Protecting configuration.php [SOLVED]

Moderators: cicans, TheHacker

Leftfield
Joomla! Virtuoso
Posts: 4432
Joined: Fri Dec 08, 2006 3:33 am

Protecting configuration.php [SOLVED]

Post by Leftfield » Sat Jun 02, 2007 9:47 am

How stable is this component -> Protect Configuration File, and how much can it help?

I tried it on one site and it does the job. On another site I manually changed the name of configuration.php and all the calls to it.
But knowing what security in PHP itself is like, how much sense does it make to change the name of configuration.php?

Which is the better way?
Last edited by Leftfield on Sat Jun 02, 2007 1:19 pm, edited 1 time in total.
Joomla Templates and Plugins https://youjoomla.com/

emav
Joomla! Intern
Posts: 58
Joined: Fri Nov 03, 2006 7:39 pm
Location: Thessaloniki, Greece

Re: Protecting configuration.php

Post by emav » Sat Jun 02, 2007 11:09 am

I'm afraid I don't speak Serbian but I'll try to answer your first question which I think I understood (I speak a little bit of Bulgarian). Hopefully, you can understand English.

So far, no serious bug has been reported. Actually, the only bug report that appears on joomlacode.com does not have to do with the component per se but with ownership issues on the user's server. However, as the component itself warns during installation, backing up your site is recommended to avoid any problems (just in case I have missed something while writing the code).

It does offer some degree of protection against direct attacks on your configuration file. At least, it's not left lying where any hacker would expect it to be and you can change its permissions any time you like. So, actually, the component automates a security procedure that has previously been proposed on this forum and facilitates the manipulation of your configuration file making it writable when you need to change some configuration options but keeping it unwritable otherwise. It is not a foolproof mechanism against all kinds of attacks but it certainly helps.

Please, note that you need to use the "restore" option any time you need to install a new extension and "protect" your configuration file again afterwards.

BSD
Joomla! Ace
Posts: 1948
Joined: Thu Aug 18, 2005 8:32 am
Location: Belgrade, Serbia

Re: Protecting configuration.php

Post by BSD » Sat Jun 02, 2007 11:53 am

Thanks for the info, emav. :)

One of the nice solutions for protecting the config file, in Joomla! as well as in other software, is moving it to a directory that is not part of the web root. That way it is practically impossible to execute the config file, and yet the system will work just fine. :)
Marko Milenović
Member of the Serbian Joomla! Translation Team
http://www.joomla-serbia.com/

Leftfield
Joomla! Virtuoso
Posts: 4432
Joined: Fri Dec 08, 2006 3:33 am

Re: Protecting configuration.php

Post by Leftfield » Sat Jun 02, 2007 12:46 pm

@emav

Thanks, you understand Serbian well :)
Helpful answer about bugs, because there is not so much description about it on the extension page.

Thanks again.

@BSD

To tell you the truth, I was skeptical about this component, but it works quite decently :) admittedly on only one site.
I was just afraid of bugs.
Joomla Templates and Plugins https://youjoomla.com/

BSD
Joomla! Ace
Posts: 1948
Joined: Thu Aug 18, 2005 8:32 am
Location: Belgrade, Serbia

Re: Protecting configuration.php [SOLVED]

Post by BSD » Sat Jun 02, 2007 1:56 pm

Well, it's enough that it's written in PHP... that in itself is already a bug. :D
Marko Milenović
Member of the Serbian Joomla! Translation Team
http://www.joomla-serbia.com/

Vrlo Jak Tim
Joomla! Hero
Posts: 2319
Joined: Mon Nov 07, 2005 12:58 am
Location: Bar, Crna Gora

Re: Protecting configuration.php

Post by Vrlo Jak Tim » Sat Jun 02, 2007 4:18 pm

emav wrote: Actually, the only bug report that appears on joomlacode.com does not have to do with the component per se but with ownership issues on the user's server.
How to override this problem? I have web site uploaded by FTP, too. After successful installation, component is not working.
I don't want to play around with permissions of any folder, digging for solution.
Do you have it?

Tnx

EDIT: 30 minutes later... :)
After a few unsuccessful attempts to do something with the configuration.php file, I experienced problems on the live site.
Namely, I tried to move (thru component) configuration.php into another folder. Result was - warning: Unable to create folder.
When I tried to remove configuration.php manually, to new folder, result was the same (warning).

Web site was not working well, indicating problem with path to configuration.php file.
I put manually configuration.php into new directory (according to the path in error warning), and now everything works fine.

What to do next? To not touch anything (my favourite! :) ) because site is working fine, or to try to restore configuration.php...
Two beers, or not two beers...
Last edited by Vrlo Jak Tim on Sat Jun 02, 2007 4:48 pm, edited 1 time in total.
Dragan Djordjevic
Member of Joomla! Montenegrin Translation Team
http://www.joomlamontenegro.com

emav
Joomla! Intern
Posts: 58
Joined: Fri Nov 03, 2006 7:39 pm
Location: Thessaloniki, Greece

Re: Protecting configuration.php

Post by emav » Sat Jun 02, 2007 4:32 pm

Vrlo Jak Tim wrote:How to override this problem? I have web site uploaded by FTP, too. After successful installation, component is not working.
I don't want to play around with permissions of any folder, digging for solution.
Do you have it?
For the time being, you can only do the necessary changes manually. However, I'm currently preparing version 2 of Protect Configuration File which will offer options to automatically change the permissions and ownerships of all files in the Joomla! folder and its subfolders. Stay tuned!

Vrlo Jak Tim
Joomla! Hero
Posts: 2319
Joined: Mon Nov 07, 2005 12:58 am
Location: Bar, Crna Gora

Re: Protecting configuration.php [SOLVED]

Post by Vrlo Jak Tim » Sat Jun 02, 2007 5:23 pm

Tnx for prompt answer!
Now, would you be so kind to help me with another issue. I want to restore original location/name for configuration.php.

I have two configuration.php files. One is in the root, let's call it "old" file. Another, "new" file is in folder I created manually. Web site is running fine.

I tried to Restore configuration.php thru component, but without success. (Normally, there IS configuration.php - "old" one).
I renamed "old" file, and then tried to apply Restore. Again, without success.

I left "old" file renamed - web site is not working, attempting to install Joomla (looking for "Installation" folder).

So... wondering now... what will happen if I try to install component which is calling itself to configuration.php file?

My configuration:
Joomla 1.0.12
PHP 4.x
MySQL 5.x
SMF Bridge 1.1.7 (Orstio's bridge)
Dragan Djordjevic
Member of Joomla! Montenegrin Translation Team
http://www.joomlamontenegro.com

emav
Joomla! Intern
Posts: 58
Joined: Fri Nov 03, 2006 7:39 pm
Location: Thessaloniki, Greece

Re: Protecting configuration.php [SOLVED]

Post by emav » Sat Jun 02, 2007 6:36 pm

Vrlo Jak Tim wrote:I have two configuration.php files. One is in the root, let's call it "old" file. Another, "new" file is in folder I created manually. Web site is running fine.
Let me see if I got this right. Do you mean that you want to switch from one configuration file to the other on the fly? Or do you simply want to dump the old file and use the new one from now on?
Vrlo Jak Tim wrote:I tried to Restore configuration.php thru component, but without success. (Normally, there IS configuration.php - "old" one).
Here's how the component works. It first checks what's the current name of the configuration file. If you choose to change the name or the location of your configuration file, the component attempts to copy the file to the new location/name and then update all other files in your Joomla! folder that refer to configuration.php with the new location/name. If all ends well, the old configuration file is deleted and a success message is displayed. If it fails, all changes are reversed to avoid breaking your site.

Naturally, the "restore" option can only be used if configuration.php is missing. If it's there or there are references to it in your joomla core files, no changes can be made.
Vrlo Jak Tim wrote:I renamed "old" file, and then tried to apply Restore. Again, without success.

I left "old" file renamed - web site is not working, attempting to install Joomla (looking for "Installation" folder).

So... wondering now... what will happen if I try to install component which is calling itself to configuration.php file?
As I mentioned in my previous message, if you decide to install a new extension (that includes a reference to configuration.php) after renaming/moving your configuration file, you should use the "restore" option before installing it. You can rename/move your configuration file immediately afterwards. Even if you forget though, that shouldn't be a problem. Just use "restore" and your new extension will be functional in no time.

But, as I already said above, I'm not sure I understood exactly what you are trying to do. Please, elaborate further.
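
The copy, update, delete-or-reverse procedure described in the post above, as an added example that is not the Protect Configuration File component's own code: it runs every check before the first write, so an "unable to create folder" failure leaves the site untouched. The function names, the PHP 5.3+ requirement, the placeholder paths and the plain string replacement of references are assumptions.

```php
<?php
// Added example; not the component's code. Assumes PHP 5.3+ and CLI use.

// Every *.php file under $root whose text contains $needle.
function files_referencing($root, $needle) {
    $hits = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        $p = $f->getPathname();
        if ($f->isFile() && strtolower(substr($p, -4)) === '.php'
            && strpos((string) file_get_contents($p), $needle) !== false) {
            $hits[] = $p;
        }
    }
    return $hits;
}

// Move $root/$old to $root/$new and rewrite references to it.
// $root has no trailing slash. Returns true, or an error string
// after leaving the tree as it was.
function move_config($root, $old, $new) {
    $src = "$root/$old";
    $dst = "$root/$new";
    $dir = dirname($dst);

    // Pre-flight: all checks happen before the first write.
    if (!is_file($src))    return "missing $old";
    if (file_exists($dst)) return "target already exists";
    $refs = array_diff(files_referencing($root, $old), array($src));
    foreach ($refs as $f) {
        if (!is_writable($f)) return "not writable: $f";
    }
    if (!is_dir($dir) && !@mkdir($dir, 0755, true)) return "unable to create folder";
    if (!@copy($src, $dst)) return "copy failed";

    $done = array();                        // path => original contents
    foreach ($refs as $f) {
        $done[$f] = file_get_contents($f);
        $ok = file_put_contents($f, str_replace($old, $new, $done[$f]));
        if ($ok === false) {
            foreach ($done as $p => $c) file_put_contents($p, $c); // roll back
            unlink($dst);
            return "update failed, rolled back: $f";
        }
    }
    unlink($src);                           // old file goes last
    chmod($dst, 0444);                      // read-only until the next config change
    return true;
}

// Constructed usage, run from outside the tree so this script is not rewritten:
// var_dump(move_config('/path/to/site', 'configuration.php', 'private/configuration.php'));
```

Because the old file is deleted last and a second run stops at "missing" or "target already exists", applying the procedure twice cannot stack one rewritten path on top of another.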

Vrlo Jak Tim
Joomla! Hero
Posts: 2319
Joined: Mon Nov 07, 2005 12:58 am
Location: Bar, Crna Gora

Re: Protecting configuration.php [SOLVED]

Post by Vrlo Jak Tim » Sat Jun 02, 2007 7:15 pm

emav wrote: Let me see if I got this right. Do you mean that you want to switch from one configuration file to the other on the fly? Or do you simply want to dump the old file and use the new one from now on?
I want to switch back to original configuration.php file.
I can do it using backup, but it will be so easy :)
emav wrote: As I mentioned in my previous message, if you decide to install a new extension (that includes a reference to configuration.php) after renaming/moving your configuration file, you should use the "restore" option before installing it. You can rename/move your configuration file immediately afterwards. Even if you forget though, that shouldn't be a problem. Just use "restore" and your new extension will be functional in no time.
The problem is that in this case, in my case, this component is not working. I installed it regularly, but it is not working well. And... it caused some confusion in my files. It works... let me say, half. For the web site to work properly, I must use the original configuration.php (it is in the root), together with the "new" configuration.php, which I stored manually in the new folder.

Why manually, and why new folder?
Because web site didn't work properly. My best guess is that component made changes to all Joomla files referring to original configuration.php, but failed to move it to new location. So, I moved it manually, and now I have two configuration.php files.
One on original location, other one on new location.
If I remove old one - web site is not working, calling me for Joomla installation.
If I remove new one - web site is not working, because "other files" are referencing to new location of configuration.php.

So... excuse me for my English. Hope you got it now.

How to get rid of new configuration.php, when Restore option is not working?
How to restore files into previous state, without using backup.
(Don't worry too much, I have got my backups :) )
Dragan Djordjevic
Member of Joomla! Montenegrin Translation Team
http://www.joomlamontenegro.com

emav
Joomla! Intern
Posts: 58
Joined: Fri Nov 03, 2006 7:39 pm
Location: Thessaloniki, Greece

Re: Protecting configuration.php [SOLVED]

Post by emav » Sat Jun 02, 2007 9:06 pm

Vrlo Jak Tim wrote:I want to switch back to original configuration.php file.
I can do it using backup, but it will be so easy :)
True! And we wouldn't learn anything from it, would we?  :laugh:
Vrlo Jak Tim wrote:So... excuse me for my English. Hope you got it now.
Yep, I see now.
Vrlo Jak Tim wrote:How to get rid of new configuration.php, when Restore option is not working?
How to restore files into previous state, without using backup.
(Don't worry too much, I have got my backups :) )
Do you receive an error message when using "restore"? Did you receive any warnings when you renamed your configuration file?

Please, create a check.php file in your root folder with the following content:

Code:

<?php
// Diagnostic only: delete check.php from the web root after use,
// because it prints matching source lines to anyone who requests it.

$find = 'configuration.php';

$path = realpath('.') . '/';

// Lines that start with one of these strings are skipped
$exclude = array('/*No search here!*/');

foreach ( get_file_list( $path ) as $file ) {
	if ( $found = search( $file, $exclude, $find ) ) {
		echo "<b>" . htmlentities( $file ) . "</b><br />";
		foreach ( $found as $item ) {
			echo $item;
		}
		echo "<br /><br />";
	}
}

exit;

// Recursively collect the full paths of all .php files below $path
function get_file_list($path) {
	$file_list = array();

	$handle = opendir($path);
	if ( !$handle ) {
		return $file_list; // unreadable directory: skip it
	}
	// Compare against false so an entry named "0" does not end the loop
	while ( ($file = readdir($handle)) !== false ) {
		if ( $file === '.' or $file === '..' ) {
			continue;
		}
		$fullfile = $path . $file;
		if ( is_dir($fullfile) ) {
			$file_list = array_merge( $file_list, get_file_list($fullfile . '/') );
		}
		elseif ( is_file($fullfile) && strtolower(substr($fullfile, -4)) == '.php' ) {
			$file_list[] = $fullfile;
		}
	}
	closedir($handle);
	return $file_list;
}

// Return the lines of $filename that contain $find, skipping // comment
// lines and lines that start with an entry of $ignore_lines
function search($filename, $ignore_lines, $find){
	$found = array();
	$file_array = file($filename);
	if ( $file_array === false ) {
		return $found; // unreadable file
	}
	for($i=0; $i<count($file_array); $i++){
		$continue_flag = 0;
		for($j=0; $j<count($ignore_lines); $j++){
			if(substr($file_array[$i],0,strlen($ignore_lines[$j])) == $ignore_lines[$j]) $continue_flag = 1;
		}
		if($continue_flag == 1) continue;
		// strpos() matches the name literally; ereg() was removed in PHP 7
		if ( strpos( $file_array[$i], $find ) !== false and substr($file_array[$i],0,2) != '//' ) {
			$line = $i + 1;
			$found[] = "line $line: <code>" . htmlentities( $file_array[$i] ) . "</code><br />";
		}
	}
	return $found;
}

?>
Use your browser to check the output. Replace 'configuration.php' with the name you used for your new configuration file and check the output again. Only a couple of files should appear in either one of these cases. Edit these files and change the name of the configuration file accordingly. This should solve your problems.

However, it would be interesting to know which files these are, what their permissions/ownerships are and whether the component works flawlessly afterwards.

Vrlo Jak Tim
Joomla! Hero
Posts: 2319
Joined: Mon Nov 07, 2005 12:58 am
Location: Bar, Crna Gora

Re: Protecting configuration.php [SOLVED]

Post by Vrlo Jak Tim » Sat Jun 02, 2007 9:17 pm

I'll do it, and inform you here about results. Thanks for trying.

And, yes, I agree about backup... :) What is the point if we just replace all we messed up? :)



EDIT 1:
emav wrote: Do you receive an error message when using "restore"? Did you receive any warnings when you renamed your configuration file?
Yes, there are two types of warnings. In all cases, except restoring, warning was "unable to create folder".
About restoring, I tried two cases:
1. to overwrite existing: warning was something like "there is already file named configuration.php".
2. to rename "configuration.php", and then tried to restore "old" one. Warning was "unable to create folder."


EDIT 2:

Here are results of implementation of your tool (code from your previous post):

Code:

/xxxx/xxxx/public_html/administrator/components/com_sef/admin.sef.php
line 36: 'yyyyy/yyyyy/configuration.php',

/xxxx/xxxx/public_html/administrator/components/com_smoothgallery/admin.smoothgallery.html.php
line 419: include ("../yyyyy/yyyyy/configuration.php");

/xxxx/xxxx/public_html/components/com_sef/sef.php
line 193: include( 'yyyyy/yyyyy/configuration.php' );
line 222: include( 'yyyyy/yyyyy/configuration.php' ); 
NB: yyyyy is the name of the folder which I tried to create during the "Move" option. Moving with the component resulted in "unable to create folder", so I created it manually. I still don't get why I made two directories. :(
Last edited by Vrlo Jak Tim on Sat Jun 02, 2007 9:54 pm, edited 1 time in total.
Dragan Djordjevic
Member of Joomla! Montenegrin Translation Team
http://www.joomlamontenegro.com

emav
Joomla! Intern
Posts: 58
Joined: Fri Nov 03, 2006 7:39 pm
Location: Thessaloniki, Greece

Re: Protecting configuration.php [SOLVED]

Post by emav » Sun Jun 03, 2007 7:15 am

Vrlo Jak Tim wrote:Yes, there are two types of warnings. In all cases, except restoring, warning was "unable to create folder".
About restoring, I tried two cases:
1. to overwrite existing: warning was something like "there is already file named configuration.php".
2. to rename "configuration.php", and then tried to restore "old" one. Warning was "unable to create folder."
"Unable to create folder" means that you tried to move your configuration file to a folder that did not exist and could not be created either because the top folder is unwritable or because apache doesn't have ownership of that folder.

Normally, this error message would simply abort the whole procedure and reverse all changes (if any were made) unless, by any chance, it was interrupted, which is probably what happened here.
Vrlo Jak Tim wrote:

Code:

/xxxx/xxxx/public_html/administrator/components/com_sef/admin.sef.php
line 36: 'yyyyy/yyyyy/configuration.php',

/xxxx/xxxx/public_html/administrator/components/com_smoothgallery/admin.smoothgallery.html.php
line 419: include ("../yyyyy/yyyyy/configuration.php");

/xxxx/xxxx/public_html/components/com_sef/sef.php
line 193: include( 'yyyyy/yyyyy/configuration.php' );
line 222: include( 'yyyyy/yyyyy/configuration.php' ); 
If these three files are the only ones that refer to your new configuration file, just edit them and delete 'yyy/yyy/' in the lines mentioned above. Note that '../' should be left intact before configuration.php in line 419 of admin.smoothgallery.html.php
Vrlo Jak Tim wrote:NB: yyyyy is the name of the folder which I tried to create during the "Move" option. Moving with the component resulted in "unable to create folder", so I created it manually. I still don't get why I made two directories. :(
This is probably due to the fact that you applied the procedure twice... Maybe you clicked 'apply' twice when you tried to move your configuration file. This is bound to interrupt and reapply the procedure which will result in a broken site. That's why I recommend backing up your site before using the component. It is a procedure that needs a few seconds to complete but nobody knows what might go wrong in the meantime with your web server, the connection between your computer and your server and so on.

Vrlo Jak Tim
Joomla! Hero
Posts: 2319
Joined: Mon Nov 07, 2005 12:58 am
Location: Bar, Crna Gora

Re: Protecting configuration.php [SOLVED]

Post by Vrlo Jak Tim » Sun Jun 03, 2007 9:02 pm

Thanks for trying emav, very kind of you, I appreciate it.

I restored backup to web site we talked about, just to be sure that everything is the same like b4.

I just finished testing with web site installed with Fantastico (first one was FTP uploaded), and component works fine.

Happy trails,
VJT
Dragan Djordjevic
Member of Joomla! Montenegrin Translation Team
http://www.joomlamontenegro.com

