Guest Cool Surfer
October 16, 2008 in Feedback
Dont know if I posted this earlier.
When a server apache doesnt reboot properly, then you can download .php files,
eg if you type forums.invisionpower.com/index.php the file index.php can be downloaded.
likewise config.php can be downloaded.
So if config.php file is not fetched directly in other php files, but instead lets say
but instead if it says
and config-fake.php says
and the true config.php be decided by the forum admin, where to hide the file/rename it , or whatever...
Then they'd just download index.php, find the true location and name of the config file and download that.
Best way to protect it is to store it in a directory that isn't web accessible.
Or configure Apache not to do what you are describing. I haven't seen an apache server do that in probably 3 years...I think that was more an Apache bug than anything.
Only option would be to move the file outside of the web directory (or maybe with an .htaccess as described, but you're relying on Apache at that point, which we've already established isn't working properly in this scenario). If you are going to bother doing that, just update the include path in index.php directly.
This topic is now archived and is closed to further replies.
Started 5 hours ago
Started 1 hour ago
Started May 31