What files get changed when in admin.php?

Posted: Wed Aug 23, 2006 9:29 pm

Quote:

I mean, the instructions said to change the location of the real config and then put another config in it's place pointing to where it actually is.

Where does the Raven-supplied HowToInstall manual tell you to move your config.php file? We do not believe that to be much of a help. If someone can get into your site that far to view that script, they can probably do far more damage than hiding your config.php script will do. Just leave it in the root.

Yes, do not upgrade as yet your BBtoNuke (phpBB) as yet, as there are still concerns lurking out there that it has issues (until someone tells me otherwise). However, you will want to upgrade NukeSentinel to at least 2.4.2 pl9 or better and do this to protect your forum admins:
[ Only registered users can see links on this board! Get registered or login! ]

Involved Joined: Apr 05, 2006 Posts: 263

robots txt

like i have here add any folder you want to stop showing up

User-agent: *
Disallow: /abuse/
Disallow: /admin/
Disallow: /blocks/
Disallow: /cgi-bin/
Disallow: /db/
Disallow: /images/
Disallow: /includes/
Disallow: /language/
Disallow: /modules/
Disallow: /themes/
Disallow: /admin.php
Disallow: /config.php
Disallow: /downloads/

or use your .htaccess I`m sure someone with more idea how that works will let you / me know Wink

Posted: Thu Aug 24, 2006 2:12 pm

Are you sure you didnt read something about changing the location of the admin.php file and not the config.php file?
Any way, leave everything where it is, thats where mine are and I have not been hacked yet after all these years Wink

Ignore the forum update for now, there is nothing in it that is critical.
Enjoy using your site for a while Smile

Posted: Fri Aug 25, 2006 6:29 am

bugsTHoR, that only affects search engines and only those which "behave". You can use .htaccess, but in reality, what that protects is access from the web, such as from the browser, and NOT from a direct read. Even if you accessed your config.php script from your browser, it wouldn't show you anything, so using .htaccess is a moot point here.

Posted: Sat Aug 26, 2006 12:25 am

Sorry M, looks like I took so long to post you both posted before I hit send.

Posted: Sat Aug 26, 2006 6:54 am

If its ok that I jump in here;
Alot of problems have arrisen on my test site for phpbb 2.0.21

I wouldnt sudjest it.

As for your dummy config.php

The contents should be:

<?php
if (stristr($_SERVER['SCRIPT_NAME'], "config.php")) {
Header("Location: index.php");
die();}
include("mysite/config.php");
?>

You will need to make a folder called mysite but you can edit that to whatever folder name you would like.
Also, leave the if statement, that will stop them from accessing the file directly, only the browser not any script.

Posted: Sat Aug 26, 2006 6:59 am

darklord, this is an innovative approach. Can't see why it would not work. However, I could suggest actually placing the config.php file outside the web root -- i.e., "up" a level rather than "down". This way, there is no way a web client can access it directly... ever.

Posted: Sat Aug 26, 2006 7:08 am

true but this approach is not my own, this is a script from secure admin a while back. And used on my site personally. To make that happen a simple code change would do it:

If your site is at root level:
<?php
if (stristr($_SERVER['SCRIPT_NAME'], "config.php")) {
Header("Location: index.php");
die();}
include("../config.php");
?>

If your site is below root level:

<?php
if (stristr($_SERVER['SCRIPT_NAME'], "config.php")) {
Header("Location: index.php");
die();}
include("../../config.php");
?>

Posted: Mon Aug 28, 2006 11:14 am

Note that this may stop the forums admin panel from working. You will need code to address the relative paths - or quicker use the full path