tl wrote:
Personally, I don't like the idea of the username/password combo under the web tree. I would move them out.
You may want to check this TIP on moving the combo out of the web tree
http://xoops-tips.com/modules/news/article.php?storyid=1
JMorris wrote:
The problem appears to be in the template set for the modules. This is an issue I've run into countless times. You'll need to clone your template set and edit the modules' templates that are causing the problem.
m0nty wrote:
Quote:
danielh2o wrote:
In my case, I need to use phpMyAdmin from the browser to access the DB, so I am afraid someone (can read sensitive info from mainfile.php) can get this hole.
What hole?
I access phpMyAdmin via my browser along with everyone else who uses phpMyAdmin. I can't understand your issue of being afraid of mainfile being read by using phpMyAdmin?
phpMyAdmin needs to be in a secure section of your site anyway if your control panel doesn't have phpMyAdmin installed, and the username and password are also in the phpMyAdmin config files, which is why the phpMyAdmin folder should be protected. Most servers are set up so that only scripts originating from your own server can access the MySQL database. Any outside connections will be refused, which means even if somebody does read your mainfile.php file there isn't much they can do with it anyway, as all attempts to connect to the database will be refused if they aren't from scripts on your server.
DonXoop wrote:
The mainfile.php can't be read by a browser call (try it). It doesn't output anything. If someone gets access to the server or puts in a script that can read arbitrary files you have problems.
If they do get the info then they still need access to the db server which should never be allowed from the internet anyway. It would likely be someone with access to your server which means you already have a bigger problem.
Besides all the other security ideas you can also prevent attempts at reading the file with a line in your server config or .htaccess file:
Quote:
<Files ~ "mainfile.php">
Order allow,deny
Deny from all
</Files>
JMorris wrote:
RE: mainfile.php
If you're paranoid about security, you may want to take a look at the Xoops Protector module. You'll need to do some mild hacking to install it, but it will protect the contents of the mainfile.php.
jdseymour wrote:
You want to make the file unreadable to prying eyes: chmod 444.
Also see this faq:
https://xoops.org/modules/smartfaq/faq.php?faqid=286
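A check for two points raised in this thread (the database username/password sitting under the web tree, and chmod 444 on mainfile.php), as an added example that is not part of any post above. It assumes the constant names XOOPS_DB_USER and XOOPS_DB_PASS from a stock XOOPS 2.x mainfile.php; the sample file and paths are constructed.

```python
import os
import re
import stat
import tempfile

# Assumption: constant names as in a stock XOOPS 2.x mainfile.php.
CRED_RE = re.compile(
    r"define\(\s*['\"](XOOPS_DB_USER|XOOPS_DB_PASS)['\"]\s*,\s*['\"]([^'\"]+)['\"]")

# Constructed sample file, not taken from a real site.
SAMPLE = """<?php
define('XOOPS_DB_USER', 'xoops_user');
define('XOOPS_DB_PASS', 'constructed-password');
"""

def audit_mainfile(path, docroot):
    """Return findings for a mainfile.php located at path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o222:  # any write bit set; chmod 444 clears all three
        findings.append("writable: mode %03o" % mode)
    real, root = os.path.realpath(path), os.path.realpath(docroot)
    under_web_tree = os.path.commonpath([real, root]) == root
    with open(path, encoding="utf-8", errors="replace") as fh:
        names = sorted({m.group(1) for m in CRED_RE.finditer(fh.read())})
    if under_web_tree and names:
        findings.append("literal credentials under web tree: " + ", ".join(names))
    return findings

def demo():
    """Audit the constructed sample before and after chmod 444."""
    with tempfile.TemporaryDirectory() as docroot:
        path = os.path.join(docroot, "mainfile.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit_mainfile(path, docroot)
        os.chmod(path, 0o444)
        after = audit_mainfile(path, docroot)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("644", "444"), demo()):
        print(label, result)
```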