Invision Community 4: SEO, prepare for v5 and dormant account notifications By Matt November 11, 2024
Cool Surfer Posted October 16, 2008 Posted October 16, 2008 Dont know if I posted this earlier. When a server apache doesnt reboot properly, then you can download .php files, eg if you type forums.invisionpower.com/index.php the file index.php can be downloaded. likewise config.php can be downloaded. So if config.php file is not fetched directly in other php files, but instead lets say index.php says <? include 'config.php'; ?> but instead if it says <? include 'config-fake.php'; ?> and config-fake.php says <? include 'config.php'; ?> and the true config.php be decided by the forum admin, where to hide the file/rename it , or whatever...
Brandon D Posted October 16, 2008 Posted October 16, 2008 Then they'd just download index.php, find the true location and name of the config file and download that. Best way to protect it is to store it in a directory that isn't web accessible.
bfarber Posted October 16, 2008 Posted October 16, 2008 Or configure Apache not to do what you are describing. I haven't seen an apache server do that in probably 3 years...I think that was more an Apache bug than anything. Only option would be to move the file outside of the web directory (or maybe with an .htaccess as described, but you're relying on Apache at that point, which we've already established isn't working properly in this scenario). If you are going to bother doing that, just update the include path in index.php directly.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.