This modification was brought to you by
KXDesign
http://www.kxdesign.com/


~Modification name
Rename Config File

~Modification description
This modification allows you to rename or move the config.php file.This is to protect your sensible information and increase the security of your vBulletin board.

The majority of boards get hacked because a hacker uploads a malicious script to get hold of the config.php content.But if you move or rename it,there is no chance that they find out the location of it.

Tips & Tricks:

vBSEO - https://vborg.vbsupport.ru/showpost.php?p=1746661&postcount=24
Fool Hackers - https://vborg.vbsupport.ru/showpost.php?p=1746398&postcount=23

~Modification options
None

~Modification info
File uploads: 0
File edits: 1
Templates: 0
Template edits: 0
Plugins: 0
SQL Queries: 0
Phrases: 0
Settings: 0
Hooks: 0

Install time: 1 minute
Install level: Light

~Modification installation

Step 1: Open includes/class_core.php and find:

include(CWD . '/includes/config.php');

if (sizeof($config) == 0)
{
if (file_exists(CWD. '/includes/config.php'))
{
// config.php exists, but does not define $config
die('<br /><br /><strong>Configuration</strong>: includes/config.php exists, but is not in the 3.6+ format. Please convert your config file via the new config.php.new.');
}
else
{
die('<br /><br /><strong>Configuration</strong>: includes/config.php does not exist. Please fill out the data in config.php.new and rename it to config.php');
}
}

And replace it with:


include(CWD . 'XXXXX');

if (sizeof($config) == 0)
{
if (file_exists(CWD. 'XXXXX'))
{
// config.php exists, but does not define $config
die('<br /><br /><strong>Configuration</strong>: includes/config.php exists, but is not in the 3.6+ format. Please convert your config file via the new config.php.new.');
}
else
{
die('<br /><br /><strong>Configuration</strong>: includes/config.php does not exist. Please fill out the data in config.php.new and rename it to config.php');
}
}

Where XXXXX is the relative path to your new config file.It can be, for instance:
admincp/mynewconfig.php or includes/configuration.php .

~Modification screenshots
None


~Modification changelog


1.0.0 - First Release



~Modification copyright
This may not be distributed,released or claimed as your work without author's permission.

~Reserved~

i don't understand :S

wow nice work!

this mod is simple -> it will let you change/rename your config file

but if they read this file.. they will find out...

so whats the point?

just asking

Which means each time you upgrade you will need to edit includes/class_core.php before uploading.

If Hacker read files class_core will know the path of the new config files???

very usefull . thanks

wow nice work!

this mod is simple -> it will let you change/rename your config file




but if they read this file.. they will find out...

so whats the point?

just asking

You can select your own unique name and directory.And hackers usually ignore the class_core.php and it's harder to read that one,because it contains lots of functions and code,wheras the config.php has only comments and a couple of variables which can be called easily.

I was thinking about encryption of "config.php" codes ... and suddenly I see this mode ...

When the Server has a weak security there is no solution !
but using this mode + encryption can protect your site more . And will make things too hard for hackers.

Thanks Ziki to share your idea . *

nice, thank

You won't be able to upgrade your forum in future, unless you remember to rename the config.php file back to config.php and overwrite the modified class_core.php file BEFORE proceeding with the upgrade.

Edits to class_core.php should only then be re-applied AFTER the upgrade is complete.


Here's the code in upgradecore.php that would stop you from upgrading until the file exists as "config.php":

Note: You could also change the config.php reference in this file, but you'd have to remember to make that change every time the file is overwritten with the newer version when updating.
// config file check
if (!file_exists(DIR . '/includes/config.php'))
{
echo "<p>{$upgradecore_phrases['ensure_config_exists']}</p>";
$errorthrown = true;
}

Also, I recommend changing "config.php" to something as obscure as possible, as it's easy to read the contents of a folder in a php file.

Calling it "configuration.php" or "mynewconfig.php", even in another directory, doesn't make it particularly difficult for a hacker to figure out where your config.php has gone, if he wants to hack your site and already has the means to put a malicious file onto your server.

:)

I wonder if you can remove the current working directory and move it above root?
Like outside of public_html/ ?
include('/home/inc/XXXXX');
or
include('../../XXXXX');

No,it has to stay in vBulletin root.

It didn't work. What I did was made a folder in the root like this: blahblah/blahblah/newconfigfilename.

I came up with an error. Any ideas? TIA.

Is the folder in vbulletin root?

Is the folder in vbulletin root?

Yes. It is forum/Folder/Folder

Is the set URL relative?

Is the set URL relative?

Yes. If you mean that I didn't list it. What I did is replace:


if (file_exists(CWD. '/includes/config.php'))


With the new path:


if (file_exists(CWD. '/newfolder/newfolder/newname.php'))


I also made the other change.

is it works with vbulletin 3.7.x

Yes there is a 3.7 version as well.

This is excellent, however, it would not find the wording exactly, so, I hope this really works the way I had to do it. I only changed the path, and moved the file. The board works, so I hope this accomplished what we're trying to do here...

Thanks!
:up:

why not keep a fake copy of config.php with this mod, in the original folder to fool hackers?

ye, cuz ur out of your forums folder! the folder has to be in your forums folder!

if sumone is using vbseo, uve to change the config path in config_vbseo.php too!

search
define('VBSEO_VB_CONFIG', 'config.php');

replace with
define('VBSEO_VB_CONFIG', '../folder/newconfig.php');

important is the .. !

why not keep a fake copy of config.php with this mod, in the original folder to fool hackers?

ye, cuz ur out of your forums folder! the folder has to be in your forums folder!

if sumone is using vbseo, uve to change the config path in config_vbseo.php too!

search
define('VBSEO_VB_CONFIG', 'config.php');

replace with
define('VBSEO_VB_CONFIG', '../folder/newconfig.php');

important is the .. !

Will add these to the first post!

That works great on my 3.7.5, except with the Mod "IbProArcade". There it gives me a Database error because it still tries to include the original Filename of the config.php. :(

Is there a problem with IPBProArcade Ziki?

Thanks,
Curt

I don't know I didn't test it.

This seems a bit pointless, in my opinion. If a hacker was determined enough (and as this addon becomes used more and more), then I don't see much of a point. They'll just know to check the core file. Your best bet was to keep this to yourself, if your goal was security. Sharing this sort of threw it out of the "Secure" category.

Also, as long as your MySQL server only allows access to your server (and not everyone), (cPanel servers are often configured this way, and you can add exceptions in the cPanel) then even if that have that information, it does them no good.

Also, proper website/server security would make it really difficult for a hacker to upload a file to your server, and even if they did, why bother with this as they probably have full access anyway?

Just my opinion. Take it with a grain of salt :)

Thanks :D

if you guy think that hacker would easy to hack into vbulletin files, so i think vbulletin wont live and growing well as now, dont you think ?

Not working here, I am also geting error. I did everything you said, file is in VB root but still nothing.

If I'm hacker who had a 'shell' in your server, I'll view source of file class_core.php to find real path of config file. So what ?

mod posted without permission from previous authors

Well in that case the previous author would have to be my father as this was written from scratch :). And there's really not much about this mod, it would be like giving instructions to changing the background color of your site and claiming copyright for it :)

If Hacker read files class_core will know the path of the new config files???

If they can read the config.php somehow, don't you think they could read other files? That's why my config.php is encrypted.

ye, cuz ur out of your forums folder! the folder has to be in your forums folder!

if sumone is using vbseo, uve to change the config path in config_vbseo.php too!

search
define('VBSEO_VB_CONFIG', 'config.php');

replace with
define('VBSEO_VB_CONFIG', '../folder/newconfig.php');

important is the .. !

This renaming will work just fine with vBulletin 4.0 and for vBSEO 3.5 RC2 you need to modify the config.xml file located here:

www.yoursite.com/forum/vbseo/resources/xml/config.xml

Differently then you see in the quote above since the config file is now an xml file ;).

Change the following lines and replace the newfolderlocation and newconfigname.php with your new folder and file names :D

<setting>
<name>VBSEO_VB_CONFIG</name>
<value><![CDATA[../newfolderlocation/newconfigname.php]]></value>
</setting>

Then upload the config.xml file back to your server and no more errors from vBSEO ;).

Enjoy!

Mike

This would go great with the old .htaccess

<Files config.php>
deny from all
</Files>