The Joomla! Forum ™
PostPosted: Wed Dec 13, 2006 10:23 pm 
Overview

This great tip comes from a post by friesengeist.

One challenge in Joomla! is ensuring that certain PHP files in public_html containing executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 and Apache.org, strongly recommend against keeping vulnerable files and confidential data inside public_html at all. The following method seems to be the simplest and most elegant way to protect read-only files that, for whatever reason, must be stored in public_html. In this example we protect configuration.php, perhaps the most confidential file of any Joomla! site.

Directions

1. Move configuration.php to a safe directory outside of public_html and rename it to whatever you want. We use the name joomla.conf in this example.

2. Create a new configuration.php file containing only the following code:
Code:
<?php
require( dirname( __FILE__ ) . '/../joomla.conf' );
?>

Do not include blank lines above the PHP start tag "<?php". Such blank lines will trigger the infamous "headers already sent" error, e.g.:

Code:
Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxx/public_html/configuration.php:2) in /home/xxxxx/public_html/index.php on line 250



3. Make sure this new configuration.php is not writable at all, so that it cannot be overwritten by com_config.

4. If you need to change configuration settings, do it manually in the relocated joomla.conf.

Note: Using this method, even if the Web server somehow serves PHP files as plain text, for example due to a misconfiguration, a visitor sees only the stub and nobody can see the contents of the real configuration file.


Keywords: FAQ, security, config, configuration, configuration.php, public_html, web_root, secure files

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com


Last edited by rliskey on Wed Jan 24, 2007 1:30 am, edited 1 time in total.
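As an added example (not code from the original post), a POSIX shell function that carries out steps 1 to 3 above and verifies the result. It goes slightly beyond the post: the stub is written with the absolute path of the relocated file instead of the `/../joomla.conf` form, so the safe directory need not be the parent of public_html, and the closing `?>` is left out so no trailing whitespace can be emitted before headers are sent. The function name, argument layout and default file name are assumptions.

```shell
#!/bin/sh
# relocate_config <public_html> <safe_dir> [name]   (hypothetical helper)
# Moves <public_html>/configuration.php to <safe_dir>/<name> (default
# joomla.conf), writes a read-only stub in its place and checks the result.
relocate_config() {
    docroot="$1"; safe_dir="$2"; name="${3:-joomla.conf}"
    src="$docroot/configuration.php"

    [ -f "$src" ] || { echo "no $src" >&2; return 1; }
    [ -d "$safe_dir" ] || { echo "no directory $safe_dir" >&2; return 1; }

    abs_docroot="$(cd "$docroot" && pwd -P)"
    abs_safe="$(cd "$safe_dir" && pwd -P)"
    dst="$abs_safe/$name"

    # Refuse a "safe" directory that is still inside the web root.
    case "$abs_safe/" in
        "$abs_docroot/"*) echo "safe_dir is inside the web root" >&2; return 1 ;;
    esac

    # Step 1: relocate the real configuration; readable, never writable.
    mv "$src" "$dst"
    chmod 0440 "$dst"

    # Step 2: the stub. First byte is the open tag, and there is no closing
    # tag, so nothing can be output before headers are sent.
    printf '%s\n' '<?php' "require( '$dst' );" > "$src"

    # Step 3: the stub itself must not be writable (com_config cannot replace it).
    chmod 0444 "$src"

    # Verify: the stub starts with the open tag and carries read-only mode bits.
    [ "$(head -n 1 "$src")" = '<?php' ] || return 1
    [ "$(ls -ld "$src" | cut -c1-10)" = '-r--r--r--' ] || return 1
    return 0
}
```

Run it as e.g. `relocate_config /home/user/public_html /home/user/private`; the mode check reads the permission bits rather than testing writability, which would be misleading when run as root.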
