#244822 04/29/2003 6:36 PM
Joined: Aug 2000
Posts: 1,609
Addict
I was just reading through some literature over at Infopop.com, and came across the security suggestions.

http://infopop.com/support/ubbthreads/UBBthreads_security.html

They suggested that you place config.inc.php either above your web root or in a password-protected directory. I don't think that having this file below your web root is unsafe, but I guess it could be if cgi files will run anywhere.

See if you're at risk by typing in the URL to your threads install and then putting in config.inc.php. If you see text come up, your password could be in there. For example, here at ThreadsDev, it seems you're not at risk. https://www.ubbdev.com/forum/config.inc.php

I have moved mine above the web root, so it's ultra-safe!

http://www.drumlines.org/threads/config.inc.php

It's not there!
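
An added example (not part of the thread and not UBB.threads code) of the self-check described in the post above, generalized to also find stale copies of the file left under the web root. It classifies what your own server returned for config.inc.php and confirms that the real file resolves outside the document root. The function names, directory layout and sample file contents are constructed assumptions.

```python
import os
import re
import tempfile

# An opening PHP tag in a response body means the interpreter did not run
# and the script text itself was sent to the browser.
PHP_SOURCE = re.compile(rb"<\?php\b|<\?=|<\?\s", re.I)

def classify_response(status, body):
    """Classify what your own server returned for config.inc.php."""
    if status in (401, 403, 404):
        return "not-served"      # moved out of the web root, or access denied
    if PHP_SOURCE.search(body):
        return "source-exposed"  # PHP is not executing; settings are readable
    if status == 200 and not body.strip():
        return "executed"        # assumption: the config only sets variables
    return "review"              # anything else needs a manual look

def inside_web_root(config_path, web_root):
    """True if config_path, with symlinks resolved, lives under web_root."""
    cfg, root = os.path.realpath(config_path), os.path.realpath(web_root)
    return os.path.commonpath([cfg, root]) == root

def stale_copies(web_root, name="config.inc.php"):
    """Relative paths of every file called `name` left under web_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        if name in files:
            hits.append(os.path.relpath(os.path.join(dirpath, name), web_root))
    return sorted(hits)

def demo():
    """Constructed layout: real config above the web root, stale copy inside."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "public_html")
        os.makedirs(os.path.join(root, "threads"))
        real = os.path.join(top, "config.inc.php")
        stale = os.path.join(root, "threads", "config.inc.php")
        for path in (real, stale):
            with open(path, "w") as fh:
                fh.write("<?php\n$example_setting = 'constructed';\n")
        return inside_web_root(real, root), inside_web_root(stale, root), stale_copies(root)

if __name__ == "__main__":
    print(demo())
    print(classify_response(200, b"<?php\n$example_setting = 'constructed';\n"))
```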

Joined: Nov 2001
Posts: 10,369
I type Like navaho
I'll tell you the reason.... and this happened here once.

If PHP ever craps out on your server and stops running, then instead of seeing pages... users see the text of your scripts.

So above the web root is safest.

Joined: Aug 2000
Posts: 1,609
Addict
And config.inc.php still exists under the web root here???

Joined: Nov 2001
Posts: 10,369
I type Like navaho
Our real one is out of the directory. But the "default" (bogus) one might have been uploaded during upgrades.

Joined: Apr 2002
Posts: 102
Journeyman
I remember a while back PHP crapped out on threadsdev and I tried to warn someone but I was too late and I think some things were tampered with. At least I think that's what my memory is telling me. If you run PHP as an Apache module you are pretty safe, but if you use the CGI version you are at a greater risk of having it mess up.

Joined: Apr 2002
Posts: 1,768
Addict
Actually, if you run PHP as an Apache module on a non-dedicated server, then you have another problem. Since PHP runs as the Apache user, typically "nobody", then anyone else with an account on the server can potentially access your files.

Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
oh yeah, I usually put a fake one there with the info from a cake recipe in it


- Allen wavey
- What Drives You?
Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
uno mas, threadsdev was the reason config files are now put outside the webroot


- Allen wavey
- What Drives You?
Joined: Nov 2001
Posts: 10,369
I type Like navaho
LOL

That's right.

Nice of us to be guinea pigs for security issues.

Joined: Oct 2002
Posts: 3
Lurker
What about encoding config.inc.php with Zend Encoder or similar software, is that enough?

Joined: Aug 2000
Posts: 1,609
Addict
Interesting piece of software. I guess the only real good use one could get out of it is if they're developing a website using PHP for someone, and they don't want them messing with the code or giving it away. Great for developers. I guess it could hide your password if your PHP failed to run and just spit out text. But would it really be worth the price (starting at $960!) of the software when placing it above the web root works?


The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services

 