Encode hesk_settings.inc.php

Everything related to Hesk - helpdesk software

Moderator: mkoch227

JFMichaud
Posts: 9
Joined: Fri Apr 20, 2012 12:06 pm

Encode hesk_settings.inc.php

Post by JFMichaud »

Hi, is it a good idea to "encode" the portion in hesk_settings.inc.php that refers to the database settings?

/* --> Database settings*/
$hesk_settings['db_host']='localhost';
$hesk_settings['db_name']='blabla';
$hesk_settings['db_user']='blabla';
$hesk_settings['db_pass']='blabla';
$hesk_settings['db_pfix']='hesk_';


eval(gzinflate(str_rot13(base64_decode(.....))));

Possible? Useless? Priceless? :)
Klemen
Site Admin
Posts: 10135
Joined: Fri Feb 11, 2005 4:04 pm

Re: Encode hesk_settings.inc.php

Post by Klemen »

This would add absolutely nothing to security if that's what you are after.

What you can do to really increase security is:
- htaccess protect "admin" folder
- use a dedicated database and database user for Hesk (don't use a database/user that the rest of your site uses)
- chmod settings file to 644 and only change to 666 when you need to modify any settings
- make sure you keep Hesk up to date with versions and patches. The best way to check that is with the "Check for updates" link in your HESK admin panel under "Settings"
- make sure your server is secure, with up to date software
Klemen, creator of HESK and PHPJunkyard
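The wrapper asked about in the first post is a chain of keyless transforms, so anyone who can read the file can reverse it. The following is an added example, not code from the thread or from HESK; the `wrap` and `unwrap` helper names are hypothetical and the sample settings are the placeholder values quoted in the first post.

```python
import base64
import re
import string
import zlib

# Constructed sample: the placeholder database block quoted in the first post.
SETTINGS = b"""$hesk_settings['db_host']='localhost';
$hesk_settings['db_name']='blabla';
$hesk_settings['db_user']='blabla';
$hesk_settings['db_pass']='blabla';
$hesk_settings['db_pfix']='hesk_';
"""

_LO = string.ascii_lowercase.encode()
_UP = string.ascii_uppercase.encode()
# PHP's str_rot13 rotates ASCII letters only and leaves every other byte alone.
ROT13 = bytes.maketrans(_LO + _UP, _LO[13:] + _LO[:13] + _UP[13:] + _UP[:13])

# Python equivalents of the PHP functions named in the wrapper.
LAYERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: b.translate(ROT13),
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no header
}

WRAPPER = re.compile(r"eval\(((?:\w+\()+)'([^']*)'\)+;")

def wrap(plain: bytes) -> str:
    """Build the line from the post: eval(gzinflate(str_rot13(base64_decode(...))))."""
    raw = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = raw.compress(plain) + raw.flush()
    payload = base64.b64encode(deflated.translate(ROT13)).decode()
    return f"eval(gzinflate(str_rot13(base64_decode('{payload}'))));"

def unwrap(php_line: str) -> bytes:
    """Recover the source by applying the listed calls, innermost first."""
    m = WRAPPER.search(php_line)
    if m is None:
        raise ValueError("no eval(...) wrapper found")
    calls = m.group(1).rstrip("(").split("(")  # outermost call first
    data = m.group(2).encode()
    for name in reversed(calls):
        data = LAYERS[name](data)
    return data
```

No secret is involved at any step, which is why the encoded file protects the credentials no better than the plain one.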
MOB
Posts: 54
Joined: Sat May 10, 2008 9:51 am

Re: Encode hesk_settings.inc.php

Post by MOB »

Sorry for resurrecting an old thread, but it relates to my question.

I don't have a problem that hesk_settings.inc.php has the login for the MySQL database, since it's also a common process for phpbb based forums under the config.php file.

But what now concerns me is the password we provide in the email portion of Hesk Desk (see below).


// ==> EMAIL

// --> Email sending
$hesk_settings['smtp']=0;
$hesk_settings['smtp_host_name']='localhost';
$hesk_settings['smtp_host_port']=25;
$hesk_settings['smtp_timeout']=20;
$hesk_settings['smtp_ssl']=0;
$hesk_settings['smtp_tls']=0;
$hesk_settings['smtp_user']='';
$hesk_settings['smtp_password']='';

// --> POP3 Fetching
$hesk_settings['pop3']=0;
$hesk_settings['pop3_host_name']='mail.domain.com';
$hesk_settings['pop3_host_port']=110;
$hesk_settings['pop3_tls']=0;
$hesk_settings['pop3_keep']=0;
$hesk_settings['pop3_user']='';
$hesk_settings['pop3_password']='';
Shouldn't this information be best kept in the database and not this file? This way if our site gets scraped, that file doesn't find itself with hackers?
Klemen
Site Admin
Posts: 10135
Joined: Fri Feb 11, 2005 4:04 pm

Re: Encode hesk_settings.inc.php

Post by Klemen »

Well if an attacker can access the source of your files he should have no problems connecting to the database as well :wink:

The good news is I do plan to move most settings into the DB. Email account data will definitely go into the database as I will be adding support for several email accounts in the future.
MOB
Posts: 54
Joined: Sat May 10, 2008 9:51 am

Re: Encode hesk_settings.inc.php

Post by MOB »

I was wondering if it would be safe to htaccess protect the following?

.htaccess - place on the root of hesk desk


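# Block direct web access to the settings file
<Files "hesk_settings.inc.php">
Order Allow,Deny
Deny from All
</Files>

# <Files> matches on the file name only, so no directory prefix is used here
<Files "common.inc.php">
Order Allow,Deny
Deny from All
</Files>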
And to also place a .htaccess with the following in the attachments directory?


<Files *>
	Order Allow,Deny
	Deny from All
</Files>
Also, I notice your phpbb3 forum the active topics isn't working--I get a blank page. I was wondering if you need to run a fix to make that setting work? I had to do it on mine when I upgraded from phpBB2 on my sites. Here is the solution: https://www.phpbb.com/community/viewtop ... &t=1902325
Klemen
Site Admin
Posts: 10135
Joined: Fri Feb 11, 2005 4:04 pm

Re: Encode hesk_settings.inc.php

Post by Klemen »

Sure, protecting it with htaccess should indeed work.

Thanks for the heads up about active topics, has been fixed!
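The file-level measures discussed in this thread (settings file at 644, `<Files>` deny rules, an .htaccess in the admin and attachments folders) can be checked on disk with a short script. This is an added example, not part of HESK or of any post above; the function names are hypothetical, the directory names `admin` and `attachments` are taken from the posts, and the check for `admin` only confirms that an .htaccess file exists. It also flags any `<Files>` name containing a directory separator, because Apache compares `<Files>` against the file name alone.

```python
import os
import re
import stat

FILES_BLOCK = re.compile(r'<Files\s+"?([^">\s]+)"?\s*>(.*?)</Files>', re.I | re.S)
# Accept the 2.2-style rule used in the thread and the 2.4-style equivalent.
DENY = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)

def denied_names(htaccess_path):
    """Return (names denied by <Files> blocks, names that can never match)."""
    denied, unmatched = set(), set()
    if not os.path.isfile(htaccess_path):
        return denied, unmatched
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for name, body in FILES_BLOCK.findall(text):
        if "/" in name:
            unmatched.add(name)  # <Files> is compared with the file name only
        elif DENY.search(body):
            denied.add(name)
    return denied, unmatched

def audit(root):
    """List hardening gaps in a HESK install rooted at `root` (assumed layout)."""
    findings = []
    settings = os.path.join(root, "hesk_settings.inc.php")
    mode = stat.S_IMODE(os.stat(settings).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"settings file mode is {mode:o}, expected 644")
    denied, unmatched = denied_names(os.path.join(root, ".htaccess"))
    if "hesk_settings.inc.php" not in denied:
        findings.append("root .htaccess does not deny hesk_settings.inc.php")
    for name in sorted(unmatched):
        findings.append(f'<Files "{name}"> contains a path and will not match')
    att_denied, _ = denied_names(os.path.join(root, "attachments", ".htaccess"))
    if "*" not in att_denied:
        findings.append("attachments/.htaccess does not deny all files")
    if not os.path.isfile(os.path.join(root, "admin", ".htaccess")):
        findings.append("admin/ has no .htaccess")
    return findings
```

Running `audit()` after each settings change catches the case where the file was switched to 666 for editing and never switched back.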