MTO (Addict) - Joined: Jan 2000, Posts: 796
I've been reading on some other pages that it is not recommended at all to have a file like the config.inc.php we have (with the password) in an unprotected directory.
It seems it is true that since it is a PHP file, processed by the server, no one should be able to read the password. But there is a risk that PHP might stop working because of a configuration error, or anything like it, allowing people to see the PHP files as text. You can read more about it here.

Mateo Byler
CruceDeCaminos.com

Enthusiast - Joined: Aug 2000, Posts: 262
Ya, that seems very true. I didn't think about it, but I did such a thing last weekend. The person was using a PHP board, not WWWThreads, and I knew where the config file was and I got the login and pw. And that person used that login and pw for the database as their login and pw for the board. I used their info and made me an admin, and made some boards. Wasn't anything special, but it was done. Stupidity on the webmaster's part though.

--------------
http://extremeforums.org/index

Member - Joined: Jun 1999, Posts: 54
Yup, I just happened to read the same article 2 days ago and was thinking to ask Scream to put more variables in config.inc.php like include path and class pass (for main.inc.php) and other stuff for us to hide those files in at least a _hard_to_guess_ directory with password protection. And maybe even better, in an off-site directory.


Member - Joined: Mar 2000, Posts: 84
There's no reason to make the installation and maintenance of PHP W3T any harder by requiring multiple directories spread around your account's directory. In cases like this, it's often simply more convenient to keep everything in the same directory. What Scream might want to consider doing is moving all those files into their own directory within wwwthreads/ and including an .htaccess file in the package like:

# Deny direct web access to every file whose name ends in .inc.php
# (the pattern is anchored so that a name like "zinc.php" is not caught)
<Files ~ "\.inc\.php$">
Order allow,deny
Deny from all
</Files>

PHP couldn't care less about Apache directives, so includes aren't affected. But anybody nosing around with their web browser will get errors when trying to access those files, regardless of whether or not PHP is whacked out.

This was one of a handful of good ideas proposed under the include() directive in the online manual at php.net.

---------
Shalazar
www.charisma-carpenter.com

Member - Joined: Jun 1999, Posts: 54
Thanks for your reply Shalazar. But I'd like to ask Scream to abstract the include and languages and some other paths into settings instead of hardcoding them in, since it will let us integrate other _not_so_well_written_ ;) PHP scripts into this forum more easily.


Enthusiast - Joined: Aug 2000, Posts: 262
Thanks Shalazar, that didn't even cross my mind. That will work great.

--------------
http://extremeforums.org/index

Coder - Joined: May 1999, Posts: 242
You Linux folks already have options that are far easier than changing code around. With your .htaccess capabilities, you have the option of password protecting files as well as directories, and you can use the *.pm tag to protect all of your .pm files, and similar on your .php files. They will still be available to your system (nobody) user, just won't be accessible via the web unless you know the username and pass. Instructions are at the following:

http://www.wwwthreads.com/support/configuration/passprotect/index.html

I'm still ironing this out on Windows NT, since limiting access to IUSR_Machinename seems to limit both web access and script access. I'm not sure how to separate the two on an NT machine. If anyone has any insight into this, I'd appreciate it. ;)

- Six
mYth productions

MTO (Addict) - Joined: Jan 2000, Posts: 796
Coming back to this old subject because of an interesting solution I recently came across.

Popper, a POP email checker in PHP, had a very interesting instruction: placing the file outside the doc-root!

Here is some text it had:
The document root (doc-root) is the directory where your homepage is stored in. The webserver only can serve files that are located within this document-root directory.
All files outside this doc-root are (or should at least be) inaccessible for the webserver. Therefore, documents that are stored outside the doc-root can't be opened and viewed with a browser via the server.

On Linux/Unix systems running apache, the doc-root is mostly located at /usr/local/httpd/htdocs/ or /usr/local/apache/htdocs/

On Windows systems this often is c:\wwwrun\

Webhosts often use paths like this: /usr/local/apache/vhosts/user94/htdocs/

The information in the file popper.inc.php is vital. It allows access to the database.
Therefore it is important that NO ONE will ever see its content.
To achieve this, we move this file out of the document-root, so that the webserver can't access it. Under normal operation files with the ending '.php' are processed by the PHP engine. Therefore the content of the file popper.inc.php would not be presented to the user agent (i.e. a browser) anyway. But if in some case the PHP engine was stopped or crashed or whatever, there's a chance that the content is shown by the web browser.

You can read more on it here

Just thought I would share this as I thought it could be something that could be of value. ;)
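The "outside the doc-root" idea above, as an added example that is not code from Popper or from WWWThreads. It assumes the layout /usr/local/apache/vhosts/user94/htdocs/ (doc-root) with the secrets in a sibling directory /usr/local/apache/vhosts/user94/private/db.inc.php, and that db.inc.php just does `return array('host' => ..., 'user' => ..., 'pass' => ...);` (names are assumptions, not from the thread).

```php
<?php
// Added example, not code from Popper or WWWThreads: load the database
// settings from a file kept one directory ABOVE the doc-root, so that a
// stopped or crashed PHP engine can never serve it as plain text.
// Assumed layout:
//   /usr/local/apache/vhosts/user94/htdocs/             <- doc-root
//   /usr/local/apache/vhosts/user94/private/db.inc.php  <- secrets
// db.inc.php contains only:
//   <?php return array('host' => '...', 'user' => '...', 'pass' => '...');

function load_private_config($docroot, $filename)
{
    $docroot = realpath($docroot);
    $path    = realpath(dirname($docroot) . '/private/' . $filename);

    if ($docroot === false || $path === false) {
        trigger_error('config file not found', E_USER_ERROR);   // halts the script
    }
    // Refuse the file if it resolves back under the doc-root (symlink, "..");
    // a file the webserver can reach is exactly what we are trying to avoid.
    if (strpos($path, $docroot . DIRECTORY_SEPARATOR) === 0) {
        trigger_error('config must live outside the doc-root', E_USER_ERROR);
    }
    return include $path;   // include returns the array from db.inc.php
}

$db = load_private_config($_SERVER['DOCUMENT_ROOT'], 'db.inc.php');
// $db['host'], $db['user'] and $db['pass'] are now available to this script,
// while a browser request for /private/db.inc.php cannot be served at all,
// because that path is not under the doc-root.
```

A PHP-level guard like this only helps while PHP runs; the protection against the "engine stopped" case comes entirely from the file not being under the doc-root.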

Member - Joined: May 1999, Posts: 90
If you can place the file outside the webserver root directory, the document cannot be served to browsers, period (extensions do not have a meaning either). However, in order to accomplish this you must have write permissions on some directories, which I doubt hosting companies will allow :)

Anyway, even in this case, if you are on a shared server, another client can put a .php script in his dir that includes your file using absolute/relative paths (he must know where your config.inc.php resides, a path which he can find out when a server error occurs and some message like 'error: unable to (whatever) in /home/httpd/.../main.inc.php ...' is displayed) and print all the relevant variables. This is why providers should not allow customers to read files outside their virtual domains' dirs -- which kinda defeats this concept of protecting the password in the first place ;)
It works, however, if you own -- or are alone on -- the server hosting the forum.


The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services