PDA

View Full Version : A mere config.php encoding is useless


Milad
05 Jun 2006, 15:33
Some developers say: "To protect yourself from hackers attacks, encode your config.php" and some other advices.

The mere encoding that is applied to config.php isn't enough.

Because if the hacker has the ability to (create or edit) and excute php files on your filesystem, he would be able to read your config.php variables even if config.php is encoded.

This is very simple and powerful script, it reads your encoded config.php, treats the $config array, and dissplays the variables in nice table.

// HERE IS THE PATH TO CONFIG.PHP
include('./354/includes/config.php');

echo '<table cellspacing="0" cellpadding="3" align="center" width="500" style="background: #D1D1E1; color: #000000; border: 1px solid #0B198C;">';

foreach ($config as $key => $value)
{
echo '<tr><td colspan="2" align="center" style="background: #5C7099; color: #FFFFFF; font: bold 10pt verdana, geneva;">' . $key . '</td></tr>';

foreach ($value as $key2 => $value2)
{
echo '<tr><td width="50%" style="background: #E1E4F2; color: #000000;">' . $key2 . '</td><td width="50%" style="background: #F5F5FF; color: #000000;">' . ($value2 ? $value2 : '&nbsp;') . '</td></tr>';
}
}

echo '</table>';

The output will be like this:

48895

This doesn't mean that vBulletin is insecure, this can be applied to any script.

The solution is at your host, so choose an excellent host.

Don't forget to protect your directories.

Hellcat
05 Jun 2006, 15:43
Because if the hacker has the ability to (create or edit) and excute php files on your filesystem, [...]
....you have a problem anyway!

Noone should be able to create random files on your filesystem in the first place.
This can only be done via pretty unsecure uploading scripts or such....
Always be carfull with those!

HaMaDa4eVeR
05 Jun 2006, 17:33
The solution is at your host, so choose an excellent host.

Don't forget to protect your directories.

you're right you can easly print the value of config file
echo $config['Database']['dbname'];
and you will get the name of db.

but happience if you change the name of the variable $config,
rename $config['Database']['dbname']; to $myconfig['Database']['dbname'];
and change the class files
but what's the solution !!!

by anther meaning, what do you meant "excellent host",
explain more if you can

thanks :)

Milad
06 Jun 2006, 10:36
Hellcat said : "This can only be done via pretty unsecure uploading scripts or such...."

And if your host is not profissional, you will face some problems with him.

A friend of mine, had givem me my config.php, and I was confused about this, I don't have any upload script on my site but ecdownloads only, and it's secure.

I don't allow members to upload files at risk rates.

He could to create files in my active 777 directories.

So I moved to a new host. and protected my active 777 directories.

Thanks :)