PDA

View Full Version : security


rom
02-24-2004, 10:02 AM
I wanted to confirm that I have set-up security correctly on my site. My server runs Apache on Linux, not safe-mode enabled.

1. I have used htaccess on the admin directory for PhpDig and on the PhpMyAdmin directory, but isn't it possible for an unauthorized user to get access to the user name and password in the connect.php and config.php files in the includes directory? I have set the Chmod on the includes directory to 755.

2. Also, the documentation for PhpDig says that: "Password protected sites can be indexed giving to the robot a username and valid password.
Be Careful ! This feature could permit to an unauthorized user reading protected informations. We recommend to create a specific instance of PhpDig, protected by the same credentials as the restricted site. You have to create a special account for the robot too." Does this mean that someone can obtain the user name and password for my PhpMyAdmin directory?

Thanks very much.
:confused:

Charter
02-28-2004, 04:21 PM
Hi. Let's assume that the server is secure and no files on your account have vulnerabilities. With these assumptions, there could be a remote possibility that a user on a shared account could access another account on the same machine, but this would depend on setup. The 777 permission of the includes directory is for using install.php, but once done, the directory can be 755 permission and install.php can be removed. The documentation refers to if you should happen to crawl a link like http://username:password@www.domain.com which would pass the userame and password in plain text.