Move config.php out of Web Root

Temporary forum to obtain support while phpBB.com is offline.
Please use the support forum on phpBB.com
FoolishNoob
Registered User
Posts: 15
Joined: Thu Feb 05, 2009 7:39 pm

Move config.php out of Web Root

Post by FoolishNoob »

I would like to move as many includes -- and in particular config.php -- out of the web root. Does anyone have any experience with this?
a_o_c
Registered User
Posts: 26
Joined: Mon Feb 02, 2009 8:19 pm
Location: phpbb_

Re: Move config.php out of Web Root

Post by a_o_c »

why? :?
A_Jelly_Doughnut
Registered User
Posts: 1780
Joined: Wed Jun 04, 2003 4:23 pm

Re: Move config.php out of Web Root

Post by A_Jelly_Doughnut »

Moved from discussion to support.

Moving config.php is fairly easy. It is only included once -- in common.php -- so you can easily alter that one call.

Moving all the includes would be somewhat more tricky. You might be able to use the PHPBB_ROOT_PATH constant, but that would assume you moved all of the included files, not just some of them.
A_Jelly_Doughnut
Lumpy Burgertushie
Registered User
Posts: 1006
Joined: Tue Feb 28, 2006 5:26 pm

Re: Move config.php out of Web Root

Post by Lumpy Burgertushie »

I am with A_O_C, why?

maybe if you told us exactly what your goal is, we could help you achieve it.


robert
ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK

Re: Move config.php out of Web Root

Post by ToonArmy »

If for some reason PHP stops, your config.php will be served as plaintext. Usually I just modify the config.php in the web root to do:

Code:

<?php
include '/etc/phpbb/site.example.com.php'; 
Chris Smith | Blog | XMO | Ohloh | Area51 | Wiki | No support via PM/IM
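
The stub approach from the post above, as an added example that is not part of the thread and is not phpBB's own code: a shell function that copies the real settings outside the document root, refuses a destination that resolves back inside it, and leaves a credential-free stub behind. The function name relocate_config and the paths passed to it are hypothetical, and mode 600 assumes PHP runs as the file's owner.

```shell
#!/bin/sh
# Added example (hypothetical helper, not phpBB code).
# relocate_config DOCROOT TARGET
#   DOCROOT  web-served directory that currently holds config.php
#   TARGET   new location for the real settings, outside DOCROOT
relocate_config() {
    docroot=$1
    target=$2

    if [ ! -f "$docroot/config.php" ]; then
        echo "no config.php in $docroot" >&2
        return 1
    fi

    # Resolve both directories so symlinks or ../ cannot hide a web-root target.
    real_docroot=$(cd "$docroot" && pwd -P) || return 1
    target_dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || {
        echo "target directory does not exist" >&2
        return 1
    }
    real_target=$target_dir/$(basename "$target")

    case "$real_target" in
        "$real_docroot"/*)
            echo "refusing: $real_target is inside the web root" >&2
            return 2 ;;
        *\'*)
            echo "refusing: path would break the quoted include" >&2
            return 1 ;;
    esac
    if [ -e "$real_target" ]; then
        echo "refusing to overwrite $real_target" >&2
        return 3
    fi

    # Copy the real settings out, readable by the owner only.
    # Assumption: PHP runs as the file owner; otherwise grant the web
    # server's group read access instead (mode 640).
    ( umask 077 && cp "$docroot/config.php" "$real_target" ) || return 1
    chmod 600 "$real_target"

    # Replace the web-root copy with a stub that holds no secrets.
    printf "<?php\ninclude '%s';\n" "$real_target" > "$docroot/config.php"
}
```

Return code 2 means the destination was still inside the web root and nothing was changed; 3 means the destination already exists.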
FoolishNoob
Registered User
Posts: 15
Joined: Thu Feb 05, 2009 7:39 pm

Re: Move config.php out of Web Root

Post by FoolishNoob »

Anything you keep inside the web root (or document root) you would do well to consider public. Exposed source code in config.php exposes your database credentials... we can see here how that turns out.

Thanks for the quick replies.
Lumpy Burgertushie
Registered User
Posts: 1006
Joined: Tue Feb 28, 2006 5:26 pm

Re: Move config.php out of Web Root

Post by Lumpy Burgertushie »

FoolishNoob wrote: Anything you keep inside the web root (or document root) you would do well to consider public. Exposed source code in config.php exposes your database credentials... we can see here how that turns out.

Thanks for the quick replies.

I figured that was why you asked.

Just fyi, the current situation with phpbb.com has nothing at all to do with this or for that matter, it has nothing at all to do with phpbb.

also, in all the time I have been here, I have yet to hear of anyone gaining access to a board via the config.php because it was in the public directory tree.

I won't argue that it is more secure outside the public area, but in reality, it is not an issue.

anyway, good luck,

robert
ric323
Registered User
Posts: 102
Joined: Sat Sep 29, 2007 1:09 pm
Location: Melbourne, Australia

Re: Move config.php out of Web Root

Post by ric323 »

FoolishNoob wrote: ...
Exposed source code in config.php exposes your database credentials... we can see here how that turns out.

As Lumpy already mentioned, that was NOT the case at phpbb.com. The attacker was able to insert his own php code, so it didn't matter where config.php was.
dowelld
Registered User
Posts: 11
Joined: Fri Feb 06, 2009 10:03 am

Re: Move config.php out of Web Root

Post by dowelld »

ToonArmy wrote: If for some reason PHP stops, your config.php will be served as plaintext. Usually I just modify the config.php in the web root to do:

Code:

<?php
include '/etc/phpbb/site.example.com.php';

Ummm no I think not.
<Files "config.php">
Order Allow,Deny
Deny from All
</Files>
That entry in .htaccess should stop it from being served at all.
oXo
Registered User
Posts: 66
Joined: Mon Feb 02, 2009 2:16 am

Re: Move config.php out of Web Root

Post by oXo »

dowelld wrote:
ToonArmy wrote: If for some reason PHP stops, your config.php will be served as plaintext. Usually I just modify the config.php in the web root to do:

Code:

<?php
include '/etc/phpbb/site.example.com.php';

Ummm no I think not.
<Files "config.php">
Order Allow,Deny
Deny from All
</Files>
That entry in .htaccess should stop it from being served at all.

That code is already in .htaccess
Locked