I think people must delete develop folder

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
mat100
Registered User
Posts: 40
Joined: Fri Nov 02, 2001 9:13 pm

Post by mat100 » Tue Jan 15, 2002 8:07 pm

I think people must delete develop folder, because some people can play with these files in order to damage the forums.

mk_jnr
Registered User
Posts: 170
Joined: Sat Sep 29, 2001 7:16 pm
Location: United Kingdom

Post by mk_jnr » Tue Jan 15, 2002 8:13 pm

hmm, good point...
mk_jnr
PHP Newbie:)

Pit
Security Consultant
Posts: 2056
Joined: Sat Oct 13, 2001 8:17 pm
Location: kµlt øƒ Ø™

Post by Pit » Tue Jan 15, 2002 8:14 pm

Hum, yeah, I know...now everyone else knows as well. :roll:
super fun rainbow colour sig

hsim
Registered User
Posts: 1554
Joined: Tue Oct 23, 2001 9:39 pm

Post by hsim » Tue Jan 15, 2002 8:15 pm

afaik, the develop/ folder is only included with the cvs. I've protected mine with .htaccess technology. Maybe some scr!pt kiddies outta there will now start breaking into/destroying phpBB2 cvs installations (if that's possible with the develop tools)
email me: hsim at gmx.li

Pit
Security Consultant
Posts: 2056
Joined: Sat Oct 13, 2001 8:17 pm
Location: kµlt øƒ Ø™

Post by Pit » Tue Jan 15, 2002 8:32 pm

The only one that can physically destroy data is password protected. The other one, I will not comment on, we all know what it is, especially scotshin.
super fun rainbow colour sig

hsim
Registered User
Posts: 1554
Joined: Tue Oct 23, 2001 9:39 pm

Post by hsim » Tue Jan 15, 2002 8:41 pm

urgh... benchmark :roll: 8O
email me: hsim at gmx.li

scotshin7
Registered User
Posts: 328
Joined: Thu Jul 19, 2001 2:08 am
Location: Somewhere in the space/time continuum

Post by scotshin7 » Tue Jan 15, 2002 11:11 pm

It's okay now, /develop/ is gone now, ask psoTFX or even put it into the url...
Richard S.: phpBB Groupie
Always Image Search before asking questions!

Pit
Security Consultant
Posts: 2056
Joined: Sat Oct 13, 2001 8:17 pm
Location: kµlt øƒ Ø™

Post by Pit » Tue Jan 15, 2002 11:14 pm

But is it out of CVS? And how many people will actually bother to check and delete files that are not in the repository each time?
super fun rainbow colour sig

scotshin7
Registered User
Posts: 328
Joined: Thu Jul 19, 2001 2:08 am
Location: Somewhere in the space/time continuum

Post by scotshin7 » Tue Jan 15, 2002 11:24 pm

And there's a MUCH more dangerous one - nuke_db.php!!!
Richard S.: phpBB Groupie
Always Image Search before asking questions!

Pit
Security Consultant
Posts: 2056
Joined: Sat Oct 13, 2001 8:17 pm
Location: kµlt øƒ Ø™

Post by Pit » Tue Jan 15, 2002 11:31 pm

Yes...that being the aforementioned password-requiring script.
super fun rainbow colour sig

mat100
Registered User
Posts: 40
Joined: Fri Nov 02, 2001 9:13 pm

Post by mat100 » Wed Jan 16, 2002 2:56 pm

And you have forgotten upgrade.php in the main directory. With it you can see all the email.. of the user and damage some tables...

SamG
Former Team Member
Posts: 3221
Joined: Fri Aug 31, 2001 6:35 pm
Location: Beautiful Northwest Lower Michigan
Name: Sam Graf

Post by SamG » Wed Jan 16, 2002 3:01 pm

But of course since we are all good boys and girls and pay attention to the path set before us by the developers, this stuff is essentially non-issue until final release. Hackers are going to have a harder time finding a test forum, and if they do find it, the loss is not great, and we do what it takes to secure our test.

It's the content and instructions included with the final release that we will need to be concerned about, yes?

ICMafia
Registered User
Posts: 114
Joined: Thu Dec 13, 2001 5:19 pm

Post by ICMafia » Wed Jan 16, 2002 5:46 pm

I use RC2 on a live site, only thing is when RC3 or final version comes out I'll play with the upgrade to make sure it all goes swimmingly well on my other site (test site) to make sure it will be painless
install.php
upgrade.php
upgrade_to_rc1.php
are all deleted, rc2 has no developer folder anyway, config.php is chmodded to 444 or 644 (forget) and I've htaccessed the admin folder. I think it's reasonably secure.
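
The checklist in the post above (leftover install/upgrade scripts, the develop folder, config.php permissions, a protected admin folder) can be checked with a short script. This is an added example, not part of the thread and not phpBB code; the function names, the sample tree and the whole-tree search for nuke_db.php are assumptions.

```shell
#!/bin/sh
# Added example, not phpBB code. File names come from the thread; searching
# the whole tree for nuke_db.php is an assumption about where it lives.
audit_phpbb() {
    root=$1
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # Installer, upgrade scripts and developer tools left in the web root.
    for f in develop install.php upgrade.php upgrade_to_rc1.php; do
        if [ -e "$root/$f" ]; then report "REMOVE $f"; fi
    done
    nuke=$(find "$root" -type f -name nuke_db.php)
    if [ -n "$nuke" ]; then report "REMOVE nuke_db.php: $nuke"; fi

    # config.php should not be writable by group or others (444 or 644).
    cfg="$root/config.php"
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \))" ]; then
        report "CHMOD config.php is group- or world-writable"
    fi

    # admin/ should carry an .htaccess that demands authentication.
    if [ -d "$root/admin" ] && ! grep -qiE '^[[:space:]]*Require[[:space:]]' \
            "$root/admin/.htaccess" 2>/dev/null; then
        report "PROTECT admin/ has no .htaccess with a Require directive"
    fi

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample tree resembling a pre-release checkout.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/develop" "$d/admin"
    : > "$d/develop/nuke_db.php"; : > "$d/upgrade.php"
    : > "$d/config.php"; chmod 666 "$d/config.php"
    echo "$d"
}

if [ "$#" -ge 1 ]; then
    audit_phpbb "$1"
else
    t=$(demo_tree); audit_phpbb "$t" || true; rm -rf "$t"
fi
```

Apache only honours the authentication directives in admin/.htaccess when the server configuration's AllowOverride includes AuthConfig, so confirm that the folder actually prompts for a password.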

Nuttzy99
Former Team Member
Posts: 4917
Joined: Fri Aug 03, 2001 7:09 am
Location: the 11th dimension

Post by Nuttzy99 » Wed Jan 16, 2002 6:06 pm

Could someone quote the lines they put in the .htaccess file for the admin folder. I know this is a lame request (b/c I should know this!!!) but I figured someone could do it real quick.

Thanks!
-Nuttzy :cool:
SpellingCow.com - Free spell check service for your forums or any web form!
No Support via PM please!

hsim
Registered User
Posts: 1554
Joined: Tue Oct 23, 2001 9:39 pm

Post by hsim » Wed Jan 16, 2002 6:22 pm

just for you :P

.htaccess

Code:

AuthType Basic
AuthName "not for ya"
AuthUserFile /path/to/my/.htpasswd
Require valid-user

email me: hsim at gmx.li
