Jump to content

TzFiles


The Little Guy

Recommended Posts

Well, actually, I know a lot about your server.
http://tzfiles.com/users/demo/phpinfo.php

I was successfully able to view your directory and what files you had. I have a lot of suggestions for you.

#1. Put your important files (like the db.php) BELOW the /public_html/ area. This will only allow the server to execute that file, and not somebody from an outside source.

#2. Please do something about the PHP issue. Looking at your other thread, I thought you figured out the CHMOD issue. However, I was still able to upload a PHP file and execute it. See #3 and #4 for suggestions:

#3 When uploading a PHP file, rename the file to like .phps (as long as you keep it that way in the PHP settings)

#4 With [b]ANY[/b] executable file, have the server zip the file. Link: http://us2.php.net/manual/en/ref.zip.php


Hopefully, one of these solutions will work out for you. Right now, you have a really big security hole you need to plug. I would recommend playing around with these options, or if you don't have the time right now, you should disable uploading executable files (.php .js .exe etc..)

Link to post
Share on other sites
I only have acces to ryannaddy and everything to the right

/home/.marble/ryannaddy/tzfiles.com/filename.something

So where would i put db.php? right now it is in tzfiles.com should I move it to ryannaddy? If i move it there, how do I tell my files to connect to it?

Thanks, all of the solutions are ones I want to fix, and I need to fix all those holes.

securing db.php was the main Idea of this thread:

http://www.phpfreaks.com/forums/index.php/topic,121909.0.html

for number #2 I did fix it, but when The file was uploaded, it wouldn't allow me to fread()/fwrite()/fopen(), so I temporarily allowed files to be run on the server. What chmod should I use?
Link to post
Share on other sites
#1 was fixed by makeing my db.php file look like this:
[code]
<?php

if(basename(__FILE__) == basename($_SERVER['PHP_SELF'])) send_404(); 

$dbHost = "localhost";        //Location Of Database usually its localhost
$dbUser = "xxxxx";                        //Database User Name
$dbPass = "xxxxx";                        //Database Password
$dbDatabase = "file_host";              //Database Name

$db = mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");
mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

function send_404()
{
    header('HTTP/1.x 404 Not Found');
    print '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'."\n".
    '<html><head>'."\n".
    '<title>404 Not Found</title>'."\n".
    '</head><body>'."\n".
    '<h1>Not Found</h1>'."\n".
    '<p>The requested URL '.
    str_replace(strstr($_SERVER['REQUEST_URI'], '?'), '', $_SERVER['REQUEST_URI']).
    ' was not found on this server.</p>'."\n".
    '</body></html>'."\n";
    exit;
}

?> [/code]
Link to post
Share on other sites
...I wonder how my "Kill Spiders" button got on there. Maybe I forgot to delete it after I used it for testing. :-\

Anyway, everything is looking good, but the header seems kind of empty, to the right of the name. Maybe you should put a simple "Welcome back, USERNAME" up there.
Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.