access permissions

Permalink
I'm new to web dev, and noticed that an outsider can get to my db.xml files (e.g.http://www.bkk.upm.edu.my/concrete/config/db.xml... ).

I have .htaccess set to Options -Indexes, but that's not enough for someone to guess a directory structure.

What do I need to do to completely prevent someone from having access to these files?

thanks,

rich

View Replies:
michaelmior replied on at Permalink Reply
michaelmior
I'm seeing a 404 on the link now. Does this mean you resolved your issue?
richbl replied on at Permalink Reply
The issue still stands.

The link example is not my site, but it exercises the problem wherein if someone knows the site hierarchy (in this case, for Concrete5), they can access files directly. In this example, a db.xml file.

rich
frz replied on at Permalink Reply
frz
1) this is a sever config issue. setup your server to not allow folks to read files of extensions you don't want..

2) what file is it we're worried about here? where's the security risk?
andrew replied on at Permalink Reply
andrew
I think with some .htaccess directives you could make it so that any requests from browsers for db.xml would be ignored (but the system would still be able to read it just fine.)

But more importantly - I'm not sure this is a huge issue. The software is open source, and the tables are always the same. So if someone knows you're running concrete5 (which they would have to, in order to know to look in that spot.) they'd also be able to just download the software for themselves to learn what tables the system creates. It's not like that file contains any privileged information - it's just the schema for the database.

Now, if it were config/site.php that were readable through the browser, that would be a big deal - but this file is not very sensitive at all.