1
danielh2o
mainfile.php secure?
  • 2004/12/13 6:12


XOOPS root's mainfile.php hardcodes the DB username & password for the DB connection, but it is disclosing sensitive info!

Only the OS's file-system access rights (e.g. chmod) keep this file safe from outsiders; is it really safe?!

Any security comments/suggestions about this?

Any alternatives?

2
jdseymour
Re: mainfile.php secure?

You want to make the file unreadable to prying eyes: chmod 444.

Also see this faq:

https://xoops.org/modules/smartfaq/faq.php?faqid=286

3
danielh2o
Re: mainfile.php secure?
  • 2004/12/13 8:29


Good doc!

And how about robots/spiders on the net? What XOOPS files/directories should I DISALLOW (especially mainfile.php)?


Quote:

jdseymour wrote:
You want to make the file unreadable to prying eyes: chmod 444.

Also see this faq:

https://xoops.org/modules/smartfaq/faq.php?faqid=286

4
jdseymour
Re: mainfile.php secure?

I believe that mainfile.php is also not read by spiders as the chmod 444 settings prevent it from being read. I may be mistaken so if someone knows for sure chime in please.

As far as robots.txt goes, I am still learning. Take a look at a question that I asked last night, some good information provided.

https://xoops.org/modules/newbb/viewtopic.php?topic_id=28450&forum=3

5
JMorris
Re: mainfile.php secure?
  • 2004/12/13 12:07


RE: mainfile.php

If you're paranoid about security, you may want to take a look at the Xoops Protector module. You'll need to do some mild hacking to install it, but it will protect the contents of the mainfile.php.

RE: Robots.txt

The default robots.txt file is fine the way it is for *most* installations. The only time you should ever have to change that file is if you install piCal or if you just don't want search engines to index certain areas of your site.

The reason you want to disallow access to piCal is because the spiders will eat up all your bandwidth searching through the calendar's internal links month by month. To disallow piCal, just add the following to robots.txt:

Disallow: /modules/piCal/

To disallow access to any other module on your site, use the same format, just replace piCal with the module name you wish to deny access to.

ex:
Disallow: /modules/newbb/

Hope this helps.

6
DonXoop
Re: mainfile.php secure?

The mainfile.php can't be read by a browser call (try it). It doesn't output anything. If someone gets access to the server or puts in a script that can read arbitrary files, you have problems.

If they do get the info then they still need access to the db server which should never be allowed from the internet anyway. It would likely be someone with access to your server which means you already have a bigger problem.

Besides all the other security ideas you can also prevent attempts at reading the file with a line in your server config or .htaccess file:
Quote:

<Files ~ "mainfile.php">
Order allow,deny
Deny from all
</Files>

7
danielh2o
Re: mainfile.php secure?
  • 2004/12/13 15:32


Quote:

JMorris wrote:
RE: mainfile.php

If you're paranoid about security, you may want to take a look at the Xoops Protector module. You'll need to do some mild hacking to install it, but it will protect the contents of the mainfile.php.



I installed this Protector module, but I cannot understand what it does. And what do I need to 'hack' to protect the content of mainfile.php?

Moreover, I don't know why I cannot register at peak.ne.jp, so I cannot ask them. I found other problems related to peak's module too!
https://xoops.org/modules/newbb/viewtopic.php?topic_id=28384&forum=28

8
danielh2o
Re: mainfile.php secure?
  • 2004/12/13 15:42



Quote:

DonXoop wrote:
The mainfile.php can't be read by a browser call (try it). It doesn't output anything. If someone gets access to the server or puts in a script that can read arbitrary files, you have problems.

If they do get the info then they still need access to the db server which should never be allowed from the internet anyway. It would likely be someone with access to your server which means you already have a bigger problem.

Besides all the other security ideas you can also prevent attempts at reading the file with a line in your server config or .htaccess file:
Quote:

<Files ~ "mainfile.php">
Order allow,deny
Deny from all
</Files>



In my case, I need to use phpMyAdmin from the browser to access the DB, so I am afraid someone (who can read sensitive info from mainfile.php) can get through this hole.

Do you mean putting a .htaccess file at root (with the following lines) can protect the file "mainfile.php"?
<Files ~ "mainfile.php">
Order allow,deny
Deny from all
</Files>

What is the meaning of:
1)Order allow,deny
2)Deny from all

9
JMorris
Re: mainfile.php secure?
  • 2004/12/13 15:59


Did you read the instructions? They are clearly stated on Peak's site and in the README. If you use Windows, you'll need to right-click on the included readme file and select open, when prompted, choose "Select the program from a list" and use either notepad or wordpad to open the file.

The problems you are having that you mentioned in the other thread have nothing to do with Protector. I gave you what help I could in the other thread. There is a ton of documentation on this site and the Documentation site on how to work with templates.

I cannot answer your question about registration at peak.ne.jp. I just registered with no problems. May I suggest emailing the Admin?

Quote:
What is the meaning of:
1)Order allow,deny
2)Deny from all


Order allow,deny = Apache webserver's rules for listing access permissions.

Deny from all = Nobody is allowed access.
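A defender-side check for the three things this thread has covered, jdseymour's chmod advice, DonXoop's <Files> deny rule and the "try it in a browser" test, written here as an added example rather than code from the thread or from XOOPS itself; it assumes the credential constant names XOOPS_DB_USER and XOOPS_DB_PASS, which the thread does not state.

```python
import re
import stat

# Assumed (not stated in the thread): XOOPS keeps its DB credentials in
# mainfile.php as PHP constants named like these.
SENSITIVE_MARKERS = ("XOOPS_DB_USER", "XOOPS_DB_PASS")

# Apache <Files> block; a "~" before the name means it is a regex (2.2 syntax).
FILES_BLOCK = re.compile(r'<Files\s+(~)?\s*"?([^"\s>]+)"?\s*>(.*?)</Files>', re.S | re.I)
DENY_ALL = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.M | re.I)
ALLOW_ANY = re.compile(r'^\s*Allow\s+from', re.M | re.I)


def audit_mode(mode: int) -> list:
    """Findings for the st_mode of mainfile.php: only the owner (or the web
    server's group) needs to read it, so anything wider is reported."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IROTH:  # chmod 444 still trips this on a shared host
        findings.append("world-readable")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable")
    return findings


def htaccess_denies(text: str, name: str = "mainfile.php") -> bool:
    """True if an .htaccess/vhost text has a <Files> block matching `name`
    that denies everyone (2.2 or 2.4 syntax) with no Allow exception inside."""
    for tilde, pattern, body in FILES_BLOCK.findall(text):
        matched = re.search(pattern, name) if tilde else pattern == name
        if matched and DENY_ALL.search(body) and not ALLOW_ANY.search(body):
            return True
    return False


def leaks_source(status: int, body: str) -> bool:
    """Judge a browser fetch of mainfile.php on your own site: 403 (the deny
    rule) or 200 with an empty body (PHP ran it and printed nothing) are fine;
    a 200 carrying PHP source or the credential constants means a leak."""
    if status != 200:
        return False
    return "<?php" in body or any(m in body for m in SENSITIVE_MARKERS)


# Constructed sample input: the exact block posted in the thread.
THREAD_HTACCESS = '<Files ~ "mainfile.php">\nOrder allow,deny\nDeny from all\n</Files>\n'

if __name__ == "__main__":
    print(audit_mode(0o100444), htaccess_denies(THREAD_HTACCESS), leaks_source(200, ""))
```

Feed audit_mode the st_mode from os.stat on your own mainfile.php, and leaks_source the status and body of a fetch of it from your own site.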

10
danielh2o
Re: mainfile.php secure?
  • 2004/12/13 16:23


Yes, I followed the README once it was installed.
I misunderstood that your quote:
You'll need to do some mild hacking to install it, but it will protect the contents of the mainfile.php.
was asking me to do some other (hack) before...

Moreover, I still don't understand HOW it can protect mainfile.php. Is it the lines for precheck that protect it? How? Do you know their logic?
