Joined: Feb 2005
Posts: 21
stranger
Aren't we supposed to do something to secure the config.inc.php file? Like something in .htaccess or moving it out of the includes directory or tightening permissions? It seemed there used to be two or three recommended steps, but now it seems like we just leave it in includes with the same 0666 permissions as the rest of the includes directory files, according to the installation documentation. Is that right? Is it secure? Doesn't it leave the database user and that user's password open for reading?
Thanks in advance, Maria
Joined: Apr 2004
Posts: 1,945 Likes: 145
For security reasons, Apache prevents PHP files from being downloaded so that the source code is unreadable, unless there is a server failure while you attempt the download. Normally, you'll only get the HTML output of a PHP file on your local computer as a "gift", not the source code. The config.ini.php contains only PHP code, and no HTML code.
If you locked your config.php file down at the server level with a 444, then it won't be able to be changed through the Control Panel. A CHMOD setting of 644 for that file is advised. The includes directory (IIRC) should be 755. That CHMOD setting will pass within the "Permissions Checks" control panel tool.
Though via .htaccess, setting a user/password for your /admin and /templates/default directories is suggested.
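
A permission audit for the modes advised in the reply above (includes directory 755, config file 644), added here as an example that is not part of the original thread or of the forum software. The `<root>/includes/config.inc.php` layout, the function names and the finding labels are assumptions.

```shell
#!/bin/sh
# Added example: audit an install's includes directory against the modes
# advised in the thread (directory 755, config.inc.php 644).
# Assumed layout: <root>/includes/config.inc.php

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_includes ROOT
# Prints one finding per line and returns 1 if anything was found, else 0.
audit_includes() {
    inc="$1/includes"; cfg="$inc/config.inc.php"; bad=0
    [ -d "$inc" ] || { echo "MISSING $inc"; return 1; }

    m=$(mode_of "$inc")
    [ "$m" = 755 ] || { echo "DIR_MODE $inc is $m, advised 755"; bad=1; }

    if [ -f "$cfg" ]; then
        m=$(mode_of "$cfg")
        [ "$m" = 644 ] || { echo "CFG_MODE $cfg is $m, advised 644"; bad=1; }
    else
        echo "MISSING $cfg"; bad=1
    fi

    # Files with the "other" write bit set (for example 0666) can be
    # rewritten by any local account on a shared host. Listed for review.
    ww=$(find "$inc" -type f -perm -0002 -print)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD_WRITABLE /'
        bad=1
    fi
    return "$bad"
}

# Run against a path when one is given on the command line.
if [ $# -gt 0 ]; then
    audit_includes "$1"
fi
```

Run it as `sh audit.sh /path/to/forum`; a clean install prints nothing and exits 0.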
Joined: Feb 2005
Posts: 21
stranger
Thanks so much for your speedy help! I will take care of those things now.
Joined: Jun 2006
Posts: 16,299 Likes: 116
I have a .htaccess file in directories that the UBB does not embed files from that is:

# Start .htaccess file #
# Deny viewing of .htaccess #
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Don't Allow Access #
AuthType Basic
AuthName "Access Denied"
Require valid-user
# End of .htaccess file #

As there is no user listing it will always deny browsing of the directory. I use this all over my CMS, you'll find through trial and error where to place it (if it pops up when browsing your forums, then you have it in a folder that we're calling files from, such as the libs folder).
Joined: Feb 2005
Posts: 21
stranger
Hi Gizmo, thank you for that idea. I've just moved servers and now I'm going to do the update from 7.5.8 to 7.5.9.