1 (edited by rgsuk 2006-09-10 20:09)

Topic: Security of SQL database username and password

I installed PunBB this week after my phpBB board was hacked. Also, like many people on here, I was fed up with fake registrations and with spammers being able to put a URL in their public profile before confirming their account. Something that was brought to the attention of the developers of phpBB ages ago but still hasn't been resolved.

I am really liking PunBB so far. Particularly the speed and small size. But one issue I do have is the security of the SQL database and password, as this is stored in config.php in a public area.

Also I wonder why boards don't provide the option to just switch off showing the last registered user and members list? As that would solve the problem of 'rude' usernames.

Re: Security of SQL database username and password

config.php can't be viewed by anyone, as it's a PHP script. Unless they have FTP or any other sort of access of that kind to your files.

And for the last registered user and member list: just delete the file/comment out the code tongue

Re: Security of SQL database username and password

And all that info was stored in a config.php file for phpBB as well wink

4 (edited by rgsuk 2006-09-10 20:33)

Re: Security of SQL database username and password

You are absolutely right about phpBB :-) I just looked. I wondered because, in the past, I used a board that recommended that certain folders should be put 'above' the public html area on the server. However I think that was for Perl.

Can someone tell me which bit to comment out and in which file? I used to do that with phpBB. I do think it would be great to have this as a clickable option in admin because there are lots of people who are afraid to tweak the code and the edit is something extra to remember and do every time you upgrade the board.

Re: Security of SQL database username and password

The link to the user list can be found within the generate_navlinks() function in include/functions.php.

The last registered user code can be found within index.php.

EDIT: Forgot, you don't need to do every modification over when you upgrade your forum, simply use the hdiff linked to on the downloads page (if you don't know what that means, go to the downloads page and click the link to see it - it's pretty much self-explanatory).

Looking for a certain modification for your forum? Please take a look here before posting.

6

Re: Security of SQL database username and password

Thanks for that. I've tweaked the PHP as suggested. No more user list or last registered :-)

Re: Security of SQL database username and password

They do recommend putting the config.php file above a publicly visible folder and creating a link to that file where it's needed. Since PHP is preprocessed when requested through the webserver, the file will be parsed regardless, and if they can list the contents of a file, they can get the contents of a linked file as well.

I run a nightly cron job that backs up the database and compresses it and emails it to me. That's a pretty fail proof solution for me since my site doesn't get any traffic big_smile

8

Re: Security of SQL database username and password

rgsuk wrote:

I do think it would be great to have this as a clickable option in admin because there are lots of people who are afraid to tweak the code and the edit is something extra to remember and do every time you upgrade the board.

But there aren't lots of people who would need or want this particular item as an option.

9

Re: Security of SQL database username and password

MadHatter wrote:

I run a nightly cron job that backs up the database and compresses it and emails it to me. That's a pretty fail proof solution for me since my site doesn't get any traffic big_smile

Yeah, I do the same thing with this script: http://sourceforge.net/projects/automysqlbackup/

I don't have them emailed to me but I sync up with my web space in the morning.

10 (edited by rgsuk 2006-09-11 05:02)

Re: Security of SQL database username and password

Paul wrote:

But there aren't lots of people who would need or want this particular item as an option.

If there is the need for a facility to ban certain usernames and words then I don't see why the option to turn off the user list and last registered person isn't a desirable feature. As both of these things potentially bring offensive usernames (that haven't been confirmed by email) to the front page or a click away from it on the user list. Instead of trying to guess and ban all possible words it would be easier just to turn off these features in options. That way no one sees all the fake accounts that haven't been confirmed.

I have just abandoned phpBB because it has a similar but much worse problem: people can put a URL in their profile before they have confirmed their account. Which is just a golden opportunity for spammers and malicious people.

Re: Security of SQL database username and password

rgsuk wrote:

If there is the need for a facility to ban certain usernames and words then I don't see why the option to turn off the user list and last registered person isn't a desirable feature.

Because banning isn't only about hiding bad names tongue

Anyways, in 1.3 I believe you will be able to restrict who can view the userlist via group permissions.

12

Re: Security of SQL database username and password

I just don't get it: is there a way (risk of) to view config.php (with database login and pass) for a forum visitor/hacker without FTP access?

Yes or No ?

13 (edited by rgsuk 2006-09-11 23:23)

Re: Security of SQL database username and password

I am concerned because some hosts make you use your main hosting username and password for the sql databases. It may be that there is little chance of anyone getting a look at the config.php. I don't know much about this. Feels uncomfortable to store this info as text in a public area though...

Re: Security of SQL database username and password

Enemy wrote:

I just don't get it: is there a way (risk of) to view config.php (with database login and pass) for a forum visitor/hacker without FTP access?

Yes or No ?

No, there is no risk unless the "hacker" has an account on the same server as you

rgsuk wrote:

I am concerned because some hosts make you use your main hosting username and password for the sql databases. It may be that there is little chance of anyone getting a look at the config.php. I don't know much about this. Feels uncomfortable to store this info as text in a public area though...

Then move it outside of the public directory and edit common.php to reflect the change. Or change the filename and edit common.php to reflect the change. Or both! tongue
There's no way to "encrypt" the data in config.php so that only MySQL can read it. But, since it's PHP, it can't be read directly through going to the URL for it. PunBB has config.php where it is because some hosts don't have any space that is "hidden." If your host does allow the extra space, take advantage of it wink
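As an added example (not PunBB's own code, and the directory layout and file names are assumptions), this is what Paul's suggestion looks like in practice: the credentials live in a file outside the document root, and the front-end script pulls it in, refusing to run if the file is missing or readable by other accounts on the same host, which is the one risk the thread identifies.

```php
<?php
// Added example, not PunBB code. Assumed layout:
//   /home/site/private/punbb_config.php   the moved config.php (chmod 600)
//   /home/site/public_html/                the document root; this file lives here
// The private file keeps the same $db_* variables the original config.php held.

define('PUN_CONFIG_FILE', dirname(__DIR__) . '/private/punbb_config.php');

/**
 * Load the database credentials from outside the web root.
 * Fails closed: the forum never starts with empty or exposed credentials.
 */
function pun_load_config(string $file): void
{
    if (!is_file($file)) {
        exit('Configuration file not found: ' . basename($file));
    }

    // Moving the file out of public_html stops it being fetched by URL,
    // but on a shared host another account can still read it if the
    // permissions allow. Refuse group- and world-readable files.
    $mode = fileperms($file) & 0777;
    if ($mode & 0077) {
        exit(sprintf(
            'Configuration file is mode %04o; it must not be readable by others (chmod 600).',
            $mode
        ));
    }

    require $file;

    // Sanity check that the file actually defined what the forum needs.
    foreach (['db_host', 'db_name', 'db_username', 'db_password'] as $var) {
        if (!isset($GLOBALS[$var])) {
            exit('Configuration file is missing $' . $var);
        }
    }
}

pun_load_config(PUN_CONFIG_FILE);
```

Run the forum once after moving the file: if the permission check trips, fix the mode with chmod 600 rather than loosening the check, since a readable file is exactly what a neighbouring account on the server would go after.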