How to disable creating cache/data_global.php

END OF SUPPORT: 1 January 2017 (announcement)
Durbatuluk
Registered User
Posts: 106
Joined: Thu Dec 29, 2005 8:22 pm

How to disable creating cache/data_global.php

Post by Durbatuluk » Mon Feb 25, 2013 6:35 pm

Hello,
It just came to my notice that there is this file being created somehow automatically, with important passwords, for example to the main email account of the forum. Is there a way to disable it? Why is this file being created in the first place?

Having phpBB 3.0.11 on Linux

Oyabun1
Former Team Member
Posts: 23162
Joined: Sun May 17, 2009 1:05 pm
Location: Australia
Name: Bill

Re: How to disable creating cache/data_global.php

Post by Oyabun1 » Mon Feb 25, 2013 10:00 pm

Durbatuluk wrote:Is there a way how to disable it?
No
Durbatuluk wrote:Why is this file creating itself in the first place?
It's a cache of frequently accessed data. If the data wasn't cached it would greatly increase the number and frequency of database queries, slowing access, and possibly leading to problems from increased database load.

Unless something is seriously wrong with the security on your server the file cannot be accessed directly. Try navigating to it with your web browser; you should get a 403 Access forbidden response.

Oyabun1
Former Team Member
Posts: 23162
Joined: Sun May 17, 2009 1:05 pm
Location: Australia
Name: Bill

Re: How to disable creating cache/data_global.php

Post by Oyabun1 » Mon Feb 25, 2013 10:18 pm

Actually, you can disable data_global.php being created, but as mentioned it will increase the load on your board and isn't necessary for security.

Open /config.php

Find

$acm_type = 'file';

Replace with

$acm_type = 'null';
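The checks suggested in the replies above (cache/ refused over HTTP, the credential-bearing files not readable by other local accounts, and which cache backend config.php selects), as an added example that is not part of the original thread or phpBB's own code. It assumes a Linux host with GNU stat and an Apache-style cache/.htaccess; `audit_phpbb`, `world_accessible` and `make_sample_board` are names made up for this example, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not phpBB code): audit a phpBB 3.0.x directory for the exposure
# discussed in this thread. Assumes Linux (GNU stat) and Apache-style .htaccess.

# True when "other" users hold any permission bit on the file.
world_accessible() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 07 )) -ne 0 ]
}

# Prints one finding per line; returns 0 when nothing is flagged, 1 otherwise.
audit_phpbb() {
    root=$1
    findings=0
    # config.php holds the database credentials, cache/*.php the cached settings.
    for f in "$root/config.php" "$root"/cache/*.php; do
        [ -f "$f" ] || continue
        if world_accessible "$f"; then
            echo "PERM: $f is accessible to other local users"
            findings=$((findings + 1))
        fi
    done
    # Direct HTTP requests into cache/ should be refused with a 403.
    ht="$root/cache/.htaccess"
    if ! [ -f "$ht" ] || ! grep -Eiq 'deny from all|require all denied' "$ht"; then
        echo "WEB: $ht has no deny rule; cache/ may be served over HTTP"
        findings=$((findings + 1))
    fi
    # Report the configured cache backend ('file' writes cache/data_global.php).
    acm=$(sed -n "s/^[[:space:]]*\$acm_type[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
        "$root/config.php" 2>/dev/null) || acm=
    echo "INFO: acm_type=${acm:-unknown}"
    [ "$findings" -eq 0 ]
}

# Constructed sample tree for trying the audit offline (not a real board).
make_sample_board() {
    d=$(mktemp -d) || return 1
    mkdir "$d/cache"
    printf "<?php\n\$acm_type = 'file';\n" > "$d/config.php"
    printf '<?php /* constructed cache entry */\n' > "$d/cache/data_global.php"
    chmod 644 "$d/config.php"
    chmod 600 "$d/cache/data_global.php"
    echo "$d"
}
```

Run `audit_phpbb` against the board's root directory; a PERM or WEB line points at a file-permission or web-server configuration issue rather than at the cache mechanism itself.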

AmigoJack
Registered User
Posts: 5604
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: How to disable creating cache/data_global.php

Post by AmigoJack » Tue Feb 26, 2013 8:19 am

Durbatuluk wrote:... there is this file ... with important passwords ...
That would also be /config.php - how do you plan on "securing" that?
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

Durbatuluk
Registered User
Posts: 106
Joined: Thu Dec 29, 2005 8:22 pm

Re: How to disable creating cache/data_global.php

Post by Durbatuluk » Tue Feb 26, 2013 9:25 am

If anyone is somehow able to run his own PHP script/code on any server (which is currently an open-source application problem due to security bugs), this file can be easily read no matter the attributes (0600). And if this information is stored in the database, then just get access to it (i.e. read access data stored somewhere in the configuration), and the data as well. No, a combination of open source applications and storage accesses in a readable form is not really safe. So is there any way to change that? Even in config.php?

User avatar
Oyabun1
Former Team Member
Posts: 23162
Joined: Sun May 17, 2009 1:05 pm
Location: Australia
Name: Bill

Re: How to disable creating cache/data_global.php

Post by Oyabun1 » Tue Feb 26, 2013 9:50 am

If someone gains access to your server it wouldn't matter whether passwords were visible or not, they could just add scripts or modify existing scripts to gain access to the database because the phpBB code base needs to be able to connect to the database to function. They could in a similar way do whatever else they wanted on your server.

However, phpBB3 has never had a successful security breach, and is used by millions of people, so you may be worrying unnecessarily.

Durbatuluk
Registered User
Posts: 106
Joined: Thu Dec 29, 2005 8:22 pm

Re: How to disable creating cache/data_global.php

Post by Durbatuluk » Tue Feb 26, 2013 10:19 am

The phpBB system is the only thing on my server and still the attacker was able to get the access information on my email account which is set in phpBB forum settings, and when I look at the system files I see the file cache/data_global.php containing the password to my email which I never created, so that is why I was shocked in the first place that this information is somewhere provided/created in readable/text form and wondered why the hell ...

AmigoJack
Registered User
Posts: 5604
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: How to disable creating cache/data_global.php

Post by AmigoJack » Tue Feb 26, 2013 10:37 am

Durbatuluk wrote:the only thing on my server
Implying "server" is no combination of HTTP and DBMS and an operating system software which may have security holes.
Durbatuluk wrote:access information on my email account
  1. Is your e-mail address only known to the phpBB installation?
  2. Do you use a unique password or do you use the same password elsewhere?

Durbatuluk
Registered User
Posts: 106
Joined: Thu Dec 29, 2005 8:22 pm

Re: How to disable creating cache/data_global.php

Post by Durbatuluk » Tue Feb 26, 2013 11:10 am

Password is only known to the phpBB installation ... unique password only used there in this particular email address. I own a Linux-based Ubuntu server with the latest Apache, PHP and MySQL.

AmigoJack
Registered User
Posts: 5604
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: How to disable creating cache/data_global.php

Post by AmigoJack » Tue Feb 26, 2013 11:29 am

Have you checked FTP logon logs? I mean we're already talking halfway outside phpBB scope: yes, there are two passwords which can be read in plaintext - however, do you have a better approach on how PHP would be able to get the credentials?

Lumpy Burgertushie
Registered User
Posts: 66564
Joined: Mon May 02, 2005 3:11 am

Re: How to disable creating cache/data_global.php

Post by Lumpy Burgertushie » Tue Feb 26, 2013 1:26 pm

they did not get into your server via phpbb. nobody has managed to do it yet.

however, once someone gets into your server, there is no program running on it that is safe.

if you make things unaccessible to people with access to the server then you are going to be one of those people with no access.

you need to worry about how they got the access to your files instead of worrying about what they see once they get there.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

If a tree falls in the forest and nobody is there, does it make a sound?

Durbatuluk
Registered User
Posts: 106
Joined: Thu Dec 29, 2005 8:22 pm

Re: How to disable creating cache/data_global.php

Post by Durbatuluk » Tue Feb 26, 2013 4:48 pm

True ... But how can I know who got into my server? From where?

Lumpy Burgertushie
Registered User
Posts: 66564
Joined: Mon May 02, 2005 3:11 am

Re: How to disable creating cache/data_global.php

Post by Lumpy Burgertushie » Tue Feb 26, 2013 4:53 pm

Durbatuluk wrote:True ... But how can I know who got into my server? From where?
that would be something to take up with your host and/or any other software you are running on the server that may or may not be up to date or have security issues.

in your case, it sounds like someone simply had access to your email account, not to the server or phpbb.

why do you think someone hacked into anything?

robert

Brf
Support Team Member
Posts: 51824
Joined: Tue May 10, 2005 7:47 pm

Re: How to disable creating cache/data_global.php

Post by Brf » Tue Feb 26, 2013 4:53 pm

How do you know that someone got into your server, or email account? What did they do?

Durbatuluk
Registered User
Posts: 106
Joined: Thu Dec 29, 2005 8:22 pm

Re: How to disable creating cache/data_global.php

Post by Durbatuluk » Tue Feb 26, 2013 5:27 pm

The whole email account is deleted; all sent, trashed, received data suddenly gone ... The attacker even admitted he was inside and deleted everything (that's all he mentioned) - he had access information so some text-readable form and that is why I looked into phpBB files and saw this file which has the password in readable form and that's how the attacker could have gotten the access information as only I knew them.
