1
Darrell3831
Security Question
  • 2004/8/6 3:15

  • Darrell3831

  • Just popping in

  • Posts: 8

  • Since: 2004/8/5 1


Wouldn't it make sense to remove all the content from mainfile.php and in its place have an include statement that pulls in the original content from a directory that is not accessible by the public?

<?php
// Pull in the real mainfile.php from a directory the web server does not serve
include("/home/virtual/site1/fst/tmp/mainfile.php");
?>


With your database user login id and password in mainfile.php, and mainfile.php being in a public directory, aren't we taking a chance of it being compromised?

Thanks,
Darrell

2
Dave_L
Re: Security Question
  • 2004/8/6 3:37

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


I think your suggestion makes sense. Not everyone could do that, though. Some server configurations might not allow it.

I use an .htaccess file to protect mainfile.php:
<Files "mainfile.php">
Deny from all
</Files>


But locating the sensitive information outside the web document root is better.

3
Darrell3831
Re: Security Question
  • 2004/8/6 5:59

  • Darrell3831

  • Just popping in

  • Posts: 8

  • Since: 2004/8/5 1


That's great Dave,

Because I have a virtual server I do have the ability to move it outside the public_html directory structure.

Thanks for the confirmation and response!

I appreciate it.

Darrell

P.S. I've just tested it and it does work.

4
Herko
Re: Security Question
  • 2004/8/6 6:53

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


XOOPS 2.2 will have the mainfile info put in a private directory.

Herko

5
Darrell3831
Re: Security Question
  • 2004/8/6 13:50

  • Darrell3831

  • Just popping in

  • Posts: 8

  • Since: 2004/8/5 1


That's great Herko,

Had this been in the works all along? I might have missed it somewhere else. I tried to take two days and just read before I started posting.

The non-sensitive aspects of mainfile.php could remain and, optionally during installation, if a site admin chose to do so, the critical information itself could be stored outside the web root with an #include in mainfile.php to pull it in.

I'd consider this an advanced topic for some. It could benefit from documentation in the install script and in mainfile.php.

Thanks,
Darrell
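
Added example, not part of the original posts and not XOOPS code: a stub for the public mainfile.php that pulls in the private file only after confirming it really resolves outside the document root. The helper names is_outside_docroot() and load_private_config() are hypothetical, the path is the one quoted in the first post, and the private file is assumed to set its values with define().

```php
<?php
// Added example, not XOOPS code. is_outside_docroot() and load_private_config()
// are hypothetical helpers; the path is the one quoted in the first post.

/** True only if $file resolves (symlinks followed) to a path outside $docroot. */
function is_outside_docroot(string $file, string $docroot): bool
{
    $real = realpath($file);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        return false; // unresolvable path: fail closed
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) !== 0;
}

/** Pull in the private settings, refusing a file the web server could serve. */
function load_private_config(string $file, string $docroot): void
{
    if (!is_outside_docroot($file, $docroot)) {
        error_log("config refused: $file is missing or inside $docroot");
        http_response_code(500);
        exit('Configuration error.'); // no path or credential detail to the client
    }
    if ((fileperms($file) & 0002) !== 0) {
        error_log("config refused: $file is world-writable");
        http_response_code(500);
        exit('Configuration error.');
    }
    // Assumes the private file sets its values with define(), so they stay
    // visible after this function returns.
    require $file;
}

// Only runs when the web server supplies a document root (not under the CLI).
if (!empty($_SERVER['DOCUMENT_ROOT'])) {
    load_private_config('/home/virtual/site1/fst/tmp/mainfile.php', $_SERVER['DOCUMENT_ROOT']);
}
```

The realpath() comparison also catches a symlink placed outside the web root that points back to a file inside it.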

6
tl
Re: Security Question
  • 2004/8/6 14:13

  • tl

  • Friend of XOOPS

  • Posts: 999

  • Since: 2002/6/23


In the meantime, you may want to check this out:

Move MySQL username/password out of mainfile.php
http://xoops-tips.com/modules/news/article.php?storyid=1

7
Darrell3831
Re: Security Question
  • 2004/8/6 14:38

  • Darrell3831

  • Just popping in

  • Posts: 8

  • Since: 2004/8/5 1


LOL,

Thanks tl. I had not read that before now, but it was exactly what I was talking about in this thread.

I have already implemented this on my own test site last night. (I'm evaluating XOOPS for the first time.)

Darrell
