ATutor

Learning Management Tools









config.inc.php SECURITY


  • 2006-10-01 17:03:29

    config.inc.php SECURITY

    Hi, I have just installed ATutor and find it fab...

    However, I have a problem that is going to make me uninstall in a few hours if I can't get a resolution to this problem. I have searched the documentation and forum and have not found an answer as yet.

    In include/config.inc.php all my database username and password etc. details are held. If I go to my web browser and type in www.pathtoAtutor/includes/config.inc.php and then view source I can read the entire file. Hence anyone can hack my entire site.

    If I chmod so cannot read file then cannot access Atutor at all?

    Is there something I am doing wrong???

    Should I move the file elsewhere?

    Please help, if no answer will have to uninstall and find something more secure.

    kind regards
    Karen :(


    If you are asking for help, provide lots of detail so problems can be reproduced.

    Things to describe:
    operating system - of my server? (unix i think) or my computer? (windows xp pro)
    version of ATutor - 1.5.3.2
    versions of php -
    version of mysql -
    webserver & version -
    copies of error messages -
    changes to default settings -
    web browser being used -
    and anything else relevant -

  • 2006-10-01 17:37:49

    Re: config.inc.php SECURITY???

    I tried to duplicate your problem on our servers. We are running several installations of Atutor. On all the installations we tested we were unable to view the source as described in your post.

    Since we control our own servers we have our systems configured not to display source without a web page present. This is normally done by setting permissions on the file or directory.

    Our config.inc.php file is set with a permissions level of 666, which gives read/write access but not execute permissions.

    Our directory - include - is set at a permissions level of 755 which is - "world read" - "owner write" - "world execute"

    All files are "chown"'d - "server owner" by our ftp login and not owned by the web server ie .. "www" or "nobody"

    I hope you understand what I mean. In other words the web server owner - usually "www" or "nobody" should not be the username that owns the files or directories

    All file ownership should be owned by the actual FTP or Cpanel login name.

    Only files created by students or ones generated during the actual use of ATutor should have an ownership by the webserver.

    You might need to talk with your hosting company regarding the issue and how overall server permissions are set if you are not in control of your user area permissions and ownership levels.

    I hope this helps

  • 2006-10-01 18:44:26

    Re: config.inc.php SECURITY???

    Thanks,

    I am not sure what is going on....

    thanks for the info :-)

    The rest of the site I am working on that is using php is working fine and a view of the page source of these other files shows nothing.

    I will look into why it is doing it on this atutor install

    cheers
    karen

  • 2006-10-02 08:34:53

    Re: config.inc.php SECURITY???

    This is usually the result of the Web server being misconfigured. Be sure it is set up to execute php, rather than read it.

    I'll guess you are using Apache. In Apache's httpd.conf file, the following should be set.

    [php]

    AddType application/x-httpd-php .php .phtml

    [/php]

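
    The check described in the last reply, as an added example that is not part of the thread or of ATutor's code: a Python sketch that looks for an active PHP handler mapping in Apache configuration text and tests whether a response body is unexecuted PHP source. The function names, sample configuration and sample response bodies are constructed for illustration, and only mod_php-style directives are covered.

```python
import re

# mod_php-style directives that hand .php files to the PHP handler.
# PHP-FPM/proxy setups use other directives and are outside this sketch.
_MAP = re.compile(r"^\s*Add(?:Type|Handler)\s+application/x-httpd-php\s+(.+)$", re.I)
_SET = re.compile(r"^\s*SetHandler\s+application/x-httpd-php\b", re.I)

def php_handler_configured(conf_text):
    """True if an active (uncommented) directive maps .php to the PHP handler."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do nothing
        m = _MAP.match(line)
        if m:
            # Apache accepts extensions with or without the leading dot
            exts = [e.lstrip(".").lower() for e in m.group(1).split()]
            if "php" in exts:
                return True
        if _SET.match(line):
            return True
    return False

def serves_raw_php(body, content_type=""):
    """True if an HTTP response looks like PHP source that was not executed."""
    if "x-httpd-php" in content_type.lower():
        return True  # type assigned by AddType, but nothing executed the file
    return re.search(rb"<\?(php\b|=)", body, re.I) is not None

# Constructed inputs (not taken from the thread or from a real server).
BROKEN_CONF = ("LoadModule dir_module modules/mod_dir.so\n"
               "# AddType application/x-httpd-php .php .phtml\n")
FIXED_CONF = ("LoadModule dir_module modules/mod_dir.so\n"
              "AddType application/x-httpd-php .php .phtml\n")
LEAKED_BODY = (b"<?php\ndefine('DB_USER', 'example_user');\n"
               b"define('DB_PASSWORD', 'example-not-real');\n?>")
EXECUTED_BODY = b""  # a file that only defines constants prints nothing when run

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, "conf maps .php:", php_handler_configured(conf))
    print("leaked body is raw PHP:", serves_raw_php(LEAKED_BODY, "text/plain"))
    print("executed body is raw PHP:", serves_raw_php(EXECUTED_BODY, "text/html"))
```

    To check a live install, fetch the config URL yourself and pass the response body and Content-Type header to serves_raw_php; an empty body is the expected result when PHP executes the file.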