From: <fl...@gm...> - 2003-01-18 19:36:59
That access was allowed on my problem with my ISP! That's why I report it to be changed.

----- Original Message -----
From: "Moshe Weitzman" <wei...@te...>
To: <php...@li...>
Sent: Saturday, January 18, 2003 5:20 PM
Subject: Re: [phpesp-dev] insecure phpesp.ini

Another open source project I know (Drupal) keeps their ini file in the web accessible directory but blocks it via an .htaccess rule. Here is the rule:

    # Protect files and directories from prying eyes:
    <Files ~ "(\.(conf|inc|module|pl|sh|sql|theme)|Entries|Repositories|Root|scripts|updates)$">
      order deny,allow
      deny from all
    </Files>

Users of non-Apache web servers are warned of risks.

Christopher Zorn wrote:
> -1 for me. I think it should stay in a non-web-accessible directory.
>
> On Fri, Jan 17, 2003 at 04:31:54PM -0500, James E. Flemer wrote:
>
>> Initially my feeling was that phpESP should be installed somewhere outside of the web accessible part of your filesystem. This would ensure that phpESP.ini would not be compromised. However it seems many people can not understand how to do this, and many can not do so because they have to deal with open_basedir restrictions from their hosting service. In light of this, I am willing to change the extension. The change would be to rename phpESP.ini to phpESP.ini.php. I would like the developers to vote on this (-1/0/+1).
>>
>> This also brings up an important point about mysql security. If you are concerned about your database passwords, then I suggest you read the mysql manual on permissions. The mysql security model allows restricting access based on IP addresses, username/password, database, and actions. My mysql server uses phpesp with the default password (phpesp), and it doesn't matter that I tell you that because the restrictions on hostnames, databases, and permissions on that account prevent anyone from doing damage. Anyone administering a mysql server should RTFM.
>>
>> -James
>>
>> ---------- Forwarded message ----------
>> Date: Fri, 17 Jan 2003 16:45:39 +0100
>> From: fl...@gm...
>> Subject: Re: [phpesp-dev] themes when embedding
>>
>> Hi and happy new year!
>>
>> I have a really unnice message: my server left port 8080 open, and with that and a misconfiguration all web surfers can look in my phpesp ini, which is bloody uncool!
>> So there is the need to change it to ext.php! I think... When PHP crashes, then it's the only point to have a chance to look in a PHP file, otherwise no!
>> Is there any chance to do it, or do I have to change it by myself?....... (bad on upgrades)
>>
>> Kind regards, flobee
>>
>> -------------------------------------------------------
>> This SF.NET email is sponsored by: Thawte.com - A 128-bit supercerts will allow you to extend the highest allowed 128 bit encryption to all your clients even if they use browsers that are limited to 40 bit encryption.
>> Get a guide here: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0030en
>> _______________________________________________
>> phpESP-devel mailing list
>> php...@li...
>> https://lists.sourceforge.net/lists/listinfo/phpesp-devel
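As an added example (not code from the thread, from phpESP, or from Drupal), the following Python script applies the `<Files ~ "...">` regex quoted in Moshe Weitzman's message to a constructed list of file names the way Apache does, against the basename only. It shows the check a practitioner would want before relying on that rule for phpESP: the pattern as quoted has no `ini` alternative, so phpESP.ini would still be served. The second pattern, with `ini` added, is an assumption of this example, as is the sample directory listing.

```python
"""Check which webroot file names the quoted Drupal <Files ~ "..."> rule denies.

Added example; not phpESP or Drupal code. Apache matches a <Files ~> regex
against the file's basename, which is all this script reproduces.
"""
import re

# The pattern exactly as quoted in the thread (Drupal's .htaccess rule).
DRUPAL_PATTERN = (
    r"(\.(conf|inc|module|pl|sh|sql|theme)|Entries|Repositories|Root|scripts|updates)$"
)

# Hardened variant (an assumption for this example, not from the page): the
# same rule with the ini extension that phpESP.ini actually uses.
HARDENED_PATTERN = (
    r"(\.(conf|inc|ini|module|pl|sh|sql|theme)|Entries|Repositories|Root|scripts|updates)$"
)

# Constructed sample directory listing, not taken from the page.
SAMPLE_FILES = [
    "index.php",
    "phpESP.ini",
    "phpESP.ini.php",
    "config.inc",
    "schema.sql",
    "CVS/Entries",
    "theme.css",
]


def denied(filename: str, pattern: str = DRUPAL_PATTERN) -> bool:
    """True if Apache would answer 403 for this path under the given rule.

    Only the basename is matched, as with a <Files> container.
    """
    basename = filename.rsplit("/", 1)[-1]
    return re.search(pattern, basename) is not None


def classify(files, pattern: str = DRUPAL_PATTERN) -> dict:
    """Map each file name to whether the rule denies it."""
    return {name: denied(name, pattern) for name in files}


if __name__ == "__main__":
    for label, pattern in (("Drupal rule as quoted", DRUPAL_PATTERN),
                           ("with ini added", HARDENED_PATTERN)):
        print(label)
        for name, blocked in classify(SAMPLE_FILES, pattern).items():
            print(f"  {'DENY ' if blocked else 'serve'} {name}")
```

Note that phpESP.ini.php is served under both patterns; the rename discussed in the thread relies on a different mechanism, namely Apache handing the file to the PHP interpreter instead of sending it raw. That only hides the contents if the file starts with PHP code, because PHP emits any text outside `<?php ... ?>` tags verbatim; the usual guard, a first line such as `;<?php die(); ?>` (a comment to the ini parser), is a general PHP practice and not something the thread or phpESP specifies.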