Hi List,
I found the config.lib.php file under the config directory with 644 permissions ( -rw-r--r-- 1 root root 4319 Aug 16 16:04 config.lib.php ). That means it is world-readable, and it contains the MySQL user's password in clear text under "C_DB_PASS". Is it a security hole, or is it perfectly fine? Please guide.
Thanks,
Nimesh
Hi Ciprian,
Thanks for the reply. Well, I used the std version. I want to implement the plus version now, but I really don't understand how to configure it. I could not find setup.php under the directory after unzipping it. Also, the chat directory doesn't contain the necessary stuff; everything is scattered in a root directory called 'plus'. Also, I don't understand which version I should use, phpMyChat-Plus_1.90_fixed_070414 or phpMyChat-Plus_1.90_fixed_060917. Also, the fixes provided are confusing: should they be implemented after extracting the zip files? Any help would be highly appreciated.
Thanks,
Nimesh
Well, there is an install folder in the main archive (phpMyChat-Plus_1.90_070414) - read the Instructions.txt file included in that folder. The docs folder also contains some documentation.
The archives you downloaded contain only the patched files, for those running a previous version. You won't need them if you get the latest full pack from the same download page.
For further help you can contact me on YM (ciprianmp).
Hope this helps,
Ciprian Murariu.
As far as I tried, I couldn't retrieve anything out of the config.lib.php content. It is protected by an .htaccess file, as well as several indexes that redirect. It shouldn't be readable from a remote address.
Please take your time and knowledge and try to get a word out of that file. If you/anyone else succeeds, please let me know asap.
Thanks.
Ciprian M.
PS: I checked that on both versions, don't know if you're using std or plus.
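
An added example, not part of the thread and not phpMyChat code: a shell check for the two exposures discussed above, local read access from the 644 mode and web access guarded by .htaccess. The function names, the constructed sample file and the assumption that the .htaccess protection is a `Deny from all` or `Require all denied` directive are assumptions of this example.

```shell
#!/bin/sh
# Added example, not phpMyChat code. Audits a credentials file for the two
# exposures discussed in the thread: local read access and web access.

# Print the "other" permission triplet from ls -l output, e.g. "r--".
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# audit_config FILE: print findings; return 0 if clean, 1 if anything is flagged.
audit_config() {
    file=$1
    dir=$(dirname "$file")
    flag=0

    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    # Local exposure: every account on the host can read the password.
    if grep -q 'C_DB_PASS' "$file"; then
        case $(other_perms "$file") in
            r*) echo "WORLD_READABLE $file"; flag=1 ;;
        esac
    fi

    # Remote exposure: .htaccess helps only if it exists and denies access.
    # Assumption: protection is expressed with one of these Apache directives.
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "NO_HTACCESS $dir"; flag=1
    elif ! grep -Eiq '^[[:space:]]*(deny from all|require all denied)' "$ht"; then
        echo "HTACCESS_NO_DENY $ht"; flag=1
    fi

    if [ "$flag" -eq 0 ]; then echo "OK $file"; fi
    return "$flag"
}

# Constructed sample (layout is assumed): placeholder password, mode 644 then 640.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '<?php' 'define("C_DB_PASS", "placeholder-not-real");' > "$d/config.lib.php"
    printf '%s\n' 'Deny from all' > "$d/.htaccess"
    chmod 644 "$d/config.lib.php"; audit_config "$d/config.lib.php" || true
    chmod 640 "$d/config.lib.php"; audit_config "$d/config.lib.php" || true
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; elif [ $# -gt 0 ]; then audit_config "$1"; fi
```

With mode 640 the file still has to be readable by the account PHP runs as, so the owner or group must match the web server's user.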