
You MUST move Joomla configuration in the database.

Posted: Sun Feb 22, 2009 7:00 am
by WebMaestro
Hi guys.

My name is Abdoulaye Siby aka Asiby aka WebMaestro.

You are doing an awesome job with Joomla. Keep it up.

I have been developing for Mambo and Joomla for several years now and I also do so for Drupal and A2Billing. After dealing with several hacking situations involving Joomla, I have realized that there is one thing that you can add in order to improve the security.

I have noticed that it is required that the configuration file and many folders must have the 777 permission in order for Joomla to work properly on a web hosting environment. That is pretty unsafe. Also, making configuration.php read-only will negate the global configuration as it would prevent even the super administrator from modifying Joomla's global configuration on the fly.

Now, Joomla is using the JConfig class to contain all the configuration options. I suggest that you move all the configuration (except the database settings) into the database. The JConfig class will look roughly like the following.

Code:

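<?php
class JConfig {
    /* Database Settings */
    var $tablename = "configuration";
    var $dbtype = 'mysqli';
    var $host = 'localhost';
    var $user = 'myusername';
    var $password = 'mysecret';
    var $db = 'my';
    var $dbprefix = 'jos_';

    /* mysqli connection used by __get() and __set() */
    private $link;

    public function __construct() {
        /**
         * Connect to the DB here or make sure that the framework does it
         * before any configuration variable is either read or written
         **/
        $this->link = new mysqli($this->host, $this->user, $this->password, $this->db);
    }

    /* Option names end up as column names, so accept plain identifiers only */
    private function column($var) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $var)) {
            throw new InvalidArgumentException("Invalid configuration option: $var");
        }
        return "`$var`";
    }

    public function __get($var) {
        // Query: SELECT $var FROM {#__$this->tablename};
        $sql = 'SELECT ' . $this->column($var)
             . ' FROM `' . $this->dbprefix . $this->tablename . '` LIMIT 1';
        $result = $this->link->query($sql);
        $row = $result ? $result->fetch_row() : null;
        return $row ? $row[0] : null;
    }

    public function __set($var, $val) {
        // Query: UPDATE {#__$this->tablename} SET $var = '$val';
        // The value is bound as a parameter instead of being pasted into the SQL
        $sql = 'UPDATE `' . $this->dbprefix . $this->tablename . '` SET '
             . $this->column($var) . ' = ?';
        $stmt = $this->link->prepare($sql);
        $stmt->bind_param('s', $val);
        $stmt->execute();
    }
}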


The above code does not require any change in the existing modules that access the configuration options properly. Simply accessing or setting a configuration setting will be enough. PHP will use the magic functions __get() and __set() to do the rest.

After moving the config in the DB, the configuration.php file can permanently have a read-only permission while the admin user will still enjoy the admin interface. I understand that some changes will be required in the admin interface because it is currently reading and saving all the global configuration data in the flat file.

Cheers

A. Siby

Re: You MUST move Joomla configuration in the database.

Posted: Wed Feb 25, 2009 6:16 pm
by bobbravo2
Great idea

Re: You MUST move Joomla configuration in the database.

Posted: Wed Feb 25, 2009 8:34 pm
by dattard
I prefer it the way it is. The "raw" configuration is done via config file, and then all parameters are in the database.

What if you need to change the database? The way it is, it is dead easy to migrate.
"I have noticed that it is required that the configuration file and many folders must have the 777 permission in order for Joomla to work properly on a web hosting environment"
That means the webhost you are using sucks big time and you should change it. Not a very valid excuse to move the configuration database out of the database.

Re: You MUST move Joomla configuration in the database.

Posted: Wed Feb 25, 2009 8:46 pm
by bobbravo2
If you need to change the database why not just edit it via phpMyAdmin?

Re: You MUST move Joomla configuration in the database.

Posted: Wed Feb 25, 2009 9:06 pm
by mic
bobbravo2 wrote:If you need to change the database why not just edit it via phpMyAdmin?
While the idea of moving the config into the database is very old (was once at Mambo's time, I remember), not every 'Webmaster' is a web master!

Re: You MUST move Joomla configuration in the database.

Posted: Wed Feb 25, 2009 9:30 pm
by bobbravo2
righty right right...okay I've been convinced as to the utility of configuration.php as a flatfile database

Re: You MUST move Joomla configuration in the database.

Posted: Thu Feb 26, 2009 5:21 pm
by WebMaestro
dattard wrote:I prefer it the way it is. The "raw" configuration is done via config file, and then all parameters are in the database.

What if you need to change the database? The way it is, it is dead easy to migrate.
Seriously, do you really not know what to do when it comes time to change the database? For crying out loud, the entire content of the web site is sitting in a database. If that should be a problem, then I guess that we will be screwed. :eek: Come on, think outside the box and really think about it. If you really need to change the DB, then DUMP everything and import it in the new DB.

The only things that should be kept inside configuration.php are the configuration options that will never and should never be changed from the Admin interface (db username, db password, db port, db host, and maybe a few others). After doing that, the other options can be considered as Site "Parameters" and moved in a DB. You said that you wanted the "raw" configuration to be done via config file, and then all parameters to be in the database. Then that's my idea also. The only difference is that you want the entire list of configuration options to stay in the flat file while being editable from the Admin UI.

I haven't personally seen a single web hosting company that lets you modify configuration.php when its permission is set to 755, which is the expected behavior. It's easy to say that the web hosting company sucks. But suggesting that we should just avoid them does not fix this security risk.

I don't know what you guys really think about this, but I thought it was a common sense thing. The current way to go does not make any sense to me anymore.

Cheers

Abdoulaye Siby

Re: You MUST move Joomla configuration in the database.

Posted: Thu Feb 26, 2009 6:06 pm
by bobbravo2
Would you mind posting what you'd leave in the current configuration.php file?

Re: You MUST move Joomla configuration in the database.

Posted: Thu Feb 26, 2009 6:12 pm
by Tonie
For configuration.php, the easiest is to make sure that the owner of that file is your FTP user which you can always do, regardless of hosting party. Set the permissions to 755. If you need to change something, set it temporarily to 777, make the change and change it back to 755. This is safer than having the Apache user ownership on the file.

Re: You MUST move Joomla configuration in the database.

Posted: Fri Feb 27, 2009 6:17 pm
by dattard
"The only things that should be kept inside configuration.php are the configuration options that will never and should never be changed from the Admin interface (db username, db password, db port, db host, and maybe a few others). After doing that, the other options can be considered as Site "Parameters" and moved in a DB. You said that you wanted the "raw" configuration to be done via config file, and then all parameters to be in the database. Then that's my idea also. The only difference is that you want the entire list of configuration options to stay in the flat file while being editable from the Admin UI."
Agreed here. DB connect stuff should be kept outside the db :)

Rest of the stuff can go into the database itself ...

Re: You MUST move Joomla configuration in the database.

Posted: Fri Feb 27, 2009 7:25 pm
by WebMaestro
Yes, indeed.
Tonie wrote:For configuration.php, the easiest is to make sure that the owner of that file is your FTP user which you can always do, regardless of hosting party. Set the permissions to 755. If you need to change something, set it temporarily to 777, make the change and change it back to 755. This is safer than having the Apache user ownership on the file.
Hello Tonie, I have tried that. But the problem is that the person working on the web site is not always a "web master" as dattard mentioned it earlier. Sometimes they don't even know the ftp information and we don't want them to know it. That will make it difficult for them to change the permissions from time to time.

Cheers

Re: You MUST move Joomla configuration in the database.

Posted: Fri Feb 27, 2009 7:27 pm
by JeremyRReger
bobbravo2 wrote:Would you mind posting what you'd leave in the current configuration.php file?

good question...

Re: You MUST move Joomla configuration in the database.

Posted: Fri Feb 27, 2009 9:39 pm
by WebMaestro
These ...

Code:

...
/* Database Settings */
var $dbtype = 'xxxxxxx';
var $host = 'xxxxx';
var $user = 'xxxxx';
var $password = 'xxx';
var $db = 'xxxxxxx';
var $dbprefix = 'jos_';
...

Re: You MUST move Joomla configuration in the database.

Posted: Fri Feb 27, 2009 9:50 pm
by brad
Run suphp (among other things), and then this will not be an issue. You will be able to edit your Joomla Global Configuration via your Joomla admin.

Re: You MUST move Joomla configuration in the database.

Posted: Sun Mar 01, 2009 12:45 am
by WebMaestro
Thanks but IMHO that will be just as bad. Running suPHP sounds to me like chmoding everything to 777. If we use suPHP for executing PHP scripts with the permissions of their owners, it will mean that every single visitor will potentially have the same permissions as the owner, which will include the "write access". Bad idea. Besides, suPHP is a module. That makes matters worse. It's difficult enough to convince a Web hosting company to simply turn register_globals OFF or to activate "AllowOverride". They will most likely refuse to install suPHP.

Cheers

Re: You MUST move Joomla configuration in the database.

Posted: Sun Mar 01, 2009 12:57 am
by brad
The exact opposite.. suphp requires you to chmod to 644 for files and 755 for folders.

If a webhosting company doesn't offer you an appropriate service for your needs.. leave.

You may wish to read my strong feelings on the matter here:
http://community.joomla.org/team-blogs/ ... en-up.html
http://community.joomla.org/blogs/leade ... we-do.html
http://community.joomla.org/team-blogs/ ... -time.html

I have VERY strong views on this matter, as good hosting is one of the main parts of a secure website.
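
An added example, not part of any post in this thread: a shell audit of the permission baseline discussed above (644 for files, 755 for folders, nothing at 666/777) that also checks who owns configuration.php. The function names and the "PHP user" argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Joomla docroot against the
# 644 (files) / 755 (folders) baseline. All paths are supplied by the caller.

# List files and folders writable by group or other (666, 775, 777, ...).
loose_entries() {
    find "$1" \( -type f -o -type d \) \( -perm -0002 -o -perm -0020 \) -print | sort
}

# 0: configuration.php is not group/other writable; 1: it is; 2: it is missing.
config_status() {
    cfg="$1/configuration.php"
    [ -f "$cfg" ] || return 2
    [ -z "$(find "$cfg" \( -perm -0002 -o -perm -0020 \) -print)" ]
}

# 0 if configuration.php is owned by user $2 (name or numeric uid), e.g. the
# account PHP runs as. The owner can always chmod the file writable again.
config_owned_by() {
    [ -n "$(find "$1/configuration.php" -user "$2" -print 2>/dev/null)" ]
}

# One-line summary: loose=<count> config=<ok|writable|missing> php_owned=<yes|no>
audit_site() {
    root="$1"; php_user="$2"
    loose=$(loose_entries "$root" | wc -l | tr -d ' ')
    rc=0; config_status "$root" || rc=$?
    case "$rc" in 0) state=ok ;; 1) state=writable ;; *) state=missing ;; esac
    owned=no; config_owned_by "$root" "$php_user" && owned=yes
    echo "loose=$loose config=$state php_owned=$owned"
}

# Usage: sh audit.sh /path/to/joomla www-data   (www-data is an assumed PHP user)
if [ "$#" -eq 2 ]; then
    audit_site "$1" "$2"
    loose_entries "$1"
fi
```

A result of `config=ok php_owned=yes` still means scripts running as that user can change the file, which is the ownership point raised earlier in the thread.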

Re: You MUST move Joomla configuration in the database.

Posted: Sun Mar 01, 2009 1:54 am
by WebMaestro
brad wrote:The exact opposite.. suphp requires you to chmod to 644 for files and 755 for folders.
Good. Thanks for the info.
brad wrote:If a webhosting company doesn't offer you an appropriate service for your needs.. leave.
The idea here is to do things in a way that will avoid closing the door on opportunities. When building applications, you should be the one building them in a way that will be compatible with already existing infrastructure. And that is not impossible. It will only make your application less popular if it requires a very specific configuration on servers. It's like what is happening with Internet Explorer versus the other browsers. Many people will make it clear on their Web site that it is only compatible with such and such web browser. That's an easy way out. They should be thinking about what they can do to be compatible with the other browsers. That same approach applies here. Someone said so well that "when pointing a finger to someone else, there are 4 other fingers pointing back at you". I am not looking for an easy way out. Have you ever used Drupal (among others)? If you did, then what do you think about the setting file (for instance default.php) versus Joomla's configuration.php, "security wise"? If you didn't, then learn about it. It is extremely powerful in comparison to Joomla. No offense guys. I use them both extensively, and that's my opinion. And to be honest, when it comes to the things related to configuration.php, Joomla is a less portable CMS. That's the only thing that I was trying to address here. I know how to temporarily work around these issues, but the solutions will often take away the advantage of using a CMS and the user-friendliness of the whole thing.

I think that there is not much that I can add to this thread. I just wanted to send a message to the Joomla Dev team and the community at the same time. People can take it or just leave it as background noise. Fine by me. If I find the time to do it, I will have a patch that I will simply apply to each Joomla install that I will do. The dev team members are skillful enough to be able to implement this concept. Again, I just wanted to send the message.

Thanks for your replies.

I'm out of here.

Cheers guys.

Re: You MUST move Joomla configuration in the database.

Posted: Sun Mar 01, 2009 1:59 am
by brad
If you choose to drive a car knowingly with a poor safety rating, in the case of an accident, you can't blame the car. The same goes for your choice of webhost. There are many out there; there is no best web host though, only the one best for you. I'm glad you are happy with the current situation you find yourself in.

Thanks for sharing your thoughts on the matter, but security is not only a Joomla thing.. it also relies on other factors.

Re: You MUST move Joomla configuration in the database.

Posted: Fri Mar 06, 2009 12:51 pm
by Hackwar
What do you guys think would be gained by moving the not-db-related config options to the database? In the end, it doesn't matter what you do, if you gained access to the system and have been able to read the configuration.php with the db connection settings, you will be able to change the database and do whatever you want. Also, setting a file/folder to 666/777 does not mean that automatically everybody can edit those files. You still need a security hole in your system to get in and if there is a security hole to get in, you already can edit the database and change whatever you want.

Re: You MUST move Joomla configuration in the database.

Posted: Thu Mar 12, 2009 1:33 am
by Umbungo
That's insane.
Joomla is slow enough as it is.
Why not use the site key to encrypt a flat file database, which in turn is only updated when database input occurs?

This would speed Joomla up massively for users on shared hosting solutions (the majority) and kill Joomla's reputation of being a slow CMS.

A lot of users don't know how to use .htaccess which helps protect from injection attacks.

Perhaps a better solution would be to make all queries pass through a filter using a few lines of code, ensuring that injection attacks fail every time.

Apart from adding a radio button in Joomla that allows you to place modules in 'all but these' locations, I can't think of anything better that Joomla desperately needs.

Re: You MUST move Joomla configuration in the database.

Posted: Thu Mar 12, 2009 10:14 am
by Bongo
Some could move to the DB but some cannot.

This is my real world situation:
1) I almost always develop on my own machine park and after tests and approval I move the installation to the customer's webhotel or I have a subcontractor do that job.

2) The customers' webhotels either offer access to MySQL thru phpMyAdmin or on a few occasions the webhotel admins / customer's IT dept. load the database with the database dump from my machine.

So I need to be able to set physical path, db access, live site URL, after I've loaded the final database with the content.

While it is possible to manually tweak some fields, sometimes I don't even have access to the database from where I am. Sure, I have the id & pass but usually the id is restricted to localhost or a machine within the webhotel NAT.

I also want to be able to set the site online/offline if the database host is down or has errors.

So I'd keep these lines, which are the ones I need to reconfig whenever I move an installation from development to production to the customer's webhotel / private server / whatever.


var $live_site = 'http://mydevelopmentmachine.mydomain.se/customer44';
#
var $offline_message = 'Webbplatsen är stängd för underhåll. Välkommen tillbaka senare.';
var $offline = '0';
#
var $dbtype = 'mysql';
var $host = 'mydevelopmentmysqlhost';
var $user = 'mydevelopmentuser';
var $password = 'pw';
var $db = 'mydevelopmentdatabase';
#
var $log_path = '/customers/xxx/xxx/httpd.www/logs';
var $tmp_path = '/customers/xxx/xxx/httpd.www/tmp';

Re: You MUST move Joomla configuration in the database.

Posted: Thu Mar 12, 2009 11:29 am
by Umbungo
Hi Bongo
There are some very nice Joomla SQL extensions available that will let you manipulate the database in almost any way you like!

Hop over to here: Joomla Database Extensions and take a peek if you haven't already :eek:

Hope this helps you out a little :)

Re: You MUST move Joomla configuration in the database.

Posted: Mon Dec 07, 2009 11:39 am
by kurchania
Hello All,

I want to develop a system in which we have the same Joomla file structure but use different databases, to design multi-vendor systems using the same files but with a different database. For that I am trying the following things:

1. Create the database that contains all the essential parameters of configuration.php and the name of the URL.

assign its value at runtime in constructor. The database contains all the parameters of configuration.php and generates them at runtime on the basis of the site URL.