Security RISK/WARNING for you folks with shared providers..
  • #31
It is probably just the settings on the Mac client. Sounds like you are on a Windows server?

    Anyway, it is fine that you can see their directories, as long as you can't see inside the directories... if you can, you are open to the same problem...

    Eric C
    -



    • #32
      Nope, I'm on Linux, I wouldn't touch an NT webserver for 1000 bucks. I'm not a Mac person either so I don't know what settings would affect it. I was just amazed that I could see all that info alone. If I'd been able to go into the directories and read I would have left my host by now.
      JTMON



      • #33
        don't feel too secure....

        It is still possible that someone could write a PHP script that could access your config.php file, and write it to a file they could read, or just display it on the screen for them. The script would have to be on the same server, or same NIS.


        Maybe I should shut up, I hope hackers don't read this.

        Eric C
        -



        • #34
          Having only just relocated to VO, I am not at all thrilled at the prospect of having to find another host.... especially when both the vB developers and a number of highly-respected users on this support forum actively recommend them. Thus, I think I am going to give them the benefit of the doubt for now, and hope that both VO and Jelsoft will resolve the matter between them.

          That said, I have cut'n'pasted Tom's post and forwarded it to them to see if they have anything more to say against using the chown method. I can't for the life of me understand why it would be so much hassle for them to at least do this on my account. Or am I/we missing their point about suexec? Any vB developers in the house care to comment?



          • #35
            Originally posted by svoec
            don't feel too secure....

            It is still possible that someone could write a PHP script that could access your config.php file, and write it to a file they could read, or just display it on the screen for them. The script would have to be on the same server, or same NIS.


            Maybe I should shut up, I hope hackers don't read this.

            Eric C
            That's been said many, many times in this thread, no new news there.

            tjk



            • #36
              Hi all,

              This thread makes me shudder!

              I did the "locate config.php" thingy, through my telnet connection, and I got a loooooong list of path names. I am in trouble here, right?

              I am truly a newbie. Can anyone possibly translate all the advice given here, into easy-to-understand steps? Sort of like a "security checklist"? With techie terminology explained, please?

              Thank you very much in advance.

              mishkan



              • #37
                Originally posted by svoec
                don't feel too secure....

                It is still possible that someone could write a PHP script that could access your config.php file, and write it to a file they could read, or just display it on the screen for them. The script would have to be on the same server, or same NIS.


                Maybe I should shut up, I hope hackers don't read this.

                Eric C
                Wouldn't having PHP in SAFE MODE fix this?



                • #38
                  Yes, it should do, as would using open_basedir restrictions. Of course it doesn't solve the problem if other scripting like Perl etc. is not being run under suEXEC.
                  Karl Austin
                  UK Web Hosting and Servers :: KDA Web Services Ltd.
                  Specialists in Custom Solutions

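Karl's reply, together with #33 (a script on the same box reading config.php) and #34 (the chown/suEXEC question), comes down to one check: can any account other than yours read config.php? The POSIX shell script below is an added example, not code from this thread, from vBulletin or from any host named here. It assumes your PHP scripts run under your own account (suEXEC or similar), so the file only needs to be readable by its owner; the document-root path and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and harden the permissions on vBulletin config.php files
# on a shared host. Assumes (not stated in the thread) that scripts run as the
# account owner (suEXEC-style), so owner-only read is enough for the board.

# Return 0 if the file is readable by its group or by everyone, 1 if only the
# owner can read it. Mode bits come from ls so this works on any POSIX system.
config_is_exposed() {
    f="$1"
    [ -e "$f" ] || { echo "no such file: $f" >&2; return 2; }
    mode=$(ls -ld "$f" | cut -c1-10)          # e.g. -rw-r--r--
    grp=$(printf '%s' "$mode" | cut -c5)      # group read bit
    oth=$(printf '%s' "$mode" | cut -c8)      # other read bit
    if [ "$grp" = r ] || [ "$oth" = r ]; then
        return 0
    fi
    return 1
}

# Make the file readable and writable only by its owner, then re-check.
# If your account is not the owner, the host has to chown it first (root only).
harden_config() {
    f="$1"
    chmod 600 "$f" || return 1
    ! config_is_exposed "$f"
}

# Walk a document root and print every config.php another customer could read.
# This is the defender's version of the "locate config.php" from post #36.
find_exposed_configs() {
    root="$1"
    find "$root" -type f -name config.php 2>/dev/null | while read -r f; do
        if config_is_exposed "$f"; then
            printf '%s\n' "$f"
        fi
    done
}
```

Run `find_exposed_configs /home/yourlogin/public_html` (path is an assumption) from your telnet or SSH session, then `harden_config` on each hit. If the host runs every customer's PHP as one shared web-server user with no suEXEC, chmod 600 will break the board, because that user can no longer read the file; that is exactly the trade-off this thread is arguing about, and in that setup only open_basedir or safe mode on every account limits what another customer's script can open.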


                  • #39
                    Re: Not the best..

                    Originally posted by tomk
                    This is a huge problem, and has been for a long time. I'd be embarrassed if I were the author of such programs that didn't use a bit better method to at least encrypt the password stored in the txt file.
                    What exactly do you suggest we do? We can't use the Zend Encoder, because the majority of hosts are not running the Zend Optimizer (which is the minimum required to decode a Zend Encoder-encoded file). Encryption of just the password is out of the question, because it would have to be a reversible encryption (since it has to be fed to MySQL at some point and MySQL doesn't use encrypted passwords), which would kind of kill the point of using it.

                    There is not much that can be done in general regarding this - and there is nothing that can be done by us.



                    • #40
                      Also regarding the people suggesting that VO & Jelsoft should get together and resolve this: Even if that were to happen (which I doubt it will), that still leaves every other host on earth. It won't help anything except the people on VO.



                      • #41
                        Originally posted by mishkan
                        I am truly a newbie. Can anyone possibly translate all the advice given here, into easy-to-understand steps? Sort of like a "security checklist"? With techie terminology explained, please?
                        tubedogg and vBulletin Team, do you think this could be done? For you to create a list like this? I'm sure it would be highly appreciated by all vBulletin administrators... especially by us newbies.

                        mishkan



                        • #42
                          Originally posted by mishkan

                          tubedogg and vBulletin Team, do you think this could be done? For you to create a list like this? I'm sure it would be highly appreciated by all vBulletin administrators... especially by us newbies.

                          mishkan
                          Yeah, that would be nice. My brain is smoking after reading through all of that.



                          • #43
                            Here was my thought:
                            Have the install script ask the installer to choose the name for the config file, and store that inside the actual code somewhere?

                            At least this way, it makes it harder for hackers to be able to do a locate on the file name.

                            Is that doable ?
                            -



                            • #44
                              Unfortunately it would still be easy to find the password if it was just written to a random file, although I do have some ideas on making it harder for the password to be found.
                              Karl Austin
                              UK Web Hosting and Servers :: KDA Web Services Ltd.
                              Specialists in Custom Solutions



                              • #45
                                I will be using Ventures Online. Is there something I need to inform my host about?

                                I will be on a shared server to start and this thread makes me very nervous.

                                Thanks!
