
Encode hesk_settings.inc.php

Posted: Fri May 18, 2012 2:45 pm
by JFMichaud
Hi, is it a good idea to "encode" the portion of hesk_settings.inc.php that refers to the database settings?

/* --> Database settings*/
$hesk_settings['db_host']='localhost';
$hesk_settings['db_name']='blabla';
$hesk_settings['db_user']='blabla';
$hesk_settings['db_pass']='blabla';
$hesk_settings['db_pfix']='hesk_';


eval(gzinflate(str_rot13(base64_decode(.....))));

Possible? Useless? Priceless? :)

Re: Encode hesk_settings.inc.php

Posted: Fri May 18, 2012 5:27 pm
by Klemen
This would add absolutely nothing to security if that's what you are after.

What you can do to really increase security is:
- htaccess-protect the "admin" folder
- use a dedicated database and database user for Hesk (don't use a database/user that the rest of your site uses)
- chmod the settings file to 644 and only change it to 666 when you need to modify any settings
- make sure you keep Hesk up to date with versions and patches. The best way to check that is with the "Check for updates" link in your HESK admin panel under "Settings"
- make sure your server is secure, with up to date software
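The wrapper proposed in the first post, eval(gzinflate(str_rot13(base64_decode(...)))), rebuilt in Python as an added example (not code from the thread or from the HESK project) so the round trip is visible: every step is a public, keyless function, so anyone who can read the file reverses it with the same three calls in the opposite order. The settings text is a constructed sample with placeholder values; the function names are this example's own.

```python
import base64
import codecs
import re
import zlib
from typing import Optional

# Constructed stand-in for the database block of hesk_settings.inc.php.
SETTINGS_PHP = (
    "$hesk_settings['db_host']='localhost';\n"
    "$hesk_settings['db_name']='blabla';\n"
    "$hesk_settings['db_user']='blabla';\n"
    "$hesk_settings['db_pass']='blabla';\n"
    "$hesk_settings['db_pfix']='hesk_';\n"
)


def php_gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE stream, as PHP's gzdeflate() emits (no zlib or gzip header)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def php_gzinflate(data: bytes) -> bytes:
    """Inverse of php_gzdeflate, matching PHP's gzinflate()."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def php_str_rot13(data: bytes) -> bytes:
    """PHP's str_rot13 shifts only the ASCII letters and leaves every other
    byte alone; Python's rot13 codec on a latin-1 view of the bytes does the same."""
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")


def obfuscate(php_source: str) -> str:
    """Build the blob that would sit inside base64_decode(...) in the one-liner."""
    return base64.b64encode(php_str_rot13(php_gzdeflate(php_source.encode()))).decode()


def deobfuscate(blob: str) -> str:
    """What anyone with read access to the file does: the same three calls in
    reverse order. In PHP itself it is even shorter: replace eval( with echo (."""
    return php_gzinflate(php_str_rot13(base64.b64decode(blob))).decode()


def extract_db_pass(php_source: str) -> Optional[str]:
    """Pull the db_pass value out of recovered settings source."""
    m = re.search(r"\$hesk_settings\['db_pass'\]='([^']*)';", php_source)
    return m.group(1) if m else None


if __name__ == "__main__":
    blob = obfuscate(SETTINGS_PHP)
    print("wrapped blob starts with:", blob[:40] + "...")
    print("db_pass recovered:", extract_db_pass(deobfuscate(blob)))
```

The blob no longer contains the literal string "db_pass", which is the only thing the wrapper buys; the moment the file is readable (a leaked backup, a directory-traversal bug elsewhere on the host, a misconfigured web server serving .php as text), the credentials are one function call away.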

Re: Encode hesk_settings.inc.php

Posted: Wed Dec 11, 2013 6:09 am
by MOB
Sorry for resurrecting an old thread, but it relates to my question.

I don't have a problem that hesk_settings.inc.php has the login for the MySQL database, since it's also a common process for phpBB-based forums under the config.php file.

But what now concerns me is the password we provide in the email portion of Hesk Desk (see below).


// ==> EMAIL

// --> Email sending
$hesk_settings['smtp']=0;
$hesk_settings['smtp_host_name']='localhost';
$hesk_settings['smtp_host_port']=25;
$hesk_settings['smtp_timeout']=20;
$hesk_settings['smtp_ssl']=0;
$hesk_settings['smtp_tls']=0;
$hesk_settings['smtp_user']='';
$hesk_settings['smtp_password']='';

// --> POP3 Fetching
$hesk_settings['pop3']=0;
$hesk_settings['pop3_host_name']='mail.domain.com';
$hesk_settings['pop3_host_port']=110;
$hesk_settings['pop3_tls']=0;
$hesk_settings['pop3_keep']=0;
$hesk_settings['pop3_user']='';
$hesk_settings['pop3_password']='';
Wouldn't it be best to keep this information in the database rather than in this file? That way, if our site gets scraped, that file doesn't end up in the hands of hackers?

Re: Encode hesk_settings.inc.php

Posted: Wed Dec 11, 2013 7:13 pm
by Klemen
Well, if an attacker can access the source of your files, he should have no problems connecting to the database as well :wink:

The good news is I do plan to move most settings into the DB. Email account data will definitely go into the database as I will be adding support for several email accounts in the future.

Re: Encode hesk_settings.inc.php

Posted: Fri Dec 13, 2013 5:57 am
by MOB
I was wondering if it would be safe to htaccess protect the following?

.htaccess - place in the root of Hesk Desk


<Files "hesk_settings.inc.php">
Order Allow,Deny
Deny from All
</Files>

# <Files> matches the file name only, never a path, so "inc/common.inc.php"
# would not match anything. A .htaccess in the HESK root also applies to its
# subdirectories, so the bare name below covers inc/common.inc.php.
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of
# the Order/Deny pair.
<Files "common.inc.php">
Order Allow,Deny
Deny from All
</Files>
And to also place a .htaccess with the following in the attachments directory?


<Files *>
	Order Allow,Deny
	Deny from All
</Files>
Also, I notice your phpBB3 forum's active topics isn't working--I get a blank page. I was wondering if you need to run a fix to make that setting work? I had to do it on mine when I upgraded from phpBB2 on my sites. Here is the solution: https://www.phpbb.com/community/viewtop ... &t=1902325
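An offline audit of a HESK directory against the hardening points raised in this thread (Klemen's list: a dedicated database user, a settings file that is not world-writable, a protected admin folder; and the .htaccess blocks in the post above for hesk_settings.inc.php and the attachments directory). This is an added example, not HESK project code: the directory layout, the treatment of "root" or an empty db_user as a shared account, and the throwaway fixture tree are this example's own assumptions. It also flags the one trap in the posted .htaccess: a <Files> directive written with a path component matches nothing.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

SETTINGS_FILE = "hesk_settings.inc.php"
DENY_WORDS = ("deny from all", "require all denied")  # Apache 2.2 and 2.4 forms


def htaccess_denies(htaccess_text: str, name: str) -> bool:
    """True if a <Files "name"> block in this .htaccess denies all access."""
    block = re.compile(r'<Files\s+"?' + re.escape(name) + r'"?\s*>(.*?)</Files>',
                       re.IGNORECASE | re.DOTALL)
    return any(w in m.group(1).lower()
               for m in block.finditer(htaccess_text) for w in DENY_WORDS)


def files_with_path_component(htaccess_text: str) -> list:
    """<Files> matches the basename only, so a directive such as
    <Files "inc/common.inc.php"> silently matches nothing; report those."""
    names = re.findall(r'<Files\s+"?([^">\s]+)"?', htaccess_text, re.IGNORECASE)
    return [n for n in names if "/" in n]


def audit_hesk(root) -> list:
    """Return a list of findings; an empty list means every check passed."""
    root = Path(root)
    findings = []
    settings = root / SETTINGS_FILE
    if not settings.is_file():
        return [f"{SETTINGS_FILE} not found under {root}"]

    mode = stat.S_IMODE(settings.stat().st_mode)
    if mode & stat.S_IWOTH:
        findings.append(f"{SETTINGS_FILE} is world-writable (mode {mode:o}); use 644")

    m = re.search(r"\$hesk_settings\['db_user'\]='([^']*)';", settings.read_text())
    if m is None or m.group(1) in ("", "root"):  # assumption: shared/super accounts
        findings.append("db_user is empty or root; give HESK its own database user")

    root_ht = root / ".htaccess"
    ht_text = root_ht.read_text() if root_ht.is_file() else ""
    if not htaccess_denies(ht_text, SETTINGS_FILE):
        findings.append(f"root .htaccess does not deny web access to {SETTINGS_FILE}")
    for bad in files_with_path_component(ht_text):
        findings.append(f'<Files "{bad}"> has a path component and will never match')

    if not (root / "admin" / ".htaccess").is_file():
        findings.append("admin/ has no .htaccess (no password protection)")

    att_ht = root / "attachments" / ".htaccess"
    if not (att_ht.is_file() and htaccess_denies(att_ht.read_text(), "*")):
        findings.append("attachments/ is not deny-all")
    return findings


def build_fixture(hardened: bool) -> str:
    """Constructed throwaway tree (not a real install) in a hardened and an
    unhardened state, so the audit can be run offline."""
    d = Path(tempfile.mkdtemp(prefix="hesk_audit_"))
    (d / "admin").mkdir()
    (d / "attachments").mkdir()
    settings = d / SETTINGS_FILE
    settings.write_text("$hesk_settings['db_user']='%s';\n" % ("hesk" if hardened else "root"))
    os.chmod(settings, 0o644 if hardened else 0o666)
    if hardened:
        (d / ".htaccess").write_text(
            '<Files "hesk_settings.inc.php">\nRequire all denied\n</Files>\n'
            '<Files "common.inc.php">\nRequire all denied\n</Files>\n')
        (d / "admin" / ".htaccess").write_text(
            'AuthType Basic\nAuthName "HESK admin"\nRequire valid-user\n')
        (d / "attachments" / ".htaccess").write_text(
            "<Files *>\nRequire all denied\n</Files>\n")
    else:
        # The path-component mistake from the posted snippet.
        (d / ".htaccess").write_text(
            '<Files "inc/common.inc.php">\nOrder Allow,Deny\nDeny from All\n</Files>\n')
    return str(d)


if __name__ == "__main__":
    for state in (True, False):
        print("hardened" if state else "unhardened", audit_hesk(build_fixture(state)))
```

Point the script at a real install with audit_hesk("/var/www/hesk") once the fixture run looks right; the checks only read files and never modify anything.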

Re: Encode hesk_settings.inc.php

Posted: Fri Dec 13, 2013 2:53 pm
by Klemen
Sure, protecting it with htaccess should indeed work.

Thanks for the heads up about active topics, has been fixed!