From: p d. t. <pdo...@an...> - 2003-05-17 21:39:36
> I've discovered something. Even with 640 permissions, that admins file is
> browseable. If someone points their browser to
> http://mydomain.com/squirrel/plugins/administrator/admins, the contents of
> that file are readable. That seems insecure for anyone to have outside
> access to read that file and learn the entry that enables Administrator
> access.
>
> Is there a way to change path names to allow the admins file to be moved to
> somewhere outside of the web tree (outside the public_html directory)? It's
> recommended that the data directory and attachments directory are placed
> outside of the web tree, so I would think the same advice would apply to the
> admins file. Yes? No? How do I enable that?

Mmmm. Yes. If it were a PHP file, you wouldn't see anything, but... to simplify the file's placement, you might simply want to place it in a subdirectory of that plugin, and also include a .htaccess file in that directory with "Deny from All" in it, assuming you are using Apache. The tricky part is finding the code to modify in the plugin. I haven't messed around with that plugin at all, but a quick grep tells me that you should at least make these changes... oh wait! It looks like the plugin supports the placement of that file in the config directory. So I suggest you put it there instead and also put a .htaccess file in that directory... perhaps that'll do the job.

cheers,
paul
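An added audit helper (not part of the list post or of SquirrelMail) that checks the two conditions discussed above for a file like the administrator plugin's `admins` file: whether it sits under the Apache document root at all, and if so whether a `.htaccess` between it and the document root denies web access. The document root and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not SquirrelMail code: classify whether a sensitive file such
# as plugins/administrator/admins can be fetched through the web server.
# Assumes Apache honours .htaccess here (AllowOverride must permit it).

# htaccess_denies DIR : succeeds if DIR/.htaccess contains a deny-all directive
# (Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied").
htaccess_denies() {
    [ -f "$1/.htaccess" ] || return 1
    grep -iqE '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$1/.htaccess"
}

# admins_status DOCROOT FILE : prints one of
#   missing  - FILE does not exist
#   outside  - FILE is not under DOCROOT, so Apache cannot serve it
#   denied   - FILE is under DOCROOT but a .htaccess on the path denies access
#   exposed  - FILE is under DOCROOT with no deny-all .htaccess on the path
admins_status() {
    docroot=$(cd "$1" && pwd -P) || return 1
    [ -f "$2" ] || { echo missing; return 0; }
    dir=$(cd "$(dirname "$2")" && pwd -P)
    case "$dir/" in
        "$docroot"/*) ;;
        *) echo outside; return 0 ;;
    esac
    # Walk from the file's directory up to the document root; any deny-all
    # .htaccess on the way covers the file.
    while :; do
        if htaccess_denies "$dir"; then echo denied; return 0; fi
        [ "$dir" = "$docroot" ] && break
        dir=$(dirname "$dir")
    done
    echo exposed
}

# Constructed demo layout (not a real install): the plugin's default location
# versus a copy in config/ guarded by a "Deny from All" .htaccess.
demo=$(mktemp -d)
mkdir -p "$demo/www/squirrel/plugins/administrator" "$demo/www/squirrel/config"
echo 'admin' > "$demo/www/squirrel/plugins/administrator/admins"
echo 'admin' > "$demo/www/squirrel/config/admins"
echo 'Deny from All' > "$demo/www/squirrel/config/.htaccess"
for f in plugins/administrator/admins config/admins; do
    printf '%s: %s\n' "$f" "$(admins_status "$demo/www" "$demo/www/squirrel/$f")"
done
rm -rf "$demo"
```

A `denied` result only means Apache will not serve the file directly; it says nothing about other web servers or about PHP code that reads the file, so moving it outside the web tree remains the stronger option.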