security

rom · 02-24-2004, 10:02 AM

I wanted to confirm that I have set-up security correctly on my site. My server runs Apache on Linux, not safe-mode enabled.

1. I have used htaccess on the admin directory for PhpDig and on the PhpMyAdmin directory, but isn't it possible for an unauthorized user to get access to the user name and password in the connect.php and config.php files in the includes directory? I have set the Chmod on the includes directory to 755.

2. Also, the documentation for PhpDig says that: "Password protected sites can be indexed giving to the robot a username and valid password.
Be Careful ! This feature could permit to an unauthorized user reading protected informations. We recommend to create a specific instance of PhpDig, protected by the same credentials as the restricted site. You have to create a special account for the robot too." Does this mean that someone can obtain the user name and password for my PhpMyAdmin directory?

Thanks very much.

Charter · 02-28-2004, 04:21 PM

Hi. Let's assume that the server is secure and no files on your account have vulnerabilities. With these assumptions, there could be a remote possibility that a user on a shared account could access another account on the same machine, but this would depend on setup. The 777 permission of the includes directory is for using install.php, but once done, the directory can be 755 permission and install.php can be removed. The documentation refers to if you should happen to crawl a link like http://username:password@www.domain.com which would pass the userame and password in plain text.

02-24-2004, 10:02 AM	#1
rom Green Mole Join Date: Jan 2004 Posts: 25	security I wanted to confirm that I have set-up security correctly on my site. My server runs Apache on Linux, not safe-mode enabled. 1. I have used htaccess on the admin directory for PhpDig and on the PhpMyAdmin directory, but isn't it possible for an unauthorized user to get access to the user name and password in the connect.php and config.php files in the includes directory? I have set the Chmod on the includes directory to 755. 2. Also, the documentation for PhpDig says that: "Password protected sites can be indexed giving to the robot a username and valid password. Be Careful ! This feature could permit to an unauthorized user reading protected informations. We recommend to create a specific instance of PhpDig, protected by the same credentials as the restricted site. You have to create a special account for the robot too." Does this mean that someone can obtain the user name and password for my PhpMyAdmin directory? Thanks very much.

02-28-2004, 04:21 PM	#2
Charter Head Mole Join Date: May 2003 Posts: 2,539	Hi. Let's assume that the server is secure and no files on your account have vulnerabilities. With these assumptions, there could be a remote possibility that a user on a shared account could access another account on the same machine, but this would depend on setup. The 777 permission of the includes directory is for using install.php, but once done, the directory can be 755 permission and install.php can be removed. The documentation refers to if you should happen to crawl a link like http://username:password@www.domain.com which would pass the userame and password in plain text. __________________ Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Security issues	Niele	How-to Forum	1	04-25-2005 10:52 AM
Security Risk: allow_url_fopen = ON	Rolandks	Troubleshooting	0	10-07-2004 08:32 AM
got hacket, how? security hole?	Killersushi	Troubleshooting	2	07-12-2004 08:45 PM
How to solve :set_time_limit() has been disabled for security	netall	Troubleshooting	1	02-28-2004 05:12 PM
Newbie with a problem with the security code	Mayday	Troubleshooting	0	02-25-2004 04:27 PM