revspalding
Premium
Joined: Jan 31, 2003
Posts: 125
Location: Badlands of NW Colorado
Posted: Fri Jan 31, 2003 4:27 pm
I read about the "boys from brazil" hacking nuke sites and the vulnerability of the config.php file in this hacking of nuke sites. Could saving the config.php file in a non web viewable directory increase site security, and if I save it in a private directory what files do I have to modify?

Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Fri Jan 31, 2003 4:32 pm
If you do move it you will have to modify pretty much all of Nuke's files. That's just a 'guess' right now. If you have Nuke 6.0 or higher, then the file doesn't need to have write permission.
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki]

revspalding
Premium
Joined: Jan 31, 2003
Posts: 125
Location: Badlands of NW Colorado
Posted: Sat Feb 01, 2003 10:16 am
Would saving the config.php file in a nonweb directory prevent the hack that these 'boys from brazil' did, that compromised the database information?
As far as editing all of the nuke files, I looked at admin.php and noticed that this file, as well as all of the other ones I checked in the root directory of nuke, (I didn't check all of them), had a line of:
require_once ("mainfile.php");
and mainfile.php has the line:
require_once("config.php");
So it would seem to me, (and I'm the first to admit my coding shortcomings and lack of real in depth research into all of the files) that if you changed the require_once("config.php") in mainfile.php, to point to a non web directory, that it would be included into the rest of the routines through that require statement in mainfile.php.
That's the reason I asked the experts, to save the time looking through all of the code.
It concerns me because access to config.php also accesses the user name and password to the database. That could lead to some serious compromises in security.
The NSNCart program, currently under development, saves bank routing information and credit card info unencrypted in the database, and before I use this module and put any customer's information in the database, I want to make sure that it is as secure as it can be. Or I will be searching for some other means of e-commerce. We'll wait and see. NSN advised that encryption is on their development list for the Cart Program.
Appreciate the quick response, and hope someone has the answer to whether or not saving the config.php file will prevent this recent hack.

Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Sat Feb 01, 2003 10:52 am
You certainly should wait for a well established encrypted shopping cart system. I'm a big buff on security, but I'm not willing to put the time and effort in dealing with that kind of sensitive data. I'm sure you read occasionally that even big e-commerce sites get hacked into.
As for moving the config.php to a non web dir and having it work... would that really stop someone from accessing the file if the server is still able to?

 |
revspalding
Premium
Joined: Jan 31, 2003
Posts: 125
Location: Badlands of NW Colorado
Posted: Mon Feb 03, 2003 6:31 am
No, I realize that someone with server privileges would still be able to look, it's just that it would reduce the numbers by 10 to the 7th. Francisco mentioned it in one of the installation documents, but I just haven't found much information on any of the Nuke support sites about someone doing it, or what would be required.
_________________ When the blind lead the blind, they both fall in the ditch...

uglymonk
Nuke Soldier
Joined: Jan 30, 2003
Posts: 15
Location: USA
Posted: Mon Feb 03, 2003 11:17 am
If you make a config.php file with only this in it:
<?php include("/pathto/nonweb/config.php"); ?>
put your real config in the path specified, and this config in your nuke folder.
I haven't tried relative paths but I suppose they would work just as well.
<?php include("../../nonwebfolder/config.php"); ?>
I'm not sure to what degree I am more secure like this but every little bit helps.

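An added example, not code from this thread or from PHP-Nuke, of the stub approach uglymonk describes: a config.php in the Nuke web root that does nothing but load the real file from outside the document root, sends a direct browser request for itself to index.php, and fails closed if the private file is missing or has been moved back inside the web tree. The path /home/example/private/config.php is a placeholder; point it at your own non-web directory.

```php
<?php
// Stub config.php for the Nuke web root (added example, not PHP-Nuke's own file).
// The real config.php, with the database credentials, lives outside the document
// root. The path below is a placeholder; point it at your own non-web directory.
$real_config = '/home/example/private/config.php';

// When a browser requests /config.php directly, this file is the entry script.
// When mainfile.php includes it, the entry script is admin.php, index.php, etc.
// Send direct requests to index.php so the stub never serves anything itself.
if (basename($_SERVER['SCRIPT_FILENAME']) === basename(__FILE__)) {
    header('Location: index.php');
    exit;
}

// Fail closed: no credentials are better than a half-configured site that
// leaks errors. The messages deliberately do not reveal the private path.
$real_path = realpath($real_config);
if ($real_path === false || !is_readable($real_path)) {
    die('config.php: private configuration file is missing or unreadable');
}

// Refuse a private file that has been moved back inside the document root,
// since that would silently undo the protection the stub exists to provide.
$doc_root = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($doc_root !== false && strpos($real_path, $doc_root . DIRECTORY_SEPARATOR) === 0) {
    die('config.php: private configuration must live outside the document root');
}

// Pull in the real settings; everything that does require_once("config.php")
// through mainfile.php gets them exactly as before.
require_once $real_path;
?>
```

This keeps the database credentials out of any file a web request can fetch, but not away from anyone who can already read or write files on the server, which is the limit Zhen-Xjell raises above.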
ArtificialIntel
Joined: Jan 31, 2004
Posts: -88
Posted: Mon Feb 03, 2003 11:44 am
You're not any more secure with that method than actually having the config.php in the root, because if the hackers hack your site and replace that file, you're still going to have problems.
Artificialintel

uglymonk
Nuke Soldier
Joined: Jan 30, 2003
Posts: 15
Location: USA
Posted: Mon Feb 03, 2003 12:05 pm
Does it at least help keep them from getting my database pass?

ArtificialIntel
Joined: Jan 31, 2004
Posts: -88
Posted: Mon Feb 03, 2003 12:12 pm
They can't get it anyway, because if you try to access that file directly, it just directs you to the index.php file, so they get nothing.
Artificialintel

uglymonk
Nuke Soldier
Joined: Jan 30, 2003
Posts: 15
Location: USA
Posted: Mon Feb 03, 2003 12:29 pm
So this Brazilian problem, is it only an issue if you have the nukebrowser?

Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Mon Feb 03, 2003 12:35 pm
uglymonk wrote:
    Does it at least help keep them from getting my database pass?
AI is right. Best bet is to actually install this into your .htaccess file:
# anchored regex with the dot escaped, so exactly config.php is matched
<Files ~ "^config\.php$">
deny from all
</Files>
That will not allow the file to be called from the browser.

Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Mon Feb 03, 2003 12:36 pm

uglymonk
Nuke Soldier
Joined: Jan 30, 2003
Posts: 15
Location: USA
Posted: Mon Feb 03, 2003 12:42 pm
Can Analyze tell what version of Apache my webhost is running? If not, where can I find out?

Zhen-Xjell
Nuke Cops Founder
Joined: Nov 14, 2002
Posts: 5939
Posted: Mon Feb 03, 2003 3:26 pm
I can include that in the next release.