Menu
▾
▴
[phpesp-dev] insecure phpesp.ini
|
From: James E. F. <jf...@ac...> - 2003-01-17 21:31:56
|
Initially my feeling was that phpESP should be installed somewhere outside of the web accessible part of your filesystem. This would ensure that phpESP.ini would not be compromised. However it seems many people can not understand how to do this, and many can not do so because they have to deal with open_basedir restrictions from their hosting service. In light of this, I am willing to change the extension. The change would be to rename phpESP.ini to phpESP.ini.php. I would like the developers to vote on this (-1/0/+1). This also brings up an important point about mysql security. If you are concerned about your database passwords, then I suggest you read the mysql manual on permissions. The mysql security model allows restricting access based on IP addresses, usename/password, database, and actions. My mysql server uses phpesp with the default password (phpesp), and it doesn't matter that I tell you that because the restrictions on hostnames, databases, and permissions on that account prevent anyone from doing damage. Anyone administering a mysql server should RTFM. -James ---------- Forwarded message ---------- Date: Fri, 17 Jan 2003 16:45:39 +0100 From: fl...@gm... Subject: Re: [phpesp-dev] themes when embedding hi and happy new year! i have a really unnice message: my server let open port 8080 an with that and misconfiguration all websurfer can look in my phpesp ini wich is bloody uncool! so there is the need to change is to ext.php! i think... when php crashes then it´s the only point to have a chance to look in a php file otherwise no! is there any chance to do is or do i have to change it by myself?....... (bad on upgardes) kind regards flobee |
