Pligg and insecure settings.php

apps

#1

Hi – I’ve installed Pligg using an advanced one-click install and it’s working like a dream.

I’ve been attempting to secure things. One issue is worrying me – settings.php is viewable by the world. Just type example.com/settings.php and you get the following in your browser window:

Warning: include_once(mnmincludesettings_from_db.php) [function.include-once]: failed to open stream: No such file or directory in /home/.servername/username/example.com/settings.php on line 6

Warning: include_once() [function.include]: Failed opening ‘mnmincludesettings_from_db.php’ for inclusion (include_path=’.:/usr/local/php5/lib/php:/usr/local/lib/php’) in /home/.servername/username/example.com/settings.php on line 6

I’ve removed any personally identifying material in the path for posting here in this forum, but included is the name of DreamHost’s server, then my DreamHost username. Although not an immediate security problem, that’s perhaps too much detail to be giving away.

Over at the Pligg site they say to change permissions on the file, but this makes no difference with Dreamhost because (I think) of the way it’s setup. Even with permissions of -rw------- (as it has right now), the file can still be viewed.

So can anybody help? Is there a .htaccess trick to be done here? I’ve tried disabling PHP errors but it makes no difference, leading me to wonder if this is actually a PHP error.


#2

OK I thought this might be a challenge I could conquer but I tried CHMods and DH’s permission set up and it always generates the same result.

So I wanted to see how other Pligg sites displayed the settings file, and found almost the exact same thing on the pligg.com domain and any Pligg site I have a link handy to. Even on the live Pligg demo, you can see the folders below public_html in the settings output.

I guess I’m left wondering if its really a problem? Its not the most secure thing I’ve ever seen, but it still isn’t enough info on its own to provide unauthorized access - I think.

~
my obligatory dreamhost coupon