1
danielh2o
mainfile.php secure?
  • 2004/12/13 6:12

  • danielh2o

  • Just popping in

  • Posts: 47

  • Since: 2004/10/19


xoops root's mainfile.php hardcoded DB username & password for DB connection, but it is disclosing sensitive info.!

Only OS's file-system access right (e.g. chmod) to keep this file safe for outsider, is it really safe?!

Any security comments/suggestions about this?

Any alternatives?

2
jdseymour
Re: mainfile.php secure?

You want to make the file unreadable to prying eyes- chmod 444.

Also see this faq:

https://xoops.org/modules/smartfaq/faq.php?faqid=286

3
danielh2o
Re: mainfile.php secure?
  • 2004/12/13 8:29

  • danielh2o

  • Just popping in

  • Posts: 47

  • Since: 2004/10/19


Good doc!

And how about robot/spider on the net, What XOOPS files/directories should I DISALLOW (especially mainfile.php)??


Quote:

jdseymour wrote:
You want to make the file unreadable to prying eyes- chmod 444.

Also see this faq:

https://xoops.org/modules/smartfaq/faq.php?faqid=286

4
jdseymour
Re: mainfile.php secure?

I believe that mainfile.php is also not read by spiders as the chmod 444 settings prevent it from being read. I may be mistaken so if someone knows for sure chime in please.

As far as robots.txt goes, I am still learning. Take a look at a question that I asked last night, some good information provided.

https://xoops.org/modules/newbb/viewtopic.php?topic_id=28450&forum=3

5
JMorris
Re: mainfile.php secure?
  • 2004/12/13 12:07

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


RE: mainfile.php

If you're paranoid about sercurity, you may want to take a look at the Xoops Protector module. You'll need to do some mild hacking to install it, but it will protect the contents of the mainfile.php.

RE: Robots.txt

The default robots.txt file is fine the way it is for *most* installations. The only time you should ever have to chage that file is if you install piCal or if you just don't want search engines to index certain areas of your site.

The reason you want to disallow access to piCal is because the spiders will each up all your bandwidth searching through the calendars internal links month by month. To disallow piCal, just add the following to robots.txt:

Disallow: /modules/piCal/

To disallow access to any other module on your site, use the same format, just replace piCal with the module name you wish to deny access to.

ex:
Disallow: /modules/newbb/

Hope this helps.

6
DonXoop
Re: mainfile.php secure?

The mainfile.php can't be read by a browser call (try it). It doesn't output anything. If someone gets access to the server or puts in a script that can read arbitrary files you have problems.

If they do get the info then they still need access to the db server which should never be allowed from the internet anyway. It would likely be someone with access to your server which means you already have a bigger problem.

Besides all the other security ideas you can also prevent attempts at reading the file with a line in your server config or .htaccess file:
Quote:


Order allow,deny
Deny from all


7
danielh2o
Re: mainfile.php secure?
  • 2004/12/13 15:32

  • danielh2o

  • Just popping in

  • Posts: 47

  • Since: 2004/10/19


Quote:

JMorris wrote:
RE: mainfile.php

If you're paranoid about sercurity, you may want to take a look at the Xoops Protector module. You'll need to do some mild hacking to install it, but it will protect the contents of the mainfile.php.



Installed this Protector module, but I cannot understand what it does? But what I need to 'hack?' to protect the content of mainfile.php?

Moreover, don't know why I cannot register at peak.ne.jp, cannot ask them. I found another problems related to peak's module too!
https://xoops.org/modules/newbb/viewtopic.php?topic_id=28384&forum=28

8
danielh2o
Re: mainfile.php secure?
  • 2004/12/13 15:42

  • danielh2o

  • Just popping in

  • Posts: 47

  • Since: 2004/10/19


Quote:

DonXoop wrote:
The mainfile.php can't be read by a browser call (try it). It doesn't output anything. If someone gets access to the server or puts in a script that can read arbitrary files you have problems.

If they do get the info then they still need access to the db server which should never be allowed from the internet anyway. It would likely be someone with access to your server which means you already have a bigger problem.

Besides all the other security ideas you can also prevent attempts at reading the file with a line in your server config or .htaccess file:
Quote:


Order allow,deny
Deny from all




In my case, need to use phpMyadmin from browser to accerss DB, so I afraid someone (can read sensitive info. from mainfile.php) can get this hole.

Do you mean putting a .htaccess file at root (with following lines) can protect the file "mainfile.php"?

Order allow,deny
Deny from all


What is the meaning of:
1)Order allow,deny
2)Deny from all

9
JMorris
Re: mainfile.php secure?
  • 2004/12/13 15:59

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Did you read the instructions? They are clearly stated on Peak's site and in the README. If you use Windows, you'll need to right-click on the included readme file and select open, when prompted, choose "Select the program from a list" and use either notepad or wordpad to open the file.

The problems you are having that you mentioned in the other thread have nothing to do with Protector. I gave you what help I could in the other thread. There is a ton of documentation on this site and the Documentation site on how to work with templates.

I cannot answer your question about registration at peak.ne.jp. I just registered with no problems. May I suggest emailling the Admin?

Quote:
What is the meaning of:
1)Order allow,deny
2)Deny from all


Order allow,deny = Apache webserver's rules for listing access permissions.

Deny from all = Nobody is allowed access.

10
danielh2o
Re: mainfile.php secure?
  • 2004/12/13 16:23

  • danielh2o

  • Just popping in

  • Posts: 47

  • Since: 2004/10/19


Yes, I'd followed the README once installed.
I misunderstand that your Quote:
You'll need to do some mild hacking to install it, but it will protect the contents of the mainfile.php.
is asking me to do some other(hack) before...

Moreover, I still don't understand HOW it can protect mainfile.php, is it the lines for precheck does protect it, how? do you know their logic?

Login

Who's Online

322 user(s) are online (255 user(s) are browsing Support Forums)


Members: 0


Guests: 322


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits