Move config.php out of Web Root
Forum rules
Temporary forum to obtain support while phpBB.com is offline.
Please use the support forum on phpBB.com
-
- Registered User
- Posts: 15
- Joined: Thu Feb 05, 2009 7:39 pm
Move config.php out of Web Root
I would like to move as many includes -- and in particular config.php -- out of the web root. Does anyone have any experience with this?
- A_Jelly_Doughnut
- Registered User
- Posts: 1780
- Joined: Wed Jun 04, 2003 4:23 pm
Re: Move config.php out of Web Root
Moved from discussion to support.
Moving config.php is fairly easy. It is only included once -- in common.php -- so you can easily alter that one call.
Moving all the includes would be somewhat more tricky. You might be able to use the PHPBB_ROOT_PATH constant, but that would assume you moved all of the included files, not just some of them.
A_Jelly_Doughnut
- Lumpy Burgertushie
- Registered User
- Posts: 1006
- Joined: Tue Feb 28, 2006 5:26 pm
Re: Move config.php out of Web Root
I am with A_O_C, why?
maybe if you told us exactly what your goal is, we could help you achieve it.
robert
Re: Move config.php out of Web Root
If for some reason PHP stops, your config.php will be served as plaintext. Usually I just modify the config.php in the web root to do:
Code:
<?php
include '/etc/phpbb/site.example.com.php';
-
- Registered User
- Posts: 15
- Joined: Thu Feb 05, 2009 7:39 pm
Re: Move config.php out of Web Root
Anything you keep inside the web root (or document root) you would do well to consider public. Exposed source code in config.php exposes your database credentials... we can see here how that turns out.
Thanks for the quick replies.
- Lumpy Burgertushie
- Registered User
- Posts: 1006
- Joined: Tue Feb 28, 2006 5:26 pm
Re: Move config.php out of Web Root
FoolishNoob wrote:
> Anything you keep inside the web root (or document root) you would do well to consider public. Exposed source code in config.php exposes your database credentials... we can see here how that turns out.
> Thanks for the quick replies.
I figured that was why you asked.
Just fyi, the current situation with phpbb.com has nothing at all to do with this or for that matter, it has nothing at all to do with phpbb.
also, in all the time I have been here, I have yet to hear of anyone gaining access to a board via the config.php because it was in the public directory tree.
I won't argue that it is more secure outside the public area, but in reality, it is not an issue.
anyway, good luck,
robert
Re: Move config.php out of Web Root
FoolishNoob wrote:
> ...
> Exposed source code in config.php exposes your database credentials... we can see here how that turns out.
As Lumpy already mentioned, that was NOT the case at phpbb.com. The attacker was able to insert his own php code, so it didn't matter where config.php was.
Re: Move config.php out of Web Root
ToonArmy wrote:
> If for some reason PHP stops, your config.php will be served as plaintext. Usually I just modify the config.php in the web root to do:
> Code:
> <?php include '/etc/phpbb/site.example.com.php';
Ummm no I think not.
<Files "config.php">
Order Allow,Deny
Deny from All
</Files>
That entry in .htaccess should stop it from being served at all.
Re: Move config.php out of Web Root
dowelld wrote:
> ToonArmy wrote:
> > If for some reason PHP stops, your config.php will be served as plaintext. Usually I just modify the config.php in the web root to do:
> > Code:
> > <?php include '/etc/phpbb/site.example.com.php';
> Ummm no I think not.
> <Files "config.php">
> Order Allow,Deny
> Deny from All
> </Files>
> That entry in .htaccess should stop it from being served at all.
That code is already in .htaccess
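A check for whether the stub layout ToonArmy describes is actually in place on a board, added here as an example; it is not code from the thread or from phpBB. `audit_config`, `demo`, the finding strings and the temporary directory layout are assumptions of this example; `$dbpasswd` is the variable phpBB's config.php uses for the database password.

```python
import re
import stat
import tempfile
from pathlib import Path

CRED_RE = re.compile(r"\$dbpasswd\s*=")  # phpBB's DB password variable
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")

def audit_config(webroot):
    """Hypothetical helper: list findings for <webroot>/config.php ([] = OK)."""
    webroot = Path(webroot).resolve()
    source = (webroot / "config.php").read_text()
    findings = []
    if CRED_RE.search(source):
        findings.append("credentials stored inside web root")
    for raw in INCLUDE_RE.findall(source):
        target = Path(raw)
        if not target.is_absolute():
            findings.append(f"relative include path: {raw}")
            target = webroot / target
        target = target.resolve()
        if webroot in target.parents:  # real settings must live outside
            findings.append(f"include target is inside web root: {raw}")
        if not target.is_file():
            findings.append(f"include target missing: {raw}")
        elif target.stat().st_mode & stat.S_IROTH:
            findings.append(f"include target is world-readable: {raw}")
    return findings

def demo():
    """Audit two constructed layouts built in a temp dir (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        bad = base / "bad_htdocs"  # credentials directly in the web root
        bad.mkdir()
        (bad / "config.php").write_text("<?php\n$dbuser = 'forum';\n$dbpasswd = 'example';\n")
        good = base / "good_htdocs"  # stub only; settings outside, mode 0640
        good.mkdir()
        real = base / "etc_phpbb" / "site.example.com.php"
        real.parent.mkdir()
        real.write_text("<?php\n$dbpasswd = 'example';\n")
        real.chmod(0o640)
        (good / "config.php").write_text(f"<?php\ninclude '{real}';\n")
        return audit_config(bad), audit_config(good)

if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

The file the stub includes still has to be readable by the account PHP runs as, so the world-readable check assumes access is granted through owner or group permissions.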