Welcome to HOAM! HOAM is designed primarily for single-family and condominium property management, although it also can be used for managing rental* and commercial properties or even as a general web "portal" if you choose to use it that way.
HOAM is intended to give owners living in a neighborhood or condominium building the tools they need to easily administer and operate a property owners association without the need for an outside management company, with a minimum of time. Indeed, HOAM is designed specifically to streamline and automate many of the operational tasks of running an HOA.
That said, it's just as easy for a professional management company to set up and use HOAM*, making their operations more cost-effective and efficient.
While HOAM is essentially ready to go out of the box, there is a need for investigation and data-entry on your part before it becomes truly usable. Specifically:
It's free (both monetarily and philosophically). But why else would you want to use HOAM instead of another property management system?
The only translation available at this time is English.
HOAM is copyright © 2002-2015 ARP Realty, Inc.
HOAM is free software; you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.
HOAM is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License along with HOAM; if not, see http://www.gnu.org/licenses/ or write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
Questions specific to HOAM should be directed to ARP Realty Services. Please see the HOAM web site at http://hoam.arprs.com/.
Some portions of HOAM incorporate ideas and/or code from other sources, and those portions are explicitly mentioned and attributed in the relevant section of HOAM source code. Questions about that code should be directed to the original authors.
The following formats are in use:
> sudo service apache restart
This is a test
Additionally, most of the documentation is written from a Linux/UNIX viewpoint; if you are installing under Windows you will need to remember to change from forward slashes (/) to back-slashes (\) and add drive letters where necessary (C:\www) when reading instructions.
HOAM has been deployed successfully and used long-term with several different versions of Apache, MySQL, and PHP. Most of the testing (and all of our deployments) have been in the Linux environment. While it will work (and has been tested with several versions of Windows from Server 2003 through Server 2019), it is strongly recommended to run HOAM under Linux. The versions of each application that have been tested are:
As of April 2020, the minimum requirements are:
As for server size, you can easily run HOAM under Linux with 1 CPU, 1GiB RAM, and 40GiB of drive space. For Windows, whatever minimum specs are necessary for the version of Windows Server (eg, 2GiB RAM and 40GiB storage) are sufficient — however, it's recommended that Windows servers have at least 4GiB RAM and 80GiB storage.
HOAM performs several checks when it starts to ensure that the minimum requirements are met for the particular version being used. When upgrading HOAM to a new version, it will check whether the minimum requirements are met during the upgrade.
Please note, most recent installations and testing of HOAM have been done on dedicated cloud-based servers; while nothing should prevent you from running HOAM in a shared ISP account (such as under cPanel), we have not tested it in that configuration for the last several years.
You'll need to complete several other tasks before starting the installation, as this information will be required during configuration.
On an Ubuntu 8.10 and newer system, enter sudo apt-get install apache2 to install the Apache web server software:
> sudo apt-get install apache2
On a Fedora 29 or newer system, enter the commands below. Several additional commands are necessary to allow access through the system firewall and to allow Apache write access (needed for attachments, system backups, upgrades, etc.). Note that the last two commands (setenforce and the edit to /etc/selinux/config) put SELinux into permissive mode for the whole system, immediately and across reboots, rather than granting Apache write access to specific directories.
> sudo dnf -y install httpd
> sudo systemctl start httpd
> sudo systemctl enable httpd
> sudo firewall-cmd --add-service={http,https} --permanent
> sudo firewall-cmd --reload
> sudo setenforce 0
> sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
On UNIX systems, a number of Apache features are disabled in a default installation. HOAM requires the headers and rewrite modules to be enabled. On Ubuntu 8.10 and newer, you can do so at the command line by running sudo a2enmod module-name:
> sudo a2enmod headers
> sudo a2enmod rewrite
You will need to ensure that you can either modify the configuration entry for the website to allow rewrites, or that Apache will respect rewrite changes in .htaccess.
You will want to download the Apache binary build from one of the mirrors. Once downloaded, follow the instructions to install, which typically entails extracting the archive, updating the httpd.conf file, and installing Apache as a service.
You will need to uncomment the various modules from httpd.conf:
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
Apache also needs to be configured to load the PHP module; you'll need to do this once PHP is installed.
LoadModule php5_module "C:\Program Files\PHP-5.6.5\php5apache2_4.dll"
AddHandler application/x-httpd-php .php
# configure the path to php.ini
PHPIniDir "C:\Program Files\PHP-5.6.5"
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
While MySQL is required, we're not going to cover specific details about the installation (such as setting the root password, installation path, etc.). For more detailed instructions on installing and using MySQL, please review the documentation available for that product.
On an Ubuntu 8.10 and newer system, enter sudo apt-get install mysql-server to install the MySQL database software:
> sudo apt-get install mysql-server
On a Fedora 29 or newer system, enter the following:
> sudo dnf -y install mariadb-server
> sudo systemctl start mariadb
> sudo systemctl enable mariadb
> sudo firewall-cmd --add-service=mysql --permanent
> sudo firewall-cmd --reload
A MySQL client on UNIX can connect to the mysqld server in two different ways: by using a UNIX socket file to connect through a file in the filesystem (the default socket file location is dependent on your distribution), or by using TCP/IP, which connects through a port number. A UNIX socket file connection is faster than TCP/IP, but can be used only when connecting to a server on the same physical computer. A UNIX socket file is used if you don't specify a hostname or if you specify the special hostname localhost.
On recent versions of Ubuntu and RedHat/Fedora, the MySQL root password is blank by default. In order to install HOAM using the automated install script, you will need to configure a password for the root account. You can do this by running:
> sudo mysql_secure_installation
You will want to download the MySQL binary build from Oracle. Once downloaded, follow the instructions to install, which typically entails extracting the archive, creating/updating the my.ini file, and installing MySQL as a service. As mentioned in the installation instructions, you will likely want to update your environment variables to place the MySQL bin directory in your path.
HOAM uses and is capable of handling Unicode throughout; everything is done in UTF-8. The default installation of HOAM imports a database already in UTF-8 format, and all of the PHP code forces UTF-8 to be used. However, you may want to also modify the default MySQL configuration to use UTF-8 by default. In my.cnf, set:
[mysqld]
loose-character-set-server=utf8
loose-collation-server=utf8_unicode_ci
Versions of MySQL earlier than 5.5.3 also usually needed a config option default-collation. If you're using an earlier version, add this to the configuration, but it will cause the MySQL service to fail to start if used in 5.5.3 or later.
[mysqld]
default-collation=utf8_unicode_ci
If for some reason your installation of HOAM is not using UTF-8, you can update the database with the following commands:
ALTER DATABASE hoam_xyz CHARACTER SET utf8 DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci DEFAULT COLLATE utf8_general_ci;
And for each table, do:
ALTER TABLE table_name DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
On Ubuntu 8.04 and newer, enter the following commands to install PHP:
> sudo apt-get install php php-cli
On Fedora 29 or newer:
> sudo dnf -y install php php-cli
On most Linux systems, the default PHP installation does not include either the MySQL or the GD library. It is necessary to add those two libraries before HOAM will function properly. When starting, HOAM does a requirements check and will complain if the MySQL, GD, or other required libraries are not available.
On Ubuntu:
> sudo apt-get install php-curl php-gd php-mysql php-zip
On Fedora:
> sudo dnf -y install php-mbstring php-mcrypt php-mysqlnd php-curl php-gd php-xml php-zip
You will want to download the PHP binary build; the debug pack is not required by HOAM. Once downloaded, follow the instructions to install, which typically entails extracting the archive, creating/updating the php.ini file, and configuring it as a module in Apache.
If you did not already add the PHP module to the Apache configuration (described earlier) do so now.
You will need to uncomment the various modules from php.ini:
extension=php_com_dotnet.dll
extension=php_curl.dll
extension=php_exif.dll
extension=php_gd2.dll
extension=php_mbstring.dll
extension=php_mysqli.dll
extension=php_zip.dll
Make sure you also uncomment and update your extension_dir path to where you installed PHP as shown in the example below:
extension_dir = "C:\Program Files\PHP-5.6.5\ext"
If not already configured, you will likely need to update the timezone line in php.ini as well. You should have a block like this in your php.ini file:
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = America/Chicago
If not, add it (replacing the timezone with yours); a list of supported timezones is available in the PHP manual. After configuring, make sure to restart httpd (service httpd restart).
Additionally, although this should not normally be necessary, you may want to increase the execution time of PHP scripts from the default of 30 seconds. This has only been observed to be necessary when the maintenance script is manually started from the website administration page. By default the maintenance script runs as a scheduled task using the PHP CLI (which has no timeout), and this change would not be required.
max_execution_time = 90
If you are planning to allow file uploads (attachments) larger than the default size (the default maximum is 2MB), you must edit several settings in the php.ini configuration file. Based on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.
Each of these settings should be set to the maximum desired size. For example, set upload_max_filesize = 32M.
At this time, it is not necessary to modify the PHP CLI configuration file, only the one running via Apache; all cli settings can be left at the default.
At this time, there is only a limited automated installation routine for HOAM; most of the installation will need to be performed manually by someone with at least a passing knowledge of server administration.
> sudo mkdir /var/www/association.domain.name
where association.domain.name is the FQDN* of your website. For instance, you may have something like www.harvesthoa.com or www.middlebrookcondos.org. The name itself is optional: you can set the directory name to whatever you choose; remember it though, as you'll need this name below when telling the web server which directory to use and when scheduling the maintenance script to run.
> sudo cp /path_to_download/hoam-20150301.tgz .
> sudo tar -xvf hoam-20150301.tgz
<VirtualHost *:80>
DocumentRoot /var/www/association.domain.name/
ServerName association.domain.name
<Directory /var/www/association.domain.name/>
DirectoryIndex index.php
Options Indexes
<IfVersion < 2.4>
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</Directory>
RewriteEngine on
RewriteRule /$ /index.php
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 24 hours"
ExpiresByType application/pdf "access plus 1 week"
ExpiresByType application/x-javascript "access plus 2 days"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 month"
ExpiresByType text/css "access plus 2 weeks"
ExpiresByType text/html "now"
ExpiresByType text/xml "now"
ExpiresByType text/plain "access plus 2 weeks"
ExpiresByType video/x-flv "access plus 1 month"
ExpiresByType video/quicktime "access plus 1 month"
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(js|css|xml|gz)$">
Header set Vary: Accept-Encoding
</FilesMatch>
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
ErrorLog /var/log/apache2/error_association.domain.name.log
# For Redhat/Fedora, make sure to swap apache2 for httpd:
# ErrorLog /var/log/httpd/error_association.domain.name.log
ServerSignature Off
</VirtualHost>
> sudo mkdir /var/www/association.domain.name/attachments
> sudo mkdir /var/www/association.domain.name/sessions
> sudo chown www-data:www-data -R /var/www/association.domain.name/
or
> sudo chown apache:apache -R /var/www/association.domain.name/
HOAM performs several checks at startup to make sure the essential permissions are set and will inform you if they are not.
> sudo service apache2 restart
In Redhat/Fedora, run the below command:
> sudo systemctl restart httpd
The following steps can be performed from within your web browser by navigating to http://association.domain.name/install.php and allowing the installation script to handle it for you. This requires you to have administrative credentials to the MySQL server.
Alternatively, follow the below steps if you would like to install HOAM manually.
mysql> create database hoam_xyz;
mysql> create user xyz_user@localhost identified by 'password';
mysql> grant create temporary tables, delete, drop, execute, insert, select, update on hoam_xyz.* to xyz_user@localhost;
On older MySQL and MariaDB releases the user can instead be created and granted in a single statement (the identified by clause in grant is no longer accepted by MySQL 8.0):
mysql> grant create temporary tables, delete, drop, execute, insert, select, update on hoam_xyz.* to xyz_user@localhost identified by 'password';
Then load the default database and the stored procedures, where admin_user is a MySQL account with administrative rights. Giving the password after -p on the command line exposes it to other local users through the process list, so you may prefer to pass -p alone and enter the password at the prompt:
> mysql -u admin_user -pPassword hoam_xyz < hoam/install/default_db.sql
> mysql -u admin_user -pPassword hoam_xyz < hoam/install/storedProcedures.sql
; HOAM configuration file with database connection settings, created
; automatically during the initial installation of HOAM.
;
; Note!
; -----
; The characters {}|&~![()" have a special meanings and should be avoided.
;
; Using 'localhost' for the hostname may cause problems with socket connections
; on some UNIX (Linux) systems. The recommended alternative is to use 127.0.0.1
; to force TCP/IP connections.
[HOAM_DB]
engine = mysql
dbname = hoam_xyz
user = xyz_user
password = xyz_user password
server = localhost
port =
; No further configuration is required
; ------------------------------------
; All additional customization is done in your web browser
HOAM comes with a maintenance script that it expects is run once per day. This script performs several functions including application of assessments and fees, sends reports based on the activity in the last day (for instance, invoices paid and users logged in), and checks system integrity.
It's reasonably important that the maintenance script is scheduled to run automatically once per day; we recommend scheduling it to run at midnight. There are a few safeguards built into the script in the event that a day is missed or if it aborts in the middle of a run, but this should not be used as an excuse to avoid scheduling the daily run. Should the script not be set up to run automatically, you can manually run it from the Website Administration page.
The script should be scheduled using either cron on UNIX or as a scheduled task on Windows.
On an Ubuntu 8.10 system and newer, create a new file named hoam in /etc/cron.d/:
> sudo nano /etc/cron.d/hoam
and add the cron entry:
# Added HOAM nightly maintenance script
0 0 * * * www-data php -f /var/www/association.domain.name/hoam/scripts/diag/maintenance.php
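The installation steps above leave a few things worth verifying once the site is up: the example VirtualHost enables directory listings with Options Indexes while the attachments and sessions directories sit under DocumentRoot, the ServerSignature and X-Frame-Options lines are easy to drop when copying the configuration, and the configuration file holds the database password, so its file mode matters. The following Python script is an added example and is not part of HOAM: the sample VirtualHost and configuration text, the finding names and the function names are constructed for illustration, and the checks are separate from HOAM's own startup checks.

```python
"""Post-install sanity checks for a HOAM deployment.

Added example, not HOAM code: the sample VirtualHost and config.ini text, the
finding names and the function names are constructed for illustration.
"""
import configparser
import os
import re
import stat
import tempfile

# Constructed VirtualHost fragment, modelled on the one in the documentation.
SAMPLE_VHOST = """<VirtualHost *:80>
DocumentRoot /var/www/association.domain.name/
ServerName association.domain.name
<Directory /var/www/association.domain.name/>
DirectoryIndex index.php
Options Indexes
Require all granted
</Directory>
ErrorLog /var/log/apache2/error_association.domain.name.log
</VirtualHost>
"""

# Constructed configuration file, modelled on the one the installer writes.
SAMPLE_CONFIG = """; constructed sample of the HOAM database configuration file
[HOAM_DB]
engine = mysql
dbname = hoam_xyz
user = xyz_user
password = xyz_user password
server = localhost
port =
"""


def lint_vhost(text):
    """Return finding codes for an Apache VirtualHost fragment."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        # 'Options Indexes' (or '+Indexes') enables directory listings; with
        # attachments/ and sessions/ under DocumentRoot that lets anyone browse them.
        if parts and parts[0].lower() == "options":
            if any(p.lower() in ("indexes", "+indexes") for p in parts[1:]):
                if "options-indexes" not in findings:
                    findings.append("options-indexes")
    if not re.search(r"^\s*ServerSignature\s+Off\b", text, re.I | re.M):
        findings.append("server-signature")   # version footer on error pages
    if not re.search(r"^\s*Header\b.*X-Frame-Options", text, re.I | re.M):
        findings.append("x-frame-options")    # no clickjacking protection header
    return findings


def check_config(path):
    """Return finding codes for the HOAM database configuration file at 'path'."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        # Only the web server account needs to read the database password.
        findings.append("world-readable")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    db = cfg["HOAM_DB"]
    password = db.get("password", "")
    # Heuristic: empty, or still the installer's 'xyz_user password' placeholder.
    if not password or "password" in password.lower():
        findings.append("placeholder-password")
    if db.get("server", "").lower() == "localhost":
        # 'localhost' selects the UNIX socket; 127.0.0.1 forces TCP/IP, as the
        # comment block in the configuration file notes.
        findings.append("localhost-socket")
    return findings


def run_demo():
    """Write the constructed config to a temp file with loose permissions and audit both."""
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
        fh.write(SAMPLE_CONFIG)
        path = fh.name
    try:
        os.chmod(path, 0o644)  # world-readable on purpose so the check fires
        return lint_vhost(SAMPLE_VHOST), check_config(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    vhost_findings, config_findings = run_demo()
    print("vhost:", vhost_findings)
    print("config:", config_findings)
```

Run it against your real files by pointing check_config at the installed configuration file and lint_vhost at the contents of the site's VirtualHost file; an empty list from both means none of these particular settings needs attention.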
The remaining configuration of HOAM itself is done online. Start a web browser and point it at the location of the HOAM installation, eg, http://association.domain.name/.
If you've made it this far and you are now receiving the below (or similar) message from the web server:
Forbidden You don't have permission to access / on this server.
Then you're likely running into a file permissions issue. The web server needs to be able to read and execute the files in the location you've chosen to install HOAM. In Windows the default filesystem permissions are usually sufficient to allow this, but you may need to check the directory permissions under the Security tab in Windows Explorer. In Linux/UNIX systems, try running the following:
> sudo chmod 705 /var/www/association.domain.name/
> sudo chown -R www-data:www-data /var/www/association.domain.name/
If you're seeing the default Apache website, then you've forgotten to restart Apache and load the new configuration. Simply restart Apache as noted above and try again.
Congratulations on installing HOAM! Several default pages have been created and configuration options have been set for you already. Please review the information below for next steps.
Virtually all aspects of HOAM can be modified via the System Configuration page (accessed via Website Configuration ⇒ System Configuration). Here you will find options for controlling how HOAM handles finances, user accounts, system security, page displays, and more.
It's important to note that many of the settings in HOAM come pre-configured with default settings that work well for most installations.
You can probably safely leave all options on this tab at their default values.
Please note, this is completely separate from the Email Validation configuration option under Users Configuration.
In general, the options available under Lot Configuration should be left at their default values; the exceptions being the selection of which Association Common Areas are available (if any), and whether there is any Miscellaneous Property to track.
Many neighborhoods contain Common Areas that are maintained by the Association for the benefit of the property owners, such as parks, pools, clubhouses, and more.
Enabling these various items in the configuration has them show up in other portions of the system such as Work Requests, allowing owners or residents to report issues such as a park that has trash, pools with too much or little chlorine, et cetera.
Miscellaneous property is used to manage other items that the Association may own, such as clubhouses, parks, parking spaces, and pools. While not every Association has these items, those that do often allow the rental/usage of them by owners.
Enabling this option causes a new section in the HOA Administration section to appear, allowing the creation and rental tracking of various property. Items listed here may be assigned to specific owners, and the costs associated are automatically accrued to the owner's account for the rental period specified for each item: parking spaces and storage units are generally configured monthly, while clubhouses would typically be rented for a single day.
If email validation is enabled, the fields will be marked as mandatory in all user editing forms, and errors will be given if addresses are not provided. Additionally, several changes to user account creation and password resets occur:
We recommend leaving this option enabled as it allows much more secure password resets and also usually helps cut down on vandalism of the site (such as spam posts in the messageboards).
Please note, this is completely separate from the Send Automated Emails configuration option under Email Configuration.
This setting controls whether HOAM reports back to ARP Realty Services, Inc. that it has been installed and is running. This reporting happens when the maintenance script runs, and can be disabled with this configuration option.
The information sent includes:
ARP Realty Services, Inc. is using this information right now to simply gauge the number of installs in the wild (outside of our internal customer base), as well as which versions are in use. At some point we may also use the email address obtained to send notices of HOAM version upgrades and/or security issues that have been discovered. There are no plans to use this for any sort of marketing, and no information is sold to third parties.
The advertising options in HOAM are extremely primitive compared to commercial offerings from Google and others -- this is meant more as a way for neighborhood companies to receive a small amount of exposure, either for free or in exchange for goods or services they've offered the Association.
For instance, you may have businesses run by homeowners, or local companies may have donated to a neighborhood event (such as National Night Out) and the Association would like to advertise their business.
At this time, only image-based advertisements can be shown (no text-only or animated ads). Also, no reformatting of images is done (to either increase or decrease the image size to fit the available space) — however, HOAM does limit the total space available via CSS to make sure page formatting is not completely broken.
Four page locations are available for advertisements to be displayed:
If more than one advertisement has been specified for a particular location, one will be picked at random to display on each page load.
The other available options are a URL to send users to when the advertisement is clicked, the first date to display the advertisement, and the last date to display the advertisement.
In order to view how many times the advertisement has been shown to users (impressions), and how many times someone has clicked (engagements), you can look at the List All Advertisements menu option.
All of the options below are hard-coded in the documentation to show specific values; in a live system they will display the information contained in the configuration.
In addition to individual residences, an association may sometimes also have other properties that it manages such as clubhouses, pools, parking spaces, and storage facilities. HOAM has the ability to keep track of these items as well, including rental periods and charges to individual owners.
All file attachments stored by HOAM are kept in a directory named attachments. Thumbnails of attachments are stored in a subdirectory of attachments called thumbs.
HOAM classifies attachments by the type of object they're attached to: budget entries, homeowners, violations, votes etc.
Users may be members of multiple groups. By default, if not logged into the system, all users are members of the Anonymous group. Anonymous members are also members of the Everyone group.
Groups are arranged in multiple trees. For instance, in the default system configuration, the following groups are defined, and each descendant group is considered a member of any group its parent is a member of. It's important to note, however, that because of the permission checks HOAM runs, the System Administrators group can be considered a member of all of the groups.
In other words, all HOA Board Members are considered members of the Registered Users group. You may notice that the System Administrators group is listed as a member of several different groups; this gives members of System Administrators access to groups that inheritance alone would keep them out of. For instance, if an administrator relied solely on inheritance, being a member only of the HOA Board Members group would prevent them from accessing items restricted to Anonymous members.
As shown in this diagram, the System Administrators group does not have access to information restricted to members of HOA Social Committee.
HOAM also supports multiple trees. For example, the following group hierarchies are also configured:
While it may seem cumbersome for the same group to be listed multiple times, this configuration allows a great amount of flexibility. For instance, to set up a wiki-type system where everyone is allowed to edit the content of the system, you could simply add the Everyone group to the Edit Articles group. However, we don't recommend this due to the security risks inherent in this design using HOAM (currently, HOAM executes any PHP code contained within articles; allowing anyone to create and run PHP code on your system is inviting disaster!)
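The inheritance rule above (a member of a group is a member of everything that group is a member of, across several trees) is a transitive closure, and the wiki-style configuration warned about is a one-line change to it. The following Python is an added example and not HOAM code: the membership edges are constructed from the group names the documentation mentions and are not HOAM's actual defaults, and the special treatment HOAM's own permission checks give System Administrators is deliberately not modelled, only plain inheritance, so the effect of adding Everyone to Edit Articles can be seen on its own.

```python
"""Effective group membership under an inheritance rule like HOAM's.

Added example, not HOAM code: the membership edges are constructed from the
group names the documentation mentions and are not HOAM's actual defaults; the
special treatment HOAM gives System Administrators in its own permission
checks is not modelled, only plain inheritance.
"""
from collections import deque

# Direct memberships: each key is a member of every group in its set (constructed).
DEFAULT_MEMBERSHIP = {
    "Anonymous": {"Everyone"},
    "Registered Users": {"Everyone"},
    "HOA Board Members": {"Registered Users"},
    "HOA Social Committee": {"Registered Users"},
    "Edit Articles": set(),
    # Listed directly in several groups so it is not limited to what
    # HOA Board Members would inherit on its own.
    "System Administrators": {"HOA Board Members", "Anonymous", "Edit Articles"},
}


def effective_groups(member, membership):
    """All groups 'member' belongs to, directly or through its parents' memberships."""
    seen = set()
    queue = deque([member])
    while queue:
        current = queue.popleft()
        for group in membership.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def can_access(member, required_group, membership):
    """True if 'member' is, or inherits membership of, 'required_group'."""
    return member == required_group or required_group in effective_groups(member, membership)


def user_groups(direct_groups, membership):
    """Effective groups for a user account that directly holds 'direct_groups'."""
    result = set(direct_groups)
    for group in direct_groups:
        result |= effective_groups(group, membership)
    return result


def with_extra_membership(membership, member, group):
    """Copy of 'membership' in which 'member' is also a direct member of 'group'."""
    updated = {name: set(groups) for name, groups in membership.items()}
    updated.setdefault(member, set()).add(group)
    return updated


if __name__ == "__main__":
    print(sorted(user_groups({"HOA Board Members"}, DEFAULT_MEMBERSHIP)))
    # The wiki-style change: Everyone becomes a member of Edit Articles, so even
    # Anonymous (not logged in) inherits Edit Articles.
    wiki = with_extra_membership(DEFAULT_MEMBERSHIP, "Everyone", "Edit Articles")
    print(can_access("Anonymous", "Edit Articles", wiki))  # True
```

Because Anonymous is itself a member of Everyone, the wiki-style change grants article editing to visitors who are not logged in at all, which is why the text above warns against it.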
Like Articles, the theory behind the messageboard is that all messages are based off of a single tree. The first message in the system, which always exists, is assigned (by default) an id of 0 (zero). The immediate descendants of this root message are considered separate message boards, and are treated slightly differently from other messages in the system. When a message with a root_id of 0 is displayed, the text of the message is displayed, and then any messages below it in the tree are displayed. In practice, there is no real difference between this and other message board systems.
Messages are listed in each board in reverse chronological order. That is, the newest messages are at the top of the page, and older are at the bottom.
Because message boards are treated the same as regular messages, the message board name is used as the id and as the root_id of other messages.
Authors of messages are allowed to edit their posted messages for (by default) 48 hours. Members of the System Administrators group have the ability to delete and edit existing messages (even from other users) at any time.
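The message tree, the newest-first listing and the edit rules described above fit in a few functions. The following Python is an added example, not HOAM code: the Message record, the sample messages and the helper names are constructed to illustrate the behaviour (one tree rooted at id 0, boards as direct children of the root, newest-first listing, a 48-hour author edit window, administrators unrestricted).

```python
"""Message-board tree and edit-window rules.

Added example, not HOAM code: the Message record, the sample messages and the
helper functions are constructed to illustrate the documented behaviour.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

EDIT_WINDOW = timedelta(hours=48)  # the documented default author edit window


@dataclass(frozen=True)
class Message:
    id: int
    root_id: Optional[int]  # parent message; None only for the root (id 0)
    author: str
    posted: datetime


# Constructed sample tree: root 0, one board (1), two posts and one reply.
MESSAGES = [
    Message(0, None, "system", datetime(2015, 1, 1)),
    Message(1, 0, "admin", datetime(2015, 3, 1, 9, 0)),     # a message board
    Message(2, 1, "alice", datetime(2015, 3, 2, 10, 0)),
    Message(3, 1, "bob", datetime(2015, 3, 3, 11, 0)),
    Message(4, 3, "alice", datetime(2015, 3, 3, 12, 0)),    # reply to message 3
]


def boards(messages):
    """Ids of the message boards: the immediate children of the root (root_id 0)."""
    return [m.id for m in messages if m.root_id == 0]


def list_board(messages, board_id):
    """Ids of every message under 'board_id' (at any depth), newest first."""
    children = {}
    for m in messages:
        children.setdefault(m.root_id, []).append(m)
    found = []
    stack = [board_id]
    while stack:
        for m in children.get(stack.pop(), []):
            found.append(m)
            stack.append(m.id)
    found.sort(key=lambda m: m.posted, reverse=True)
    return [m.id for m in found]


def can_edit(actor, is_admin, message, now):
    """Admins may edit any message; authors only within EDIT_WINDOW of posting."""
    if is_admin:
        return True
    return actor == message.author and now - message.posted <= EDIT_WINDOW


if __name__ == "__main__":
    print("boards:", boards(MESSAGES))
    print("board 1 newest first:", list_board(MESSAGES, 1))
    print("alice edits msg 2 a day later:",
          can_edit("alice", False, MESSAGES[2], datetime(2015, 3, 3, 10, 0)))
```

The edit check is evaluated against the server's clock and the stored posting time, so the window closes regardless of what the client sends; the admin short-circuit is the only path that ignores both the author and the window.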
HOAM supports plugins to modify and/or enhance the features available. A selection of plugins are available and come with HOAM, and others are listed on the website.
HOAM displays (by default) a list of all available down-level pages based from the article root.
Since HOAM is designed to support and administrate homeowner associations, a good deal of the system revolves around determining whether a user has permissions to access the requested functions. You may configure user accounts so (the Association's Treasurer, for instance) they have the ability to review the budget and the various invoices, but not violations or homeowner details. Similarly, you can configure an account (someone on the Social committee) to access homeowner rosters and contact information, but not financial or violation details.
There are two default user accounts created when HOAM is installed:
The Admin account is the one you specified the password for upon installation. The HOAM System Account is used for tagging automated entries created by HOAM (for instance, when fees are automatically applied, when creating certain log entries, etc.)
The theory behind the articles is that all articles on the site are based off of a single tree. The first article in the system, which always exists, has a URLname of "" (NULL).
When adding new articles to the system, starting from the root, you would enter the root_id for the first article in the root_id field. Subsequent articles added under this new article would reference its root_id as their root. Generally, the articles directly off the root are already specified as Sections.
Articles can be secured such that only the specified groups can read them. Please note, however, that someone with the ability to edit or delete articles may still be able to view the contents even if they would not otherwise have the appropriate group membership.
HOAM supports a number of wiki-style markup tags in articles and news items. There are also a number of variables that can be entered and expanded dynamically during display.
An example of all of these options is available online under the HOA Administration ⇒ Form Letters ⇒ Add New Letter page, select the ZZZ Test Letter option.
"No developer ever thinks their change is going to break anything for anyone. It's the QA Law of What Could Possibly Go Wrong. ;)" (Adam Williamson)
If you want to download new versions, subscribe to the HOAM mailing list or even take part in the development of HOAM, we refer you to its homepage at http://hoam.arprs.com/ or on SourceForge at https://sourceforge.net/projects/hoam/. New developers and testers are more than welcome!
If you have any bug reports, suggestions for improvement or simply want to tell us that you are using HOAM, feel free to post to the HOAM mailing list. If you have found any security problems in HOAM, please contact us directly at security@arprs.com (rather than posting on the mailing list) so we can correct it and release an update before you tell the public about it. We will pay a bounty of $50.00 for each confirmed (at our discretion) security problem.
The best place to get up to speed on the development of HOAM as well as touch base with other developers is on the mailing list.
At this point in time, the bug tracker and source repository are not open to the public; as it has been in use for many, many years, there are concerns that some PII may be in both right now. When we have time, a new repo and bug tracker will be migrated to and opened to the public.
The most-developed language and country settings are for U.S. English and the United States of America. Adding new languages and regions should be as easy as creating the new reference file. If you do create customizations for HOAM, please send them to us so others can benefit.
The below translations were performed by volunteers, and may be incomplete or incorrect. Please contact us if you've found a mistake in a translation, or would like to help translate HOAM to your language.
Although HOAM has been developed and used solely in the United States, theoretically it is adaptable for usage in other regions of the world. All that should be necessary is creation of a new country file in the country directory, which will be automatically discovered. Should you run into issues, please contact us, as we'd like to make sure HOAM is usable outside the U.S.
If you write a plugin that adds a new database table, HOAM will automatically check it as part of the maintenance routine.
HOAM uses, or is based on several 3rd party functions, scripts, or ideas. In roughly alphabetical order:
Additionally, most of the icons used in HOAM were created by Mark James (http://www.famfamfam.com/lab/icons/) which were graciously made available under the Creative Commons Attribution 2.5 license.
HOAM is primarily the work of one author, Robert Butler. He considers himself to be an intermediate-level PHP and beginner-level MySQL programmer at best. In fact, HOAM was originally begun in 2002 as a way to learn PHP and MySQL. That being the case, more advanced programmers will likely find various portions of HOAM that could be more elegant or efficient. However, we are simply unaware of this, or (being aware of a specific section) don't have the time to investigate further at this point.
In addition to learning PHP and MySQL, Robert couldn't find another CMS that met his needs, or that he could quickly get up to speed with. In fact, in 2002 'CMS' as a term was unknown to him, and thus he didn't even know what he wanted. He simply needed an easy way to post news and help manage the homeowners association he was a part of at that time. Indeed, HOAM has already well outgrown the initial understanding he had when he began.
That being said, there are certainly portions of HOAM that are brilliant, and equally portions where you'll be awestruck at how poorly it's written (and equally amazed that it works at all). Along those lines, because Robert is not a programmer by trade, and some portions of HOAM may go months or years between revisions, the code is kept as simple as possible so it doesn't take long to get up to speed after a break.
If you have any bug reports, suggestions for improvement or simply want to tell us that you are using HOAM, feel free to post to the HOAM mailing list.
If you have found a security problem in HOAM, please contact us directly at security@arprs.com (rather than posting on the mailing list) so we can correct it and release an update before you tell the public about it. We will pay a bounty of $50.00 for each confirmed (at our discretion) security problem.
There are several system configuration changes you can make that will increase the security of your webserver. These are general changes you can make that have nothing to do with HOAM itself; they're simply good practice. A complete discussion of the changes you can make is outside the scope of this document, but among the options are:
After any or all of the below changes are made, you will need to run the following command to make sure they take effect.
Ubuntu:
> sudo service apache2 reload
Redhat/Fedora:
> sudo systemctl restart httpd
By default, Apache enables a placeholder site that lets you know the installation is complete. Comment out (by placing a '#' at the beginning of each line) the configuration for this default site in the /etc/apache2/sites-available/000-default.conf or /etc/apache2/sites-available/default configuration file.
You may want to minimize response headers from Apache; this will very slightly reduce the amount of traffic your server is sending (improving performance), and will also obscure the version of Apache running on your server (improving security). To do so, edit the /etc/apache2/conf-enabled/security.conf file (older versions use /etc/apache2/conf.d/security) and change these two lines:
ServerTokens Prod
ServerSignature Off
Especially when running on a shared server, one Apache feature that you will probably want to disable is the reporting of server status. This is known to cause a security issue, since it allows eavesdropping on server accesses. The recommended fix is simply to disable the module:
> sudo a2dismod status
If removing the status module is not an option, then you'll want to add the below block to your configuration file or .htaccess file. Note that the Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 they only work while mod_access_compat is loaded, and the 2.4 equivalent is a single Require all denied line in place of the Order and Deny lines.
<Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
</Location>
mod_evasive is an Apache module that provides evasive action in the event of an HTTP DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack on the web server. When potential attacks are detected, mod_evasive will block traffic from the source for a specific duration of time, while it reports abuses via email and syslog facilities. Administrators can configure mod_evasive to talk to iptables, ipchains, firewalls, routers, etc. to build a comprehensive DDoS prevention system for a high-traffic web server.
> sudo apt-get install apache2-utils libapache2-mod-evasive
> sudo mkdir /var/log/mod_evasive
> sudo chown www-data:www-data /var/log/mod_evasive/
Some experimentation may be necessary, but good initial values are:
DOSHashTableSize 3097
DOSPageCount 20
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
See https://library.linode.com/web-servers/apache/mod-evasive for more information.
ModSecurity is an open source, free web application firewall (WAF) Apache module. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.
> sudo apt-get install libapache2-mod-security2
> sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
One of the default directives, SecRequestBodyLimit, limits the request size and therefore limits file uploads to 128 KB by default. Change this to the largest file size you would accept uploaded to the server. This setting is very important, as it bounds the size of every file that can be uploaded to the server. Also, by default the engine is set to detect only, not to prevent issues. Edit the file /etc/modsecurity/modsecurity.conf:
#SecRuleEngine DetectionOnly
SecRuleEngine On
SecRequestBodyLimit 32768000
SecRequestBodyInMemoryLimit 16384000
See http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server for more information.
If this is an installation on a new system, it's highly recommended to run mysql_secure_installation to secure the default installation of MySQL.*
On Linux servers, you can modify the file /etc/sysctl.conf. Uncomment the following line and make it look like this:
#Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Make the change active.
> sudo /sbin/sysctl -p
See https://en.wikipedia.org/wiki/SYN_cookies for more information.
If you have full control over the web server you plan to use HOAM on, you may want to consider modifying php.ini to disallow certain security-sensitive commands that HOAM does not use:
disable_functions=passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,show_source
Depending on how PHP was installed, it may already have several entries listed on the disable_functions line; if so, simply append the items above to the end of the existing list. Also, you'll want to make this change to both the apache2 and cli versions of php.ini (although the cli version is not as risky security-wise for our purposes).
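Appending to an existing disable_functions line by hand is error-prone (a duplicated or dropped name is easy to miss). The following is an added example, not HOAM's own code: a small POSIX shell helper that merges the list above into whatever php.ini already disables, keeping the existing entries and never adding a name twice. The function name merge_disable_functions and the php.ini path in the usage comment are assumptions; run it against both the apache2 and cli php.ini files.

```shell
#!/bin/sh
# merge_disable_functions (hypothetical helper, not part of HOAM): add the
# functions HOAM's documentation recommends disabling to php.ini's
# disable_functions line, keeping entries the distribution already put there
# and never duplicating a name. Prints the resulting list.
# Usage: merge_disable_functions /etc/php/7.4/apache2/php.ini   (path is an example)
merge_disable_functions() {
  ini="$1"
  wanted="passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,show_source"
  [ -f "$ini" ] || { echo "merge_disable_functions: no such file: $ini" >&2; return 1; }
  # value of the first active (uncommented) assignment, with whitespace stripped
  current=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" \
            | head -n 1 | tr -d '[:space:]')
  merged="$current"
  old_ifs="$IFS"; IFS=,
  for fn in $wanted; do
    case ",$merged," in
      *",$fn,"*) ;;                          # already disabled: keep the existing order
      *) merged="${merged:+$merged,}$fn" ;;  # append, with a comma only if non-empty
    esac
  done
  IFS="$old_ifs"
  if grep -q '^[[:space:]]*disable_functions[[:space:]]*=' "$ini"; then
    # replace the active line (portable: write a copy, then rename over the original)
    sed "s/^[[:space:]]*disable_functions[[:space:]]*=.*/disable_functions = $merged/" "$ini" \
      > "$ini.new" && mv "$ini.new" "$ini"
  else
    printf 'disable_functions = %s\n' "$merged" >> "$ini"
  fi
  printf '%s\n' "$merged"
}
```

Running the helper a second time is a no-op, so it is safe to include in a deployment script. Commented-out lines (starting with ';') are ignored, which matters because stock php.ini files ship with a commented example of the directive.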
You may also want to prevent PHP from exposing the fact that it is installed on the server, which it does by adding its signature to the web server's response headers. Locate the expose_php variable in php.ini and turn it Off (by default it is On). Find the line containing "expose_php = On" and change it to:
expose_php = Off
After making this change PHP will no longer add its signature to the web server header. Doing this will not make your server more secure, but it will very slightly reduce the amount of data your server sends, and it will prevent clients from easily seeing that you have PHP installed on the system and what version you are running.
See http://php.net/expose_php for more information.
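The ServerTokens/ServerSignature change above and the expose_php change here both aim at the same thing: response headers that no longer name software versions. This added example (not part of HOAM) is a shell helper that reads response headers and flags any that still leak; the function name header_leaks is an assumption, and association.domain.name is the page's own placeholder host.

```shell
#!/bin/sh
# header_leaks (hypothetical helper, not part of HOAM): read HTTP response
# headers on stdin and print every header that still advertises server
# software versions. Exit status 1 if anything leaked, 0 if the headers are clean.
#
# After reloading Apache, verify both changes with:
#   curl -sI https://association.domain.name/ | header_leaks
header_leaks() {
  awk '
    {
      sub(/\r$/, "")                        # tolerate CRLF line endings
      idx = index($0, ":")
      if (idx == 0) next                    # status line or blank separator
      name  = tolower(substr($0, 1, idx - 1))
      value = substr($0, idx + 1)
      # With ServerTokens Prod the Server header is just "Apache": any digit
      # means a version (and usually the OS) is still being sent.
      if (name == "server" && value ~ /[0-9]/) { print "leak: " $0; bad = 1 }
      # X-Powered-By: PHP/x.y.z is only emitted while expose_php = On
      if (name == "x-powered-by")              { print "leak: " $0; bad = 1 }
    }
    END { if (bad) exit 1; exit 0 }
  '
}
```

The check only parses headers, so it can also be pointed at a saved capture; the exit status makes it usable as a post-deploy assertion in a script.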
> sudo chmod 750 /var/www/association.domain.name/
session_start(): Session data file is not created by your uid [...]
Run php -i | grep user or ps aux | egrep '(apache|httpd)' and confirm the user running PHP. Then:
> chown -R www-data:www-data /var/www/association.domain.name/
or
> chown -R apache:apache /var/www/association.domain.name/
(chmod 740 -R * from the main directory you installed HOAM into). It is occasionally necessary to also set the 'sticky' bit (eg, chmod g+s -R *).
(chmod 760 -R attachments).
Destination "xyz" for file "abc" is not writeable,
> chown www-data:www-data -R /var/www/association.domain.name/
or
> chown -R apache:apache /var/www/association.domain.name/
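Recursive chmod/chown one-liners like the ones above apply the same mode to files and directories, and making the whole tree owned by the web server user lets a compromised PHP process rewrite HOAM's own code. This added example (not HOAM's own code) does the same job with a least-privilege layout: code owned by a deploy account and readable by the web server group, only attachments/ group-writable, with the setgid bit (chmod g+s, which the text above calls the sticky bit) so uploaded files keep the group. The modes differ from the page's 740/760 because a directory needs the execute bit to be traversed at all. The function name hoam_perms and the deploy:www-data owner are assumptions.

```shell
#!/bin/sh
# hoam_perms (hypothetical helper, not part of HOAM): apply a least-privilege
# layout to a HOAM document root. Code is readable but not writable by the web
# server group; only attachments/ is group-writable, with setgid on its
# directories so files the web server creates there keep the group.
# Usage: hoam_perms /var/www/association.domain.name [owner:group]
#   e.g. hoam_perms /var/www/association.domain.name deploy:www-data
hoam_perms() {
  root="$1"
  owner="${2:-}"   # optional; chown needs root, so it is skipped when omitted
  [ -d "$root" ] || { echo "hoam_perms: not a directory: $root" >&2; return 1; }
  if [ -n "$owner" ]; then
    chown -R "$owner" "$root" || return 1
  fi
  # directories need the execute bit to be traversed, hence 750 rather than 740
  find "$root" -type d -exec chmod 750 {} + || return 1
  # plain files: owner read/write, group read-only, no access for others
  find "$root" -type f -exec chmod 640 {} + || return 1
  # uploads: group read/write, setgid on directories (2770), no access for others
  if [ -d "$root/attachments" ]; then
    find "$root/attachments" -type d -exec chmod 2770 {} + || return 1
    find "$root/attachments" -type f -exec chmod 660 {} + || return 1
  fi
}
```

If HOAM also needs to write PHP session files, point session.save_path at a directory set up like attachments/ rather than loosening the code tree; the "Session data file is not created by your uid" error above is the symptom of a session directory owned by a different user than the one running PHP.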
<policy domain="coder" rights="none" pattern="PDF" />
to
<policy domain="coder" rights="read|write" pattern="PDF" />
If money_format doesn't seem to be working properly, make sure you are defining a valid locale. For example, on Debian, 'en_US' is not a valid locale - you need 'en_US.UTF-8' or 'en_US.ISO-8859-1'. This was frustrating me for a while. Debian has a list of valid locales at /usr/share/i18n/SUPPORTED; find yours there if it's not working properly.
sequence_table being full?