vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3 Articles (https://vborg.vbsupport.ru/forumdisplay.php?f=187)
-   -   A mere config.php encoding is useless (https://vborg.vbsupport.ru/showthread.php?t=117694)

Milad 06-04-2006 10:00 PM
A mere config.php encoding is useless
 
1 Attachment(s)
Some developers say: "To protect yourself from hackers attacks, encode your config.php" and some other advices.

The mere encoding that is applied to config.php isn't enough.

Because if the hacker has the ability to (create or edit) and excute php files on your filesystem, he would be able to read your config.php variables even if config.php is encoded.

This is very simple and powerful script, it reads your encoded config.php, treats the $config array, and dissplays the variables in nice table.

PHP Code:
// HERE IS THE PATH TO CONFIG.PHP
include('./354/includes/config.php');

echo '<table cellspacing="0" cellpadding="3" align="center" width="500" style="background: #D1D1E1; color: #000000; border: 1px solid #0B198C;">';

foreach ($config as $key => $value)
{
    echo '<tr><td colspan="2" align="center" style="background: #5C7099; color: #FFFFFF; font: bold 10pt verdana, geneva;">' $key '</td></tr>';

    foreach ($value as $key2 => $value2)
    {
        echo '<tr><td width="50%" style="background: #E1E4F2; color: #000000;">' $key2 '</td><td width="50%" style="background: #F5F5FF; color: #000000;">' . ($value2 $value2 '&nbsp;') . '</td></tr>';
    }
}

echo '</table>'
The output will be like this:


This doesn't mean that vBulletin is insecure, this can be applied to any script.

The solution is at your host, so choose an excellent host.

Don't forget to protect your directories.

Hellcat 06-05-2006 02:43 PM
Quote:
Originally Posted by Milad
Because if the hacker has the ability to (create or edit) and excute php files on your filesystem, [...]
....you have a problem anyway!

Noone should be able to create random files on your filesystem in the first place.
This can only be done via pretty unsecure uploading scripts or such....
Always be carfull with those!

HaMaDa4eVeR 06-05-2006 04:33 PM
Quote:
Originally Posted by Milad

The solution is at your host, so choose an excellent host.

Don't forget to protect your directories.
you're right you can easly print the value of config file
PHP Code:
echo $config['Database']['dbname']; 
and you will get the name of db.

but happience if you change the name of the variable $config,
rename $config['Database']['dbname']; to $myconfig['Database']['dbname'];
and change the class files
but what's the solution !!!

by anther meaning, what do you meant "excellent host",
explain more if you can

thanks :)

Milad 06-06-2006 09:36 AM
Hellcat said : "This can only be done via pretty unsecure uploading scripts or such...."

And if your host is not profissional, you will face some problems with him.

A friend of mine, had givem me my config.php, and I was confused about this, I don't have any upload script on my site but ecdownloads only, and it's secure.

I don't allow members to upload files at risk rates.

He could to create files in my active 777 directories.

So I moved to a new host. and protected my active 777 directories.

Thanks :)


All times are GMT. The time now is 11:44 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01004 seconds
  • Memory Usage 1,726KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_php_printable
  • (2)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (4)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete