vb.org Archive - Protect your Config.php from Hackers

Quote:

Originally Posted by MaryTheG(r)eek (Post 2219726)

First of all, and please correct me if I'm wrong you're talking for editing htaccess file right? In this case, just keep in mind that not all users know how to use such files, and most important, not all server configurations can use htaccess (eg win/iis). At least so easy as *nix servers.

Well - doesn't matter if htaccess or not - IIS also supports restrictions. The problem is just that VB (and so PHP) need to read this file so it basically doesn't matter where it's put. By default the config file isn't remotely accessible anyways.
And remembering some VB bugs (like the FAQ one revealing the DB info) - then it doesn't matter where this file is because VB needs it to work at all.

Quote:

Originally Posted by MaryTheG(r)eek (Post 2219726)

Second, but this is just my opinion, I believe that anything outside the public area is "more" secure. Not that is totally secure, but it has a greater security level.

That depends. Writeable directories like the attachments should be stored outside the webroot, without any doubt.
For readable files like configurations, there's for the webserver absolutely no difference having them placed in the "includes" directory and set that via "Deny from all" to only allow local access or moving them somewhere into a directory that has the same restrictions (like /etc).

It's maybe a bit more userfriendly to setup the "includes" directory to disallow access because you don't need to edit VB core files.

And - for the worst case - if it happens that VB has some kind of LFI or info revealing bug - then it doesn't matter where this file is.

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (4)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

X vBulletin 3.8.12 by vBS Debug Information

Page Generation 0.00962 seconds
Memory Usage 1,725KB
Queries Executed 10 (?)

More Information

Template Usage:

(1)ad_footer_end
(1)ad_footer_start
(1)ad_header_end
(1)ad_header_logo
(1)ad_navbar_below
(2)bbcode_quote_printable
(1)footer
(1)gobutton
(1)header
(1)headinclude
(6)option
(1)pagenav
(1)pagenav_curpage
(1)pagenav_pagelink
(1)post_thanks_navbar_search
(1)printthread
(4)printthreadbit
(1)spacer_close
(1)spacer_open

Phrase Groups Available:

global
postbit
showthread

Included Files:

./printthread.php
./global.php
./includes/init.php
./includes/class_core.php
./includes/config.php
./includes/functions.php
./includes/class_hook.php
./includes/modsystem_functions.php
./includes/class_bbcode_alt.php
./includes/class_bbcode.php
./includes/functions_bigthree.php

Hooks Called:

init_startup
init_startup_session_setup_start
init_startup_session_setup_complete
cache_permissions
fetch_threadinfo_query
fetch_threadinfo
fetch_foruminfo
style_fetch
cache_templates
global_start
parse_templates
global_setup_complete
printthread_start
pagenav_page
pagenav_complete
bbcode_fetch_tags
bbcode_create
bbcode_parse_start
bbcode_parse_complete_precache
bbcode_parse_complete
printthread_post
printthread_complete

Messages:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.00962 seconds Memory Usage 1,725KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (4)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: