The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Hello all,
Here is a very easy way to protect your config.php (and thus your valuable database):
Code:
<?php require_once("/home/username/config.php"); ?>
That's all. Connection details to your database are now hidden to hackers.
Maria
PS- I did a search before posting the advice, but I didn't find anything. If a similar article exists, then my apologies, but it is well hidden.
#2
Quote:
I prefer the above as many simply do not know about this, and not to mention you're telling a hacker where config.php is within the old config.php when/if they have a copy, although they may not think to look for the edit within class_core (if you do not preserve timestamp info when editing or uploading the modified file).
#3
Sorry if I'm missing something, but how does this stop hackers?
Not trying to be negative, but I also don't want people thinking that moving their config.php is going to protect them from hackers. At best it'll just cause some minor problems when they go to upgrade.
Thanks from: TheLastSuperman
#4
Quote:
#5
Come on. Be ...serious
In any case I was talking in general. And it is well known from the early days of PHP that configuration files are better not stored in the public area.
A daily example: there are many site owners who give FTP access to the public area to someone to fix something. Why have the database login details available to him?
Maria
--------------- Added [DATE]1310151314[/DATE] at [TIME]1310151314[/TIME] ---------------
By the way, nice to see you back, Sir Adrian.
Maria
#6
If they have FTP access, all they need to do is add var_dump($vbulletin->config) anywhere after global.php to see the password being used. Or they can look in init.php / class_core.php to see where the config.php is located. Even if they can't use FTP to view that directory, they can use file_get_contents() or similar to read the file.
There are lots of things you can do to stop hackers. This may slow someone down for 3-4 minutes, but I don't think that 3-4 minutes is worth botching upgrades for. That's not my call, of course; people are free to do what they want.
Thanks
Cheers
Thanks from: Badshah93
#7
At least for me, you helped me a lot and I'm grateful for it. Even coding since 1984, I'm self-taught. Lots of money for a Greek to study in the US 35 years ago.
Again, thank you.
Maria
Thanks from: Adrian Schneider
#8
Quote:
Keep up the good work, Adrian.
Jeff
Thanks from: Adrian Schneider
#9
And what's the difference between this and a simple yet working:
Quote:
Doesn't require any modification of core files and the result is the same. Because after moving the file out, it is still no problem to use LFI to get it, because you have to change your open_basedir value to the corresponding path. Moving the file around doesn't add much protection - just a difference for a user getting either a 403 or a 404. Especially - dunno, but I don't like the idea of adding something in $HOME to open_basedir.
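The trade-off raised in posts #6 and #9, as an added example that is not part of the thread or of vBulletin: a PHP check that reports, for a given config location, whether the file has a URL under the document root and whether PHP code running in the site can still read it under open_basedir. The function names and sample paths are assumptions made for illustration; Unix paths and a colon-separated open_basedir value are assumed.

```php
<?php
// Added example, not from the thread. All paths below are constructed samples.

/** True if $path equals $base or lies beneath it (both already normalised). */
function path_is_under(string $path, string $base): bool
{
    $base = rtrim($base, '/');
    return $base === '' || $path === $base || strpos($path, $base . '/') === 0;
}

/**
 * Report what relocating the config file does and does not change.
 * $openBasedir uses php.ini syntax: colon-separated directories, '' = unrestricted.
 */
function audit_config_location(string $config, string $docRoot, string $openBasedir): array
{
    $findings = [];

    // Inside the docroot the file has a URL, so its source is exposed if the
    // PHP handler is ever disabled or misconfigured and files are served raw.
    $findings['web_addressable'] = path_is_under($config, $docRoot);

    // require_once() only works if open_basedir covers the file, and whatever
    // the forum may read, any other script running in the same site may read.
    $readable = ($openBasedir === '');
    foreach (array_filter(explode(':', $openBasedir)) as $dir) {
        $readable = $readable || path_is_under($config, $dir);
    }
    $findings['readable_by_site_php'] = $readable;

    return $findings;
}

$docRoot = '/home/username/public_html';
$cases = [
    'default location'          => ['/home/username/public_html/forum/includes/config.php', $docRoot],
    'moved, open_basedir wider' => ['/home/username/config.php', $docRoot . ':/home/username'],
    'moved, open_basedir as-is' => ['/home/username/config.php', $docRoot],
];
foreach ($cases as $label => [$config, $basedir]) {
    echo $label, ': ', json_encode(audit_config_location($config, $docRoot, $basedir)), "\n";
}
```

In the third case the file is neither addressable nor readable, which means the forum's own require_once fails; making the move work requires the second case, where site code can read the file again.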
#10
Quote:
Second, but this is just my opinion, I believe that anything outside the public area is "more" secure. Not that it is totally secure, but it has a greater security level.
Third and last. I didn't write that my method is the best, or the only one available. I wrote something from my experience as you did with yours. Sure, there should be other ways too.
Maria