MyBB Community Forums

Full Version: Database password security
I'm a noob at MyBB, so I hope this isn't too obvious. I have read a bunch of posts on adding extra security but there is one thing I haven't seen. The fact that the MySQL database admin name and password are under the web document tree doesn't seem like a good idea.

If somehow the web server returned the "config.php" doc instead of processing the doc, it would reveal your database password.

So, wouldn't it be better to have "config.php" include a file from some place outside the web document tree? That way, if the server is not processing PHP correctly, the user would only see a reference to the file containing the password and not the password itself.

The other thing I was unsure of was upgrades to MyBB. When I update to a new release of MyBB, will "config.php" get overwritten? Is there some better mechanism for including passwords outside the document tree?

Thanks for the advice.
It is the common way to store the config in such a directory. Unless there is something wrong with your webserver/PHP configuration this is no problem. But you can add a .htaccess in your "inc" to disable access for additional security.
(2011-04-12, 04:10 AM) jbruce Wrote: When I update to a new release of MyBB, will "config.php" get overwritten?
Normally it is not touched, but sometimes it is modified to add additional options.
(2011-04-12, 04:10 AM) jbruce Wrote: ...
If somehow the web server returned the "config.php" doc instead of processing the doc...
PHP doesn't work that way, the webserver will never "return the 'config.php' instead of processing..."

A poorly set-up shared hosting (for example) would be much more dangerous, but in that case the fault is not with MyBB. Like StefanT said, this is the standard way for most PHP scripts.

I recognize that PHP doesn't work that way, but web servers do. It is possible that a misconfiguration of the web server could return the document. It just seems to me that having passwords in the document tree is a bad idea.

Stefan, are you saying that the standard way IS to keep passwords in the document tree (that is, keep the password in the inc/config.php file)?

I guess you are also saying that by including a .htaccess file in the folder, Apache won't simply return the document just because PHP is misconfigured. It would probably take a severely misconfigured Apache to ignore the .htaccess file and return the "config.php" file. I think that is what you are saying and that makes sense.

Thanks for the advice.
That would involve some active misconfiguring (by you) to make Apache do that. And once you know how you might achieve that you also know why you shouldn't try it.
(2011-04-12, 05:53 AM) jbruce Wrote: I guess you are also saying that by including a .htaccess file in the folder, Apache won't simply return the document just because PHP is misconfigured. It would probably take a severely misconfigured Apache to ignore the .htaccess file and return the "config.php" file.
You assume two totally different parts of the configuration are wrong at the same time? I think this is nearly impossible... Is there any way to disable .htaccess file recognition completely? You can disable options but this would produce Internal Server Errors and you still won't get the content of the file.
You can move the file elsewhere if you want (e.g. create a config.php that loads the data from outside the web tree). It can't be done in general because many hosts do not actually offer any storage folders outside the html directory. The same thing should probably be done for the admin/backup folder then, if you're worried about people downloading your database backups directly.
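As an added illustration of the "config.php that loads the data from outside the web tree" approach described above (example code, not MyBB's own inc/config.php and not posted by anyone in this thread), assuming the DocumentRoot is /var/www/example.com/public, the secrets live in /var/www/example.com/private/mybb-db.php, and the $config['database'] keys are the ones inc/config.php normally holds:

```php
<?php
// inc/config.php (added example; paths and key names are assumptions)
//
// inc/.htaccess alongside it, Apache 2.4 syntax, so the directory is never
// served directly even if PHP handling breaks:
//     Require all denied
//
// /var/www/example.com/private/mybb-db.php, outside the DocumentRoot, holds
// only the credentials and returns them as an array:
//     <?php
//     return [
//         'hostname' => 'localhost',
//         'database' => 'mybb',
//         'username' => 'mybb_app',
//         'password' => 'CHANGE-ME-placeholder',
//     ];

// inc/ -> public/ -> /var/www/example.com, then into private/.
$secretsFile = dirname(__DIR__, 2) . '/private/mybb-db.php';

if (!is_readable($secretsFile)) {
    // Fail closed: never fall back to credentials kept inside the web tree.
    http_response_code(500);
    exit('Database configuration is not available.');
}

$secrets = require $secretsFile;

foreach (['hostname', 'database', 'username', 'password'] as $key) {
    if (!isset($secrets[$key]) || $secrets[$key] === '') {
        http_response_code(500);
        exit('Database configuration is incomplete.');
    }
}

// Even if the webserver ever did return this file as plain text, the reader
// would see only the path to the secrets file, not the password itself.
$config['database']['type']         = 'mysqli';
$config['database']['database']     = $secrets['database'];
$config['database']['table_prefix'] = 'mybb_';
$config['database']['hostname']     = $secrets['hostname'];
$config['database']['username']     = $secrets['username'];
$config['database']['password']     = $secrets['password'];
$config['database']['encoding']     = 'utf8';
```

The private file should be readable only by the account PHP runs as, and as noted in the thread this layout only works on hosts that give you a directory above the html root.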
Pretty much all web software works like this (phpBB, SMF, WordPress, standard software millions of people have installed), because as mentioned above, many hosts won't support it being anywhere else. It'll never be overwritten in an upgrade as no file package we provide contains a config.php file.