Somewhat security risk

Posted: Wed Aug 05, 2015 9:42 pm
by Davefox
Well I was trying out your guestbook script and it is up and running on my website now. But I discovered something, a sort of security risk:

The file entries.txt is accessible by the client, thus allowing anyone to read protected messages as well as the banned IP list.

So I created the following htaccess file to solve this problem:

#Sets the directory index to the main script so index.php is not needed
DirectoryIndex gbook.php

#Deny access to some files
#(Order/Deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" inside each <Files> block)
<Files "banned_ip.txt">
     Order allow,deny
     Deny from all
</Files>
<Files "settings.php">
     Order allow,deny
     Deny from all
</Files>
<Files "entries.txt">
     Order allow,deny
     Deny from all
</Files>
Hope this helps for rolling out an update.

Re: Somewhat security risk

Posted: Thu Aug 06, 2015 7:46 am
by Klemen
What you can also do is change the name of the entries.txt file to something "hard to guess":

d32fu8u34oiufogu093idusdf980digsdru3.txt

Then in settings.php change

$settings['logfile']='entries.txt';
to

$settings['logfile']='d32fu8u34oiufogu093idusdf980digsdru3.txt';
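A post-deploy check covering both replies above, added here as an example and not part of the thread or the guestbook script: it fetches each data file the thread names (including the renamed log file, used as a placeholder for whatever settings['logfile'] holds) and reports any that the server still serves with content, which is what happens when the .htaccess is ignored (for example because AllowOverride is off) or the renamed file is simply not covered by a deny rule. BASE_URL and the fetch function are assumptions; the fetch is injectable so the logic can be exercised offline.

```python
"""Verify that the guestbook's data files are not readable over HTTP.

Added example; not code from the forum thread or the guestbook project.
"""
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# Files the thread identifies as sensitive. The long name stands in for the
# "hard to guess" log file name chosen in settings.php (placeholder value).
SENSITIVE_FILES = [
    "entries.txt",
    "banned_ip.txt",
    "settings.php",
    "d32fu8u34oiufogu093idusdf980digsdru3.txt",
]


def http_fetch(url, timeout=10):
    """Return (status, body); 4xx/5xx are returned, not raised."""
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()
    except URLError:
        return None, b""  # host unreachable; reported as its own verdict


def classify(status, body):
    """Map one HTTP response to a verdict for a sensitive path."""
    if status is None:
        return "unreachable"
    if status in (401, 403, 404):
        return "blocked"  # deny rule (or absence of the file) is in effect
    if status == 200 and body.strip():
        return "EXPOSED"  # served with content: the deny rule is not working
    return "check-manually"  # e.g. 200 with empty body (settings.php executed)


def check_exposure(base_url, files=SENSITIVE_FILES, fetch=http_fetch):
    """Return {filename: verdict} for every sensitive file under base_url."""
    base = base_url.rstrip("/") + "/"
    return {name: classify(*fetch(base + name)) for name in files}


def exposed(results):
    """Names of files that came back readable, sorted for stable reporting."""
    return sorted(name for name, verdict in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    import sys
    BASE_URL = sys.argv[1] if len(sys.argv) > 1 else "http://localhost/guestbook/"  # placeholder
    for name, verdict in check_exposure(BASE_URL).items():
        print(f"{verdict:15} {name}")
```

Run it after applying the .htaccess (or after renaming the log file) and again whenever the server configuration changes; every line should read "blocked" or "check-manually".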