Is it safe to put the file containing the database password in var/www? - apache

I don't want to save the file containing the database password in the webroot of apache so I moved it to var/www (the server root) and include it from there.
Is this creating new security issues which weren't there before or can I leave it there?

The security issue that it creates is that anyone who has access to the server can get your DB credentials. Also, depending on the file and folder, there is a possibility that the file can be downloaded (really depends on the file and security settings on your web app). The industry standard solution is to encrypt the credentials in that file.

Related

How to restore only the Delegated Ldap authentication config file?

We have an on-prem server which is also in our backup solution.
We were trying to create a new delegated LDAP permission for a different team by using the Add Directory option within User Directories in the Administration. We were able to create the directory, but when we deleted it post the testing, the configuration made in the original directory was removed, specifically from the ldap.group.filter.
Now we are trying to retrieve the old config file; however, I don't know the location where it is stored. Is it stored on the server or does it also reside in the DB? Is there a way to restore it without restoring the entire server?

DotNetNuke Secure Module Folder

I have created a module in DNN which has a sub-folder that contains several files which are used by the module, but which I do not want accessible by the public. Being new to DNN I had originally thought to simply add a Web.config and set deny users="*" in the authorization section. It looks to me now though that DNN intercepts all the requests and ignores the Web.config as this setting seems to have no effect.
Users can currently access these files simply by guessing a file name and navigating to (http://mysite.com/DesktopModules/mymodule/restricted_files/guessedfile.pdf). How can I prevent this from happening?
DotNetNuke allows you to have different providers for folders in the file system. If you use those providers (instead of interacting with the file system directly), then you can make sure that DNN has control of the permission to the files in the folder.
Built into DNN are three providers, Standard, Secure, and Database. If you create a folder with the Secure or Database provider, then DNN will make sure that you can't get to the file just by guessing the path (either by appending .resources to the filename, which IIS won't serve, or by putting it in the database). You can then assign permissions to the folder (via the File Manager page in the Admin menu) to indicate who can get to those files (the site administrator will always be able to access the files, unless you're using the Host file system).
However, these folder providers only apply to the Portals directory in the site. It's recommended that you'd store content files there, rather than in DesktopModules.

Securing a resource in Web Server

I have a file (or set of files under a directory) published on my web server. Each of these resources needs to be access-protected based on the user's credentials and authority.
The authorization details are stored in a DB, so I need to make a call to the Java code in application server to determine the access.
Every time the user hits this particular path in the webserver, I need to ensure s/he has access to the requested resource by ensuring he is logged in and has the necessary privileges to access this resource.
The webserver is apache - Can you please point me to the settings in apache that allows me to secure resource access using the above logic?
Thanks for the suggestions to correct the Tag and the Question!:
My Web Server is Apache HTTPD
Agree that this is not a Java Question: The only reason why I am bringing the Java perspective is that I am most likely going to use some Java POJOs to go and check for user authorization for a particular directory that is stored in the DB - that is, unless there is a trick in the apache httpd configuration that goes and checks the DB automatically - something similar to the one that is pointed out here... At the end of it, I need to check if a particular user (authenticated previously by the Single Sign On Server (Sun access manager)) has access to a particular directory (user mapping to directory stored in the DB) and protect the resources under the directory accordingly.
Please let me know if that clarifies.
I am not sure why this is tagged with java - unless your db structure is VERY specific, you might be able to get it done with apache authz and authn:
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html
or, for an overview:
http://httpd.apache.org/docs/2.2/howto/auth.html

Cannot change files permissions on server. Could this be because my site does not have a domain name?

I am developing a site for a client who has not decided on their domain name yet. I set up an account on a web server via WHM but have not pointed any domain names to it.
All was going well until I used a plugin (TinyMCE) to try and browse files on the server - it wouldn't work so I had a look at its script files and realised their permissions are set to not executable (644). I tried to change it to executable (755) but I get an error in my FTP client's console:
550 Could not change perms on file.js: Operation not permitted
Could this be because I am accessing the server not through a specific FTP account and so the server has locked down the files?
E.g.: I am using the server's IP address to access files with my FTP rather than something like:
ftp.mysite.com
Any advice on this would be great! Thanks
Yes, there is an issue with the FTP account permission. You will have to log in to your server with the main cPanel account user name and password, OR you can change your file permission through cPanel >> File manager.

Is it safe to put database file in htdocs?

Gudeve,
Can you recommend me a directory in my web server where I should put sensitive files?
My htdocs is arranged like this:
XAMPP/htdocs/NewsFeed
The NewsFeed directory has index.php. The index.php file's function is to connect to a database. Now, should I put the database file inside htdocs? Will it be safe?
If you have a chance to keep it outside then I suggest you to keep outside. If it is protected, a vulnerability may be exploited even at a later time causing some intrusions. So please try to keep it "away"
I am guessing you are using a SQLite database. I do not think putting it in htdocs is safe, unless you safeguard it (maybe with .htaccess / chmod) in such a way that the database cannot be accessed by others/world.
Database and database connection details (login, password etc.) should be kept outside htdocs directory.
For editing purposes only you can obfuscate the password, have a look at this post: Don’t let them see your MySQL password
Don't put a database file anywhere it can be web accessible. One should not be able to download your database over HTTP, and if it's web accessible, anyone will be able to do this.
This ought not be confused with connecting to your database. That's something your script will do.
Place the database in some server directory that is only accessible locally (to the webserver), by your script, i.e. XAMPP/db
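
The two risks raised in the first thread (a password file readable by anyone on the server, or downloadable) and in this one (a database file reachable over HTTP) can be checked mechanically. The following is an added example, not code from any of the posts above; `audit_secret_file`, `build_demo_tree` and the sample file names are hypothetical, and the directory tree is constructed in a temporary folder.

```python
import os
import stat
import tempfile

def _within(path, root):
    """True when path is root itself or lies below it (both already resolved)."""
    return os.path.commonpath([path, root]) == root

def audit_secret_file(secret_path, docroot):
    """Return findings for a credentials or database file next to a docroot."""
    findings = []
    secret = os.path.realpath(secret_path)
    root = os.path.realpath(docroot)
    if _within(secret, root):
        findings.append("inside-docroot")
    else:
        # A symlink below the docroot can still expose a file stored outside it.
        for dirpath, dirnames, filenames in os.walk(root):
            links = [os.path.join(dirpath, n) for n in dirnames + filenames]
            if any(os.path.islink(p) and _within(secret, os.path.realpath(p))
                   for p in links):
                findings.append("symlinked-from-docroot")
                break
    # Mode bits decide whether other local accounts can read the file.
    mode = stat.S_IMODE(os.stat(secret).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings

def build_demo_tree():
    """Constructed sample layout: <tmp>/www/html plays the Apache docroot."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www", "html")
    os.makedirs(os.path.join(docroot, "NewsFeed"))
    paths = {
        "in_docroot": (os.path.join(docroot, "NewsFeed", "news.sqlite"), 0o644),
        "server_root": (os.path.join(base, "www", "dbpass.php"), 0o644),
        "locked_down": (os.path.join(base, "www", "dbpass_locked.php"), 0o640),
    }
    for path, mode in paths.values():
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return docroot, {name: path for name, (path, _) in paths.items()}

if __name__ == "__main__":
    docroot, paths = build_demo_tree()
    for name, path in paths.items():
        print(name, audit_secret_file(path, docroot) or "ok")
```

A file outside the docroot with mode 644 still reports `world-readable`; only the 640 file, readable by its owner and group alone, comes back clean.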