Somewhat security risk

Everything related to GBook PHP guestbook
Davefox
Posts: 1
Joined: Wed Aug 05, 2015 9:37 pm

Somewhat security risk

Post by Davefox »

Well, I was trying out your guestbook script and it is up and running on my website now. But I discovered something of a security risk:

The file entries.txt is accessible by the client, thus allowing it to read protected messages as well as the banned IP list.

So I created the following .htaccess file to solve this problem:

Code:

#Sets the directory index to the main script so index.php is not needed
DirectoryIndex gbook.php

#Deny access to some files
<Files "banned_ip.txt">
     Order allow,deny
     Deny from all
</Files>
<Files "settings.php">
     Order allow,deny
     Deny from all
</Files>
<Files "entries.txt">
     Order allow,deny
     Deny from all
</Files>

Hope this helps for rolling out an update
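
To confirm that the deny rules above are actually in effect, the following check (an added example, not part of the original post or of GBook) requests the three files named in the .htaccess and reports whether the server still serves them. The base URL given on the command line is assumed to be your own GBook directory; `audit` and `http_status` are names chosen for this example.

```python
"""Check that GBook's data files are not served to web clients."""
import sys
import urllib.error
import urllib.request

# File names taken from the .htaccess rules in the post above.
PROTECTED = ("entries.txt", "banned_ip.txt", "settings.php")


def http_status(url, timeout=5.0):
    """Return the HTTP status for a GET of url, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 4xx/5xx arrive as exceptions
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def audit(base_url, names=PROTECTED, fetch=http_status):
    """Map each file name to (status, verdict) for the install at base_url."""
    base = base_url.rstrip("/") + "/"
    report = {}
    for name in names:
        status = fetch(base + name)
        if status is None:
            verdict = "unreachable"
        elif 200 <= status < 300:
            verdict = "EXPOSED"          # server answered with content
        elif status in (401, 403, 404):
            verdict = "blocked"
        else:
            verdict = "review"           # e.g. 500 when the server rejects a directive
        report[name] = (status, verdict)
    return report


if __name__ == "__main__":
    # Usage: python check_gbook.py https://example.org/gbook  (your own site)
    results = audit(sys.argv[1])
    for name, (status, verdict) in results.items():
        print(f"{verdict:11} {status}  {name}")
    sys.exit(1 if any(v == "EXPOSED" for _, v in results.values()) else 0)
```

The script exits non-zero when any of the files is still served, so it can run after each deployment or configuration change.
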
Klemen
Site Admin
Posts: 10114
Joined: Fri Feb 11, 2005 4:04 pm

Re: Somewhat security risk

Post by Klemen »

What you can also do is change the name of the entries.txt file to something "hard to guess":

d32fu8u34oiufogu093idusdf980digsdru3.txt

Then in settings.php change

Code:

$settings['logfile']='entries.txt';

to

Code:

$settings['logfile']='d32fu8u34oiufogu093idusdf980digsdru3.txt';

Klemen, creator of HESK and PHPJunkyard