Security of nuconfig.php

Janusz
nuBuilder Team

Hi,
I am wondering how much and in which way Apache2 is protecting the nuconfig.php file.

Can you please share some opinion or experience on it?

I did some trials and, fortunately, was not able to download or read nuconfig.php from an external server.
(but maybe others can)

Normally, by issuing wget, you can download the majority of the files, for example:
wget https://aaa.aaaaa.aa/nuform.js
or
wget https://aaa.aaaaa.aa/nubuilder4.sql
or ....

Fortunately, wget https://aaa.aaaaa.aa/nuconfig.php is not working :-)
kev1n
nuBuilder Team

Re: Security of nuconfig.php

If the server is configured correctly, you cannot download a PHP file. It will be executed when called via the webserver. The only way to see what it does is to gain access to the server via SSH or FTP or some other method.

This is because PHP is a server-side language: all the actions are performed on the server, then the result is sent to your browser (which is client-side).
Janusz
nuBuilder Team

Re: Security of nuconfig.php

Thanks for your reply.
I did some more tests, and some other PHP files like index.php, nuace.php, and a few more can be downloaded, but in fact they are not real PHP files inside.
So it looks like, besides checking the php extension, Apache2 is also analysing the content of the file to see if it is really PHP code inside.

But if, for example, I change the name of nuconfig.php to nuconfig.php.bak,
then I can easily download the latest one.
kev1n
nuBuilder Team

Re: Security of nuconfig.php

This page provides some general hints for Apache servers running PHP applications.
https://www.conftool.net/technical_docu ... hints.html

An excerpt from it:

Security Hints for PHP/MySQL Applications

Access to Backup Files
It is advisable to block access to all backup files.

Limit Network Access
If not required, block network access to the MySQL database server from other hosts.

Update Default Root User
Many distributions install a "root" MySQL user without any password. Make sure to set a password for the "root" user after a new server installation.

PHP Security Settings
Some PHP functions can make your system vulnerable, as they provide access to system resources, parameters or files.
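
A way to audit a web root for the situation discussed in this thread, as an added example that is not part of the original posts or of nuBuilder's code: in the usual Apache setup a file is handed to PHP because of its name, so PHP source stored under another name (such as nuconfig.php.bak), backups and SQL dumps are sent to the client as they are. The function names, the list of suffixes and the sample tree are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example: list files under a web root that would be sent to a client
# as raw content. Assumption: the server runs only *.php through PHP.

# audit_webroot DIR -> prints "<finding><TAB><path relative to DIR>" per hit
audit_webroot() {
    root=${1%/}
    find "$root" -type f ! -name '*.php' | LC_ALL=C sort |
    while IFS= read -r f; do
        rel=${f#"$root"/}
        if grep -qF '<?php' "$f" 2>/dev/null; then
            # PHP source under a name the PHP handler does not match
            printf 'php-source\t%s\n' "$rel"
        else
            case $rel in
                *.sql|*.bak|*.old|*.orig|*.save|*~)
                    printf 'backup-or-dump\t%s\n' "$rel" ;;
            esac
        fi
    done
}

# Constructed sample tree (file contents are made up for the demonstration).
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/libs"
    printf '<?php $examplePassword = "constructed"; ?>\n' > "$d/nuconfig.php"
    cp "$d/nuconfig.php" "$d/nuconfig.php.bak"
    cp "$d/nuconfig.php" "$d/libs/settings.inc"
    printf 'CREATE TABLE t (id INT);\n' > "$d/nubuilder4.sql"
    printf 'var x = 1;\n' > "$d/nuform.js"
    printf '%s\n' "$d"
}

sample=$(make_sample_webroot)
audit_webroot "$sample"
rm -rf "$sample"
```

Each finding is a candidate to delete, move outside the web root, or deny in the Apache configuration.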