Register Members List Search Today's Posts Mark Forums Read

Reply
 
Article Options
A mere config.php encoding is useless
Milad
Join Date: May 2005
Posts: 663

Syro
by Milad Milad is offline 05 Jun 2006

Some developers say: "To protect yourself from hackers attacks, encode your config.php" and some other advices.

The mere encoding that is applied to config.php isn't enough.

Because if the hacker has the ability to (create or edit) and excute php files on your filesystem, he would be able to read your config.php variables even if config.php is encoded.

This is very simple and powerful script, it reads your encoded config.php, treats the $config array, and dissplays the variables in nice table.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

The output will be like this:


This doesn't mean that vBulletin is insecure, this can be applied to any script.

The solution is at your host, so choose an excellent host.

Don't forget to protect your directories.

Last edited by Milad; 05 Jun 2006 at 16:38..
Views: 3105
Reply With Quote
Comments
  #2  
Old 05 Jun 2006, 16:43
Hellcat Hellcat is offline
 
Join Date: May 2003
Real name: Michael
Originally Posted by Milad
Because if the hacker has the ability to (create or edit) and excute php files on your filesystem, [...]
....you have a problem anyway!

Noone should be able to create random files on your filesystem in the first place.
This can only be done via pretty unsecure uploading scripts or such....
Always be carfull with those!
__________________
<?php eval('$post["signature"] = "' . fetch_template('hellcats_sig') . '";'); ?>

Check this:
[ WMail - vBulletin WebMailer || PM-Auto-Reply || Countdown-Timer for signature ] * [ more ]
[ Realtime Page Compressor || The allmighty IRC /me action ]
Reply With Quote
  #3  
Old 05 Jun 2006, 18:33
HaMaDa4eVeR's Avatar
HaMaDa4eVeR HaMaDa4eVeR is offline
 
Join Date: Jun 2004
Real name: Mohammed
Originally Posted by Milad

The solution is at your host, so choose an excellent host.

Don't forget to protect your directories.
you're right you can easly print the value of config file

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

and you will get the name of db.

but happience if you change the name of the variable $config,
rename $config['Database']['dbname']; to $myconfig['Database']['dbname'];
and change the class files

but what's the solution !!!

by anther meaning, what do you meant "excellent host",
explain more if you can

thanks

Last edited by HaMaDa4eVeR; 05 Jun 2006 at 18:36.
Reply With Quote
  #4  
Old 06 Jun 2006, 11:36
Milad's Avatar
Milad Milad is offline
 
Join Date: May 2005
Real name: Milad
Hellcat said : "This can only be done via pretty unsecure uploading scripts or such...."

And if your host is not profissional, you will face some problems with him.

A friend of mine, had givem me my config.php, and I was confused about this, I don't have any upload script on my site but ecdownloads only, and it's secure.

I don't allow members to upload files at risk rates.

He could to create files in my active 777 directories.

So I moved to a new host. and protected my active 777 directories.

Thanks
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Article Options

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 05:04.

Layout Options | Width: Wide Color: