklog/data
  - /path/to/geeklog/public_html/images/articles
  - /path/to/geeklog/public_html/images/topics
  - /path/to/geeklog/public_html/images/userphotos
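A reset script that a cron job could call for the steps listed above, given as an added example that is not part of the original page or of Geeklog itself. It assumes a MySQL database and uses hypothetical names: a `BASELINE` directory holding `db.sql` plus optional copies of any files you want present after a reset, the `geeklog_demo` database, and the `demo-reset.cnf` credentials file.

```shell
#!/bin/sh
# Added example: reset script for a Geeklog demo site (not Geeklog's own code).
# Assumes MySQL; every path and name below is a placeholder or hypothetical.
GL_ROOT="${GL_ROOT:-/path/to/geeklog}"
BASELINE="${BASELINE:-/path/to/demo-baseline}"    # hypothetical: db.sql + baseline dirs
DB_NAME="${DB_NAME:-geeklog_demo}"                # hypothetical database name
MYSQL_CNF="${MYSQL_CNF:-/path/to/demo-reset.cnf}" # hypothetical [client] credentials, mode 600
UPLOAD_DIRS="data public_html/images/articles public_html/images/topics public_html/images/userphotos"

# Empty one upload directory (the directory itself stays), then copy back
# the baseline files for it, if a baseline copy exists.
reset_dir() {
    dir="$1"; pristine="$2"
    [ -d "$dir" ] || { echo "reset: $dir is not a directory" >&2; return 1; }
    # -mindepth 1 spares $dir itself; dotfiles and subdirectories are removed too,
    # and find does not follow symlinks by default.
    find "$dir" -mindepth 1 -delete
    if [ -d "$pristine" ]; then
        cp -Rp "$pristine"/. "$dir"/
    fi
}

# Drop the database and reload it from the backup, as the list above describes.
reset_db() {
    mysql --defaults-extra-file="$MYSQL_CNF" \
        -e "DROP DATABASE IF EXISTS $DB_NAME; CREATE DATABASE $DB_NAME;" &&
    mysql --defaults-extra-file="$MYSQL_CNF" "$DB_NAME" < "$BASELINE/db.sql"
}

# Run every step even if an earlier one fails, so uploaded files are always
# cleared; the exit status is non-zero if any step failed.
reset_site() {
    status=0
    reset_db || status=1
    for sub in $UPLOAD_DIRS; do
        reset_dir "$GL_ROOT/$sub" "$BASELINE/$sub" || status=1
    done
    return "$status"
}

# Does nothing unless called with --run, e.g. from an hourly crontab entry:
#   0 * * * * /path/to/reset-demo.sh --run
if [ "${1:-}" = "--run" ]; then
    reset_site
fi
```

Run it as a user other than the web server's, and keep the baseline directory and credentials file outside the web root and unreadable by the web server, so a demo admin cannot alter what the site is reset to.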
Also See
- Feature Request: Demo Site option
- Not much of a discussion, but there were two posts on the geeklog-devel list regarding a demo site option.