I think people must delete develop folder

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
ICMafia
Registered User
Posts: 114
Joined: Thu Dec 13, 2001 5:19 pm

Post by ICMafia » Wed Jan 16, 2002 7:03 pm

Code:

<Limit GET>
order deny,allow
deny from all
allow from 0.0.0.0
</Limit>
where 0.0.0.0 is your IP or DNS. I do away with silly passwords, only if they share my IP can they get on!!!
It helps if you have an ISP whose DNS is uncommon OR if you have a fixed IP. Used in conjunction with .htpasswd it's very very secure. Oh, chmod .htaccess at like 444 as well!!!!

tanis
Registered User
Posts: 66
Joined: Fri Aug 10, 2001 1:20 pm
Location: Bergamo, Italy

Post by tanis » Wed Jan 16, 2002 7:17 pm

ICMafia wrote: are all deleted, rc2 has no develop folder anyway, config.php is chmodded to 444 or 644 (forget) and I've htaccessed the admin folder. I think it's reasonably secure.


444 is readable by everyone.. so anyone who has an account on your machine can read your database login and password. I'd rather chown config.php to the owner of the apache process and make it 400.

ICMafia
Registered User
Posts: 114
Joined: Thu Dec 13, 2001 5:19 pm

Post by ICMafia » Wed Jan 16, 2002 7:38 pm

400 gives me a 403 error
404 works though!

ICMafia
Registered User
Posts: 114
Joined: Thu Dec 13, 2001 5:19 pm

Post by ICMafia » Wed Jan 16, 2002 7:43 pm

grr
config.php is fine with 400
but .htaccess needs to be 404

Anyway I think it's secure!!!

tanis
Registered User
Posts: 66
Joined: Fri Aug 10, 2001 1:20 pm
Location: Bergamo, Italy

Post by tanis » Wed Jan 16, 2002 7:45 pm

Why should .htaccess be 404?? It should be fine with 400.

hsim
Registered User
Posts: 1554
Joined: Tue Oct 23, 2001 9:39 pm

Post by hsim » Wed Jan 16, 2002 9:32 pm

maybe because Apache needs to read it and it is running as nobody :) but hey, unless you build security holes into your scripts, Apache should protect your .ht* documents from being read
email me: hsim at gmx.li

tanis
Registered User
Posts: 66
Joined: Fri Aug 10, 2001 1:20 pm
Location: Bergamo, Italy

Post by tanis » Wed Jan 16, 2002 9:41 pm

wouldn't it be better to chown the file to nobody and make it accessible in read mode by that user only?
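
The mode discussion above (444, 400, 404), as an added example that is not part of any post in the thread: a shell audit that reads a file's mode and owner and reports whether every local account can read it and whether a given web-server account still can. The function name `audit_secret_file` is hypothetical, and GNU or BusyBox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU or BusyBox stat (stat -c).

# audit_secret_file FILE SERVER_USER   (SERVER_USER: account name or numeric uid)
# Prints one verdict:
#   world-readable     every local account can read FILE
#   server-locked-out  SERVER_USER has no read bit (the web server answers 403)
#   ok                 SERVER_USER can read FILE, "other" cannot
audit_secret_file() {
    file=$1 server_user=$2
    [ -e "$file" ] || { echo missing; return 0; }
    set -- $(stat -c '%a %u %g' "$file")
    mode=$((0$1)) fuid=$2 fgid=$3          # leading 0: parse the mode as octal
    suid=$(id -u "$server_user" 2>/dev/null || echo "$server_user")
    sgids=$(id -G "$server_user" 2>/dev/null || true)

    # The kernel consults exactly one class: owner, else group, else other.
    if [ "$suid" = "$fuid" ]; then
        bit=$(( mode & 0400 ))
    else
        bit=$(( mode & 0004 ))
        for g in $sgids; do
            if [ "$g" = "$fgid" ]; then bit=$(( mode & 0040 )); fi
        done
    fi

    if [ $(( mode & 0004 )) -ne 0 ]; then
        echo world-readable
    elif [ "$bit" -eq 0 ]; then
        echo server-locked-out
    else
        echo ok
    fi
}

# Constructed demo: the three modes from the thread, judged for the file's
# owner and for a different account (owner uid + 1).
demo=$(mktemp)
owner=$(stat -c %u "$demo")
for m in 444 400 404; do
    chmod "$m" "$demo"
    echo "$m owner=$(audit_secret_file "$demo" "$owner")" \
         "non-owner=$(audit_secret_file "$demo" "$((owner + 1))")"
done
rm -f "$demo"
```

Mode 404 clears the 403 only because it sets the "other" read bit, which is the same bit that makes 444 readable by every account on the machine.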

ICMafia
Registered User
Posts: 114
Joined: Thu Dec 13, 2001 5:19 pm

Post by ICMafia » Thu Jan 17, 2002 12:16 pm

anyway protecting config.php further
surely the config file could be moved to a new directory "locked" which can be fully htaccessed .. if so how many files would need adjusting to make sure the board still worked?

SHS`
Former Team Member
Posts: 6615
Joined: Wed Jul 04, 2001 9:13 am
Location: Yellow Beach, Nine Dragons, Hong Kong
Name: Jonathan Stanley

Post by SHS` » Thu Jan 17, 2002 1:15 pm

ICMafia wrote: anyway protecting config.php further
surely the config file could be moved to a new directory "locked" which can be fully htaccessed .. if so how many files would need adjusting to make sure the board still worked?


Why not move it outside of the webroot completely?? Shouldn't be too difficult as any real text editor will be able to do mass search&replace. It's just making sure everything worked afterwards. ;)

Total number of files that'll need to be modified will/should be total PHP files minus config.php minus /includes/*.php.
Jonathan “SHS`” Stanley • 史德信

ICMafia
Registered User
Posts: 114
Joined: Thu Dec 13, 2001 5:19 pm

Post by ICMafia » Thu Jan 17, 2002 1:54 pm

Only one file needs amending common.php

@include($phpbb_root_path . 'config.'.$phpEx);

that line
so to put it in a "hidden" folder edit it to this:

@include($phpbb_root_path . 'hidden/config.'.$phpEx);

not sure how to edit it to put it in root of site OR some non-web-accessible folder

tanis
Registered User
Posts: 66
Joined: Fri Aug 10, 2001 1:20 pm
Location: Bergamo, Italy

Post by tanis » Thu Jan 17, 2002 2:59 pm

Code:

@include('/home/myuser/config.'.$phpEx); // absolute path, so $phpbb_root_path is not prepended
could be ok. It all depends on the configuration of the machine you're using.. if your files are in htdocs/phpBB2, you can call it through "../../cfgfiles/config.php" for example.
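
The relocation discussed above, as an added example that is not part of the thread: a shell check that resolves a config path the way a relative include from the board directory would, and reports whether the file still lies under the document root. The helper names `canon` and `config_location` and the directory layout are assumptions built from the paths mentioned in the posts.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not from the thread.

# canon DIR: print DIR with symlinks and ".." components resolved.
canon() { ( cd "$1" 2>/dev/null && pwd -P ); }

# config_location BOARD_DIR PATH DOCROOT
# Prints "inside", "outside" or "missing".
config_location() {
    board=$1 rel=$2 docroot=$3
    case $rel in
        /*) target=$rel ;;             # absolute path: used as is
        *)  target=$board/$rel ;;      # relative path: resolved from the board dir
    esac
    dir=$(canon "$(dirname "$target")") || { echo missing; return 0; }
    root=$(canon "$docroot")            || { echo missing; return 0; }
    [ -f "$dir/$(basename "$target")" ] || { echo missing; return 0; }
    # Compare with a trailing slash so a sibling such as htdocs-old is not
    # mistaken for a path under htdocs.
    case $dir/ in
        "$root"/*) echo inside ;;
        *)         echo outside ;;
    esac
}

# Constructed layout: htdocs/phpBB2 is the board, cfgfiles sits beside htdocs.
top=$(mktemp -d)
mkdir -p "$top/htdocs/phpBB2/hidden" "$top/cfgfiles" "$top/htdocs-old"
touch "$top/htdocs/phpBB2/hidden/config.php" \
      "$top/cfgfiles/config.php" "$top/htdocs-old/config.php"
for rel in hidden/config.php ../../cfgfiles/config.php ../../htdocs-old/config.php; do
    echo "$rel -> $(config_location "$top/htdocs/phpBB2" "$rel" "$top/htdocs")"
done
rm -rf "$top"
```

A "hidden" subfolder still resolves inside the document root, so it relies entirely on .htaccess; only the `../../cfgfiles` location is out of reach of a direct web request.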

mat100
Registered User
Posts: 40
Joined: Fri Nov 02, 2001 9:13 pm

Post by mat100 » Thu Jan 17, 2002 6:55 pm

look at http://hacks.phpbb.com/forums , some seem to have been playing with upgrade.php

Nuttzy99
Former Team Member
Posts: 4917
Joined: Fri Aug 03, 2001 7:09 am
Location: the 11th dimension

Post by Nuttzy99 » Sun Jan 20, 2002 6:07 pm

Thanks for the .htaccess help!!!

-Nuttzy :cool:
SpellingCow.com - Free spell check service for your forums or any web form!
No Support via PM please!
