1

Topic: config.php

Hi,

Must config.php be in the root?
Can't I delete this file?
The password, database name, etc. are visible here, it's unbelievable!

Thanks,
Cyril

2

Re: config.php

In fact, my question is:
Is the security good for PunBB?
It seems like very low and nonexistent security. (config.php and install.php)
And if I remove these files, the forum doesn't work.
Am I right?

Re: config.php

Security is always an interesting question. The config.php file puzzles me too. Of course one has to be logged in to see it. Have you tried changing permissions? Mine are -rw-r--r--. Hopefully someone who knows will speak to this soon.

The install.php file is not needed. I just deleted mine.

4

Re: config.php

Thanks,

I tried to download config.php from an external link and the downloaded file is 0 bytes,
so the file seems protected, but it's a little strange :)
Normally config.php can be removed.

You are right, install.php is not needed.

Re: config.php

Cyril wrote:

In fact, my question is:
Is the security good for PunBB?
It seems like very low and nonexistent security. (config.php and install.php)
And if I remove these files, the forum doesn't work.
Am I right?

How can the placement of config.php in the forum root imply unsafety?

6

Re: config.php

Slavok wrote:
Cyril wrote:

In fact, my question is:
Is the security good for PunBB?
It seems like very low and nonexistent security. (config.php and install.php)
And if I remove these files, the forum doesn't work.
Am I right?

How can the placement of config.php in the forum root imply unsafety?

No, it's not the reason, but the file is not protected (not encrypted): I think it's a bit low for good protection.

Re: config.php

Perhaps this topic will help you.

8

Re: config.php

Slavok wrote:

Perhaps this topic will help you.

Thank you very much, it helps me :)

Re: config.php

Thanks for the link Slavok.

I guess what other sites do would be an indication of how safe this configuration is, so I just looked at a current WordPress installation. I can see that they do the same there. The database name and password etc. are completely clear to anyone who has access to the file. One can only hope that the server limits access, and indeed that should be the case.
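
Added example, not part of the thread and not PunBB's own code: a shell check for the points raised above (the `-rw-r--r--` permissions, the 0-byte download, the leftover install.php). It also flags stray copies of config.php, which goes slightly beyond the thread. The function name `audit_forum_dir` is hypothetical and the sample directory is constructed.

```shell
#!/bin/sh
# Audit a forum directory for the exposures discussed in the thread.
# Prints one line per finding; the return status is the number of findings.
audit_forum_dir() {
    dir=$1
    cfg="$dir/config.php"
    findings=0
    if [ ! -f "$cfg" ]; then
        echo "config.php: not found in $dir"
        return 1
    fi
    # The file must open with a PHP tag. Then a web request runs it and gets an
    # empty body (the 0-byte download seen above) instead of the source text.
    if [ "$(head -c 5 "$cfg")" != '<?php' ]; then
        echo "config.php: does not start with <?php, would be served as text"
        findings=$((findings + 1))
    fi
    # -rw-r--r-- can let other local accounts on a shared host read the file.
    if [ -n "$(find "$cfg" -prune -perm -004)" ]; then
        echo "config.php: world-readable, tighten if the PHP user allows it"
        findings=$((findings + 1))
    fi
    if [ -n "$(find "$cfg" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "config.php: writable by group or others"
        findings=$((findings + 1))
    fi
    # Editor or backup copies are not run by PHP, so they are served as text.
    for copy in "$cfg".* "$cfg"~; do
        if [ -f "$copy" ]; then
            echo "${copy##*/}: stray copy of config.php, remove it"
            findings=$((findings + 1))
        fi
    done
    if [ -f "$dir/install.php" ]; then
        echo "install.php: still present, delete it after installation"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample directory (not a real PunBB install).
demo=$(mktemp -d)
printf '<?php\n$db_password = "constructed";\n' > "$demo/config.php"
chmod 644 "$demo/config.php"
: > "$demo/install.php"
audit_forum_dir "$demo" || echo "findings: $?"
rm -rf "$demo"
```

Whether a mode tighter than 644 works depends on which account the web server runs PHP as; the check only reports the mode bits.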