next »

[dink]

Not sure if this is the right section for this, but I'm pretty sure it will be moved if there is a better place.   

Wandering around in server logs yesterday when I saw an entry that chilled my shit. 
Somebody called for my config.inc file and it returned a code 200.  That means some joker has my information, right?

Now, config.inc is used on this site to access the database (mysql) for this site.  It happens that the config data is used by two more sites that use the same db. 

So, three websites that use this db to produce dynamic pages have been (potentially) compromised.

I'll have to go in and change the password for this db, then make a new config file, then change all of the pages on the three sites that use this.....yadda yadda.....

Getting bored just typing this stuff.  Imagine your pain reading it.

So how do I protect myself from a similar problem in the future?  My first thought was to name the config something like endlessJunk.php  or shitless.js.  Not sure if that will provide the protection I need.

What do you suggest?

[perkiset]

There are several ideas, but an immediate one would be to trap it in Apache... if anyone ever calls for config anything rewrite the URL to a Fuck You page. EG:

RewriteEngine on
RewriteCond  %{REQUEST_URI}   config
RewriteRule   ^(.*)$   http://http://goatse.ca/   [L]

IMPORTANT NOTE - I MEAN REALLY IMPORTANT - that URL is a JOKE and is NSFW

there's other ways in apache's .htaccess with the Directory directives, but I am not as familiar with that. Also, you could simply include config.inc from another directory that is readable by the PHP interpreter, but not in a place where it can be accessed by the outside world. A simple example:

<?php
$includeDir = '/www/privateDirUnavailableToApache';
require_once("$includeDir/config.inc");

Now, even though the PHP file can see it, it cannot be called - assuming that the DocumentRoot for <this website> is something like /www/mySites/thisSite

Good luck - that's a DRAG! My personal thing is to mod_rewrite EVERY request into a php handler - for example, main.php - and everything else becomes a GET parameter that I either understand how to handle ot treat as a hack attempt.

/p

[dink]

Good luck - that's a DRAG!

Thanks for that.  You've spun my gears on the solution.