Addict | Joined: Aug 2000 | Posts: 1,609

I was just reading through some literature over at Infopop.com, and came across the security suggestions: http://infopop.com/support/ubbthreads/UBBthreads_security.html They suggested that you place config.inc.php either above your web root or in a password-protected directory. I don't think that having this file below your web root is unsafe, but I guess it could be if CGI files will run anywhere. See if you're at risk by typing in the URL to your threads install and then putting in config.inc.php. If you see text come up, your password could be in there. For example, here at ThreadsDev, it seems you're not at risk: https://www.ubbdev.com/forum/config.inc.php I have moved mine above the web root, so it's ultra-safe! http://www.drumlines.org/threads/config.inc.php It's not there!

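The check described in the post above, written out as a script. This is an added example, not code from the post or from UBB.threads: it builds the probe URL (install URL plus config.inc.php), classifies what comes back, and pulls out password-looking assignments when the server hands back raw PHP instead of running it. The install URL and the response bodies in demo() are constructed for illustration, and the credential-line pattern is an assumption about how such config files look.

```python
# Added example (not from the original post): reproduce the manual check the
# post describes, i.e. request config.inc.php under the forum's URL and see
# whether the server hands back PHP source instead of executing it.
# The URL and the response bodies used in demo() are constructed.
import re
import urllib.error
import urllib.request

# A PHP open tag in the response body means the file was served as text.
# Bare "<?" is not matched so an XML prolog does not count as a leak.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)")

# Assumed shape of a credential line in a config file: $...pass... = '...';
SECRET_ASSIGN = re.compile(
    r"\$(\w*(?:pass|passwd|password|pw)\w*)\s*=\s*['\"]([^'\"]*)['\"]", re.I
)


def probe_url(threads_url, filename="config.inc.php"):
    """Build the URL the post tells you to type: <threads install>/<filename>."""
    return threads_url.rstrip("/") + "/" + filename


def classify(status, body):
    """Say what the server did with the file.

    absent       - nothing at that path (404)
    denied       - the server refused to serve it (401/403)
    source-leak  - PHP did not run and the raw script came back
    executed     - PHP ran the file; a config file normally prints nothing
    """
    if status == 404:
        return "absent"
    if status in (401, 403):
        return "denied"
    if PHP_OPEN_TAG.search(body):
        return "source-leak"
    return "executed"


def leaked_secrets(body):
    """(variable, value) pairs for password-looking assignments in a leaked body."""
    return [(m.group(1), m.group(2)) for m in SECRET_ASSIGN.finditer(body)]


def fetch(url, timeout=10.0):
    """Fetch a URL; HTTP errors come back as (status, body) instead of raising."""
    req = urllib.request.Request(url, headers={"User-Agent": "config-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def demo():
    """Run the classifier over constructed responses; no network involved."""
    base = "https://forum.example.invalid/threads"  # hypothetical install
    samples = {
        # PHP stopped running and the raw file was served (constructed body).
        "leak": (200, "<?php\n$dbuser = 'ubb';\n$dbpass = 's3cret';\n?>"),
        # PHP ran the file; a pure config file produces an empty page.
        "ran": (200, ""),
        # Nothing under the web root at all, as in the post's second URL.
        "missing": (404, "<html><body>Not Found</body></html>"),
    }
    results = {name: classify(*resp) for name, resp in samples.items()}
    results["url"] = probe_url(base)
    return results


if __name__ == "__main__":
    print(demo())
```

To run it against a live site, call fetch(probe_url(base)) and pass the result to classify(); a status 200 with an empty body means PHP executed the file, which is the "not at risk" case the post shows, while a status 200 containing a PHP open tag is the leak.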
I type Like navaho | Joined: Nov 2001 | Posts: 10,369

I'll tell you the reason, and this happened here once. If PHP ever craps out on your server and stops running, then instead of seeing pages, users see the text of your scripts. So above the web root is safest.

Addict | Joined: Aug 2000 | Posts: 1,609

And config.inc.php still exists under the web root here?

I type Like navaho | Joined: Nov 2001 | Posts: 10,369

Our real one is out of the directory. But the "default" (bogus) one might have been uploaded during upgrades.

Journeyman | Joined: Apr 2002 | Posts: 102

I remember a while back PHP crapped out on threadsdev and I tried to warn someone, but I was too late and I think some things were tampered with. At least I think that's what my memory is telling me. If you run PHP as an Apache module you are pretty safe, but if you use the CGI version you are at a greater risk of having it mess up.

Addict | Joined: Apr 2002 | Posts: 1,768

Actually, if you run PHP as an Apache module on a non-dedicated server, then you have another problem. Since PHP runs as the Apache user, typically "nobody", anyone else with an account on the server can potentially access your files.

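An audit of the two things the thread keeps coming back to: whether the config file sits under the web root (so a PHP outage serves it as text) and which accounts on the box can read it (the shared "nobody" problem from the post above). This is an added example, not code from the thread or from UBB.threads; the directory layout in demo() is created in a temporary directory and the file contents are constructed.

```python
# Added example (not from the original post): audit where a config file sits
# and who can read it.  demo() builds a throwaway tree in a temp directory;
# nothing here touches a real install.
import stat
import tempfile
from pathlib import Path


def audit_config(config_path, document_root):
    """Return the problems found, in a fixed order, or [] if there are none.

    under-webroot   - a PHP outage or a CGI misconfiguration would serve the
                      file as plain text
    group-readable  - every account in the file's group can read it
    world-readable  - every account on the box can read it, including the web
                      server's "nobody" user that other customers' PHP scripts
                      also run as when PHP is an Apache module
    """
    cfg = Path(config_path).resolve()
    root = Path(document_root).resolve()
    problems = []
    if cfg == root or root in cfg.parents:
        problems.append("under-webroot")
    mode = cfg.stat().st_mode
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    return problems


def demo():
    """Lay out a shared-host style home directory and audit both placements."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        webroot = home / "public_html"
        webroot.mkdir()

        # The "default" copy an upgrade drops inside the web root, mode 644.
        exposed = webroot / "config.inc.php"
        exposed.write_text("<?php\n$dbpass = 'constructed';\n")  # constructed
        exposed.chmod(0o644)

        # The real one, one level above the web root, readable by owner only.
        hidden = home / "config.inc.php"
        hidden.write_text("<?php\n$dbpass = 'constructed';\n")  # constructed
        hidden.chmod(0o600)

        return audit_config(exposed, webroot), audit_config(hidden, webroot)


if __name__ == "__main__":
    exposed_problems, hidden_problems = demo()
    print("under web root:", exposed_problems)
    print("above web root:", hidden_problems)
```

One caveat when acting on the report: with PHP as an Apache module the file has to be readable by the Apache user for the site to work at all, so clearing the group and world read bits only helps if PHP runs under your own account (the CGI/suexec-style setups the thread contrasts with the module); otherwise moving the file above the web root removes the outage exposure but not the shared-server one.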
I type Like navaho | Joined: Mar 2000 | Posts: 21,079 | Likes: 3

Oh yeah, I usually put a fake one there with the info from a cake recipe in it.

I type Like navaho | Joined: Mar 2000 | Posts: 21,079 | Likes: 3

One more: threadsdev was the reason config files are now put outside the webroot.

I type Like navaho | Joined: Nov 2001 | Posts: 10,369

LOL, that's right. Nice of us to be guinea pigs for security issues.

Lurker | Joined: Oct 2002 | Posts: 3

What about encoding config.inc.php with Zend Encoder or similar software? Is that enough?

Addict | Joined: Aug 2000 | Posts: 1,609

Interesting piece of software. I guess the only real good use one could get out of it is if they're developing a website using PHP for someone, and they don't want them messing with the code or giving it away. Great for developers. I guess it could hide your password if your PHP failed to run and just spat out text. But would it really be worth the price (starting at $960!) of the software when placing it above the web root works?