Security of nuconfig.php

Questions related to using nuBuilder Forte.

Post by Janusz » Sat Feb 02, 2019 1:12 am

Hi,
I am wondering how much and in which way Apache2 is protecting the nuconfig.php file.

Can you please share some opinion or experience on it?

I did some trials and, fortunately, was not able to download or read nuconfig.php from an external server.
(but maybe others can)

Normally, by issuing wget you can download the majority of the files, for example:
wget https://aaa.aaaaa.aa/nuform.js
or
wget https://aaa.aaaaa.aa/nubuilder4.sql
or ....

Fortunately, wget https://aaa.aaaaa.aa/nuconfig.php is not working :-)
Janusz
 
Posts: 257
Joined: Fri Dec 28, 2018 10:11 pm
Location: Krakow, Poland

Re: Security of nuconfig.php

Post by kev1n » Sat Feb 02, 2019 2:34 am

If the server is configured correctly, you cannot download a PHP file. It will be executed when called via the webserver. The only way to see what it does is to gain access to the server via SSH or FTP or some other method.

This is because PHP is a server-side language; all the actions are performed on the server, then the result is sent to your browser (which is client-side).
kev1n
 
Posts: 359
Joined: Mon Oct 15, 2018 2:13 am

Re: Security of nuconfig.php

Post by Janusz » Sat Feb 02, 2019 4:56 am

Thanks for your reply.
I did some more tests, and some other PHP files like index.php, nuace.php, and a few more can be downloaded, but in fact they are not real PHP files inside.
So it looks like, besides checking the php extension, Apache2 is also analysing the content of the file to see if it is really PHP code inside.

But if, for example, I change the name of nuconfig.php to nuconfig.php.bak,
then I can easily download the latter one.
Janusz
 
Posts: 257
Joined: Fri Dec 28, 2018 10:11 pm
Location: Krakow, Poland

Re: Security of nuconfig.php

Post by kev1n » Sat Feb 02, 2019 2:26 pm

This page provides some general hints for Apache servers running PHP applications.
https://www.conftool.net/technical_docu ... hints.html

An excerpt from it:

Security Hints for PHP/MySQL Applications

Access to Backup Files
It is advisable to block access to all backup files.

Limit Network Access
If not required, block network access to the MySQL database server from other hosts.

Update Default Root User
Many distributions install a "root" MySQL user without any password. Make sure to set a password for the "root" user after a new server installation.

PHP Security Settings
Some PHP functions can make your system vulnerable, as they provide access to system resources, parameters or files.
kev1n
 
Posts: 359
Joined: Mon Oct 15, 2018 2:13 am
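
An added example (not part of the original posts and not nuBuilder code): a Python audit of a web root for the case described in this thread, where a file such as nuconfig.php.bak is no longer handled by PHP and is sent as plain text. It assumes the PHP handler matches only names ending in .php; the function names, the suffix list and the sample file contents are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: PHP is mapped only to names ending in .php (a FilesMatch "\.php$"
# style handler). An AddHandler mapping treats multiple extensions differently.
PHP_HANDLED = re.compile(r"\.php$", re.IGNORECASE)
# Suffixes commonly left behind by editors, backups and installers (constructed list).
RISKY_SUFFIX = re.compile(r"(\.(bak|old|orig|save|swp|sql|inc)|~)$", re.IGNORECASE)


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) pairs for files the server would send as-is."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if PHP_HANDLED.search(name):
                continue  # executed by PHP, so the source is not sent to the client
            path = os.path.join(base, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            rel = os.path.relpath(path, docroot)
            if b"<?php" in head:
                findings.append((rel, "PHP source served as static file"))
            elif RISKY_SUFFIX.search(name):
                findings.append((rel, "backup or dump file in web root"))
    return sorted(findings)


def demo():
    """Build a constructed docroot using the thread's file names and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "nuconfig.php": b"<?php $db_password = 'constructed'; ?>",
            "nuconfig.php.bak": b"<?php $db_password = 'constructed'; ?>",
            "nubuilder4.sql": b"-- constructed dump\nCREATE TABLE t (id INT);",
            "nuform.js": b"function f() {}",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return audit_docroot(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Files it reports should be moved out of the web root or denied in the server configuration, in line with the "Access to Backup Files" hint quoted above.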

