Security of nuconfig.php
Posted: Fri Feb 01, 2019 4:42 pm
by Janusz
Hi,
I am wondering how much and in which way Apache2 is protecting the nuconfig.php file.
Can you please share some opinion or experience on it?
I did some trials and, fortunately, was not able to download or read nuconfig.php from an external server.
(but maybe others can)
Normally, by issuing wget you can download the majority of the files, for example:
wget https://aaa.aaaaa.aa/nuform.js
or
wget https://aaa.aaaaa.aa/nubuilder4.sql
or ....
Fortunately, wget https://aaa.aaaaa.aa/nuconfig.php is not working.

Re: Security of nuconfig.php
Posted: Fri Feb 01, 2019 6:04 pm
by kev1n
If the server is configured correctly, you cannot download a PHP file. It will be executed when called via the webserver. The only way to see what it does is to gain access to the server via SSH or FTP or some other method.
This is because PHP is a server-side language: all the actions are performed on the server, then the result is sent to your browser (which is client-side).
Re: Security of nuconfig.php
Posted: Fri Feb 01, 2019 8:26 pm
by Janusz
Thanks for your reply.
I did some more tests, and some other PHP files like index.php, nuace.php and a few more can be downloaded, but in fact they are not real PHP files inside.
So it looks like, besides checking the PHP extension, Apache2 is also analysing the content of the file to see if it is really PHP code inside.
But if, for example, I change the name of nuconfig.php to nuconfig.php.bak,
then I can easily download the latter one.
Re: Security of nuconfig.php
Posted: Sat Feb 02, 2019 5:56 am
by kev1n
This page provides some general hints for Apache servers running PHP applications.
https://www.conftool.net/technical_docu ... hints.html
An excerpt from it:
Security Hints for PHP/MySQL Applications
Access to Backup Files
It is advisable to block access to all backup files
Limit Network Access
If not required, block network access to the MySQL database server from other hosts.
Update Default Root User
Many distributions install a "root" MySQL user without any password. Make sure to set a password for the "root" user after a new server installation.
PHP Security Settings
Some PHP functions can make your system vulnerable, as they provide access to system resources, parameters or files.
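
An added example, not part of the thread and not nuBuilder's or ConfTool's own code: a small audit that walks a web root and reports files the server would hand out as raw source, such as the nuconfig.php.bak copy and the nubuilder4.sql dump mentioned above. The extension lists, the function names and the sample file contents are assumptions made for the illustration.

```python
import os
import tempfile

# Assumption: only ".php" is mapped to the PHP handler; any other name is
# sent to the client as a static file (the behaviour seen in the thread).
PHP_HANDLED = {".php"}
# Assumption: extensions typically left behind by editors, backups and dumps.
RISKY_EXT = {".bak", ".old", ".orig", ".save", ".swp", ".sql", ".zip", ".gz"}

def audit_docroot(docroot):
    """Return {relative_path: reason} for files a client could fetch raw."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_HANDLED:
                continue  # executed server-side, source never leaves the host
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if b"<?php" in head:
                findings[rel] = "PHP source served as a static file"
            elif ext in RISKY_EXT or name.endswith("~"):
                findings[rel] = "backup or dump file in the web root"
    return findings

def build_sample_docroot(root):
    """Constructed sample tree; file names are the ones from the thread."""
    config = b"<?php $db_password = 'placeholder'; ?>"  # constructed content
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "nuconfig.php": config,
        "nuconfig.php.bak": config,  # the renamed copy from the thread
        "nuform.js": b"function nuExample() {}",
        "nubuilder4.sql": b"CREATE TABLE example (id INT);",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for path, reason in sorted(audit_docroot(tmp).items()):
            print(f"{path}: {reason}")
```

Pointed at a real document root, anything it reports should be moved out of the web root, deleted, or denied in the Apache configuration.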