I just tried denying access to config.php using .htaccess. It works and doesn't appear to break anything. So if someone requests that file directly they'll get a 403 error, but Apache and PHP can still read it to get the info out of it they need.
# Deny access to config.php
<Files "config.php">
order allow,deny
deny from all
</Files>
EDIT: FIXED so it shouldn't break TinyMCE anymore.... Don't use a tilde, otherwise it'll break TinyMCE. Note I do not know if this will break other functions of CMSms. I found a few other files named config.php. If you want to use this hack to "protect" config.php you may need to go into the other directories where there is a config.php file and specifically allow that file.
The reason this broke TinyMCE was because that tinyconfig.php gets loaded as javascript and wasn't getting loaded.
config.php security?
Re: config.php security?
Last edited by nivekiam on Tue Jan 22, 2008 5:18 am, edited 1 time in total.
Re: config.php security?
Thanks a bunch...will try that out!
UPDATE: that seems to have worked when I tried disabling php on another server. It gives a "forbidden" instead of downloading the file. I think this should be added to the default cmsms htaccess.
Does anyone know what the difference is:
Order allow,deny
Deny from all

Order deny,allow
Deny from all
Last edited by giggler on Fri Jan 18, 2008 7:59 pm, edited 1 time in total.
Re: config.php security?
I don't do regex (regular expressions) only because I haven't been able to wrap my head around them yet.
But one looks like it's denying files named .ht. Your host must be using .ht for the AccessFileName directive in httpd.conf.
The other one is denying any file that ends with .inc.
There is a way to actually combine those into one statement, but I know I would get the syntax wrong.
Re: config.php security?
Hello nivekiam,
Feel free to add your config.php protection tip in the documentation. Maybe some commented lines in the URL filtering .htaccess example of the "optional settings".
Pierre M.
Re: config.php security?
I've been using Allow from env=REDIRECT_STATUS inside this snippet to secure config.php:
Seems to be ok.
Code:
<Files "config.php">
order allow,deny
deny from all
Allow from env=REDIRECT_STATUS
</Files>
"The art of life lies in a constant readjustment to our surroundings." -Okakura Kakuzo
--
LinkedIn profile
--
I only speak/write in English so I may not translate well on International posts.
--
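As an added example (not code from any poster in this thread or from CMS Made Simple), here is a simplified Python model of how Apache 2.2-style Order/Allow/Deny directives are evaluated, applied to the combinations quoted in the thread. It models only `from all` and `from env=VAR`; the function names and the two sample requests are constructed for illustration.

```python
# Simplified model of Apache 2.2 Order/Allow/Deny evaluation
# (mod_authz_host; mod_access_compat on 2.4). Illustrative only.

def matches(rules, env):
    """True if any 'from' argument in rules matches the request."""
    for arg in rules:
        if arg == "all":
            return True
        # "env=VAR" matches when the variable exists for this request.
        if arg.startswith("env=") and arg[4:] in env:
            return True
    return False

def access_allowed(order, allow, deny, env=frozenset()):
    """Return True if the request would be served, False for a 403."""
    allowed = matches(allow, env)
    denied = matches(deny, env)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # Needs an Allow match and no Deny match; default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # A Deny match is overridden by an Allow match; default is allow.
        return (not denied) or allowed
    raise ValueError("unsupported Order: %r" % order)

# Constructed requests: a direct GET carries no REDIRECT_STATUS, a request
# that passed through an internal redirect has it set.
DIRECT = frozenset()
REDIRECTED = frozenset({"REDIRECT_STATUS"})

# Directive combinations quoted in the thread: (Order, Allow list, Deny list).
CASES = {
    "allow,deny + Deny all": ("allow,deny", [], ["all"]),
    "deny,allow + Deny all": ("deny,allow", [], ["all"]),
    "allow,deny + Deny all + Allow env": ("allow,deny", ["env=REDIRECT_STATUS"], ["all"]),
    "deny,allow + Deny all + Allow env": ("deny,allow", ["env=REDIRECT_STATUS"], ["all"]),
}

def evaluate_thread_snippets():
    """Map each combination to (direct request served?, redirected served?)."""
    return {name: (access_allowed(o, a, d, DIRECT), access_allowed(o, a, d, REDIRECTED))
            for name, (o, a, d) in CASES.items()}

if __name__ == "__main__":
    for name, (direct, redirected) in evaluate_thread_snippets().items():
        print("%-36s direct=%s redirected=%s" % (name, direct, redirected))
```

With only `Deny from all`, both orderings refuse every request. The ordering matters once an `Allow` is added: under `allow,deny` the Deny still wins, while under `deny,allow` the env exception lets internally redirected requests through.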