MyBB Community Forums

Full Version: MySQL is down, additional security risks. How to fix?
Every once in a while my host's MySQL (I'm on shared hosting) gets attacked and my site gets the proverbial bright red cannot connect to database error page from MyBB. So.. where is that error page stored so I can edit it with a URL for users to click for updates?

Also these error pages cause a security risk in that they show my site's MySQL host URL right there on the MyBB error page.. this is not good! So it's really important to me that I discover where I may edit what is shown on these error pages.
The template for the error page is in line 502 of inc/class_error.php. You can add a link there :)

The SQL stuff is line 389 if you wish to edit how the errors actually appear too.
(2012-08-04, 01:34 AM) GunnerAIO wrote: Also these error pages cause a security risk in that they show my site's MySQL host URL right there on the MyBB error page.. this is not good! So it's really important to me that I discover where I may edit what is shown on these error pages.

It's not a security risk. Without the username and password it's useless information. Even sites such as YouTube chuck out the MySQL host name when a MySQL error occurs.
(2012-08-06, 11:33 AM) Nathan Malcolm wrote: It's not a security risk. Without the username and password it's useless information. Even sites such as YouTube chuck out the MySQL host name when a MySQL error occurs.

If I know a user's MySQL host, I can human engineer them and discover their login and password with some luck. That's why I want the host to be always hidden from end users in every circumstance. Call it extreme paranoia if you wish. :)

Edit:
I worded that funny.. what I mean is if I learn of the MySQL host OR host's account user name and I have reason, I can proceed with human engineering.. having a little bit of experience in that field.. I don't want it to happen to me or others that are good people.. so hence it's why I ask how to disable the link in error pages. I know the host.. so why should anyone else need to.. that's my reasoning. :)
(2012-08-11, 10:20 PM) GunnerAIO wrote:
(2012-08-06, 11:33 AM) Nathan Malcolm wrote: It's not a security risk. Without the username and password it's useless information. Even sites such as YouTube chuck out the MySQL host name when a MySQL error occurs.

If I know a user's MySQL host, I can human engineer them and discover their login and password with some luck. That's why I want the host to be always hidden from end users in every circumstance. Call it extreme paranoia if you wish. :)

Edit:
I worded that funny.. what I mean is if I learn of the MySQL host OR host's account user name and I have reason, I can proceed with human engineering.. having a little bit of experience in that field.. I don't want it to happen to me or others that are good people.. so hence it's why I ask how to disable the link in error pages. I know the host.. so why should anyone else need to.. that's my reasoning. :)

It's more security through obscurity than anything. It doesn't really solve any potential issues (if someone wants to break into your hosting account, there are much easier ways to discover potentially sensitive information than finding out the MySQL host name).

If you insist on hiding the information from the public, simply switch it off.

ACP > Configuration > Server and Optimization Options > Error Type Medium > Hide Errors & Warnings

That way it would also hide PHP warnings which expose other 'sensitive' information.

For example, your forum is running on Linux and using PHP 5.2.17.
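A way to confirm, after switching errors off as described above, that a served page no longer shows the database host or PHP diagnostics. This is an added example, not part of the thread and not MyBB code; the `find_leaks` helper, the sample pages, the hostname, the user name and the file path are all constructed for illustration.

```python
import re

# PHP's diagnostic line format, with or without html_errors markup, e.g.
#   Warning: mysql_connect(): ... in /path/file.php on line 113
PHP_DIAG = re.compile(
    r"(?:<b>)?(Warning|Notice|Fatal error|Parse error)(?:</b>)?:\s+.*?\s+in\s+"
    r"(?:<b>)?(\S+?\.php)(?:</b>)?\s+on line\s+(?:<b>)?(\d+)",
    re.IGNORECASE | re.DOTALL,
)

def find_leaks(body, secrets):
    """Return (kind, detail) findings for one HTTP response body.

    secrets maps a label to a value the admin never wants displayed
    (database host, database user, ...). Only the label is reported,
    so the findings can be logged without repeating the value.
    """
    findings = []
    lowered = body.lower()
    for label, value in secrets.items():
        if value and value.lower() in lowered:
            findings.append(("config-value", label))
    # A PHP diagnostic exposes the server-side path and line number.
    for m in PHP_DIAG.finditer(body):
        findings.append(("php-diagnostic", f"{m.group(1)} in {m.group(2)}:{m.group(3)}"))
    return findings

# Constructed sample pages (not MyBB's real markup).
VERBOSE_PAGE = (
    "<h1>Database error</h1>\n"
    "<p>Unable to connect to MySQL server at mysql42.shared-host.example</p>\n"
    "<b>Warning</b>: mysql_connect(): Too many connections in "
    "<b>/home/example/public_html/inc/db.php</b> on line <b>113</b><br />\n"
)
HIDDEN_PAGE = (
    "<h1>Forum temporarily unavailable</h1>\n"
    "<p>Updates: <a href=\"http://status.forum.example/\">status page</a></p>\n"
)
# Constructed values; in practice these come from the forum's own config.
SECRETS = {"db_host": "mysql42.shared-host.example", "db_user": "example_forum"}

if __name__ == "__main__":
    for name, page in (("verbose", VERBOSE_PAGE), ("hidden", HIDDEN_PAGE)):
        print(name, find_leaks(page, SECRETS) or "clean")
```

Run it against the page as a logged-out visitor receives it while the database is unreachable, since that is the view the thread is concerned with.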
OMG Nathan, I love that post! Didn't know that option was there... damn.. I'm slow... lol.

Edit:
Does this hide error reports from ALL users or just any user other than admins?
So you're worried that a potential hacker will engineer you into giving them your username and password? The solution to that seems obvious.