#4
12-27-2009, 07:28 PM
Angel-Wings
Join Date: Sep 2007
Posts: 206
Thanked others: 0 times
Was thanked: 0 times in 0 posts

Well, well

Quote:
Originally Posted by mikey1991
... I did a recursive CHMOD of 0644....
0440 or 0400 can be enough. It depends on how your web server is configured, but in my opinion the PHP user should never be able to write anywhere inside the webroot.
You can configure VB to use an uploads directory somewhere outside the webroot, which is much better.

Quote:
Originally Posted by mikey1991
PHPMYADMIN
Well - if that thing is installed one will for sure have other problems than securing VB - best way - remove phpMyAdmin completely, especially if you can use SSH to forward database connections through a tunnel to your local host.

Quote:
Originally Posted by mikey1991
If you have SSH access to your server, ask your host to remove it

And instead of removing SSH - ask the host if they can switch to public key authentication and, for God's sake, keep it running.
Instead, try to use SFTP and remove FTP, giving you the ability to tighten up the file permissions even more.

The problem is that if you remove SSH, which can be configured securely, but keep phpMyAdmin running and have 0644 permissions, you secure the wrong side of the server.
General recommendation - if possible, never let the PHP user write anywhere inside the webroot; mod_sec / suhosin are good, if configured right, to prevent RFIs / LFIs and injections; and try to remove FTP completely and rely on the much more secure SSH / SFTP with (and only with) public key auth.

Then you can easily configure your web server so that admincp / modcp logins are SSL based - maybe with client cert authentication.

Please - don't misunderstand me - phpMyAdmin is just an example of a thing that should be removed completely. Unsafe software won't get more secure if you make the door smaller - as long as it's there, it's a risk.
The same applies to FTP when SFTP is available as an option, and finally to the problem that PHP should never write anywhere in the webroot.
If you still decide to keep CSS-related style changes in the webroot, you can set the directory where these files are kept with:

Quote:
<Directory "/where_ever_it_is/clientscript/">
php_admin_flag engine off
</Directory>
Or remove the handlers when using FastCGI. The same applies to all other folders where no PHP files are run (images, js and so on), and it should especially apply to every folder where PHP is able to do write operations, such as the uploads directory.
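As an added example (not from the post above or from vBulletin), an Apache 2.4 configuration that puts the whole post into practice: no PHP execution in the static directories, the uploads directory outside the webroot, and admincp / modcp behind TLS with a client certificate. All paths and the vhost layout are assumptions.

```apache
# Added example, not from the original post. Paths and names are assumptions:
# webroot /var/www/forum, uploads relocated to /var/lib/vbulletin/uploads
# (outside the webroot, as the post recommends), CA file for admin client certs.

# 1. Directories that only serve static files: no PHP execution at all.
<Directory "/var/www/forum/clientscript">
    php_admin_flag engine off         # mod_php only; drop this line under PHP-FPM
    AllowOverride None                # .htaccess cannot re-add a PHP handler
    Options -ExecCGI -Includes
    # SAPI-independent safety net: a server-wide <FilesMatch> SetHandler for
    # PHP-FPM can override a per-directory RemoveHandler, but access control
    # runs before any handler, so denying the files themselves is reliable.
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>

<Directory "/var/www/forum/images">
    php_admin_flag engine off         # mod_php only; drop this line under PHP-FPM
    AllowOverride None
    Options -ExecCGI -Includes
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>

# 2. The only place PHP may write. It is not under DocumentRoot, so nothing in
#    it can be requested by URL; vBulletin reads attachments through its own
#    script. The deny block is belt and braces in case an Alias ever appears.
<Directory "/var/lib/vbulletin/uploads">
    Require all denied
</Directory>

# 3. admincp / modcp only over TLS, with a client certificate on top of the
#    vBulletin login. Put these inside the *:443 vhost that has SSLEngine on
#    and SSLCACertificateFile set; the plain-HTTP vhost should only redirect.
<Location "/admincp">
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
</Location>
<Location "/modcp">
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
</Location>
```

Check the result with `apachectl -t` and then request a dummy `test.php` placed in `images/`: it must come back as 403, not as executed or as source.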
