Caps
Rock the board
Posts: 59
# Topic - 19.06.2011 at 17:51
I would hope that the next generation of CS will focus on security. Here is an article in today's news about security for a game site.

Need with moving the config file out of the root and of course some other things.

Article: http://www.bbc.co.uk/news/technology-13829690

"It comes after the computer games firm said on Friday that e-mail addresses and dates of birth stored on the Sega Pass database were accessed by hackers."


Last edited by Caps on 19.06.2011 at 19:11 (edited 2x)

Jam2 ClanSphere Team
Highlander
Posts: 3291
# Reply: 1 - 19.06.2011 at 18:17
if the cracker got some ftp logins isn't it equal where you host the config file?


------------------
Best regards
Jam2

Useful comments in our board / codepastes:
Template Switch for index.php
Board Navlist last posts

Edi: could an extension be added here too?
Jam2: the web is like Toyota.....
Edi: huh?
Jam2: nothing is impossible!

Mindcrime
Geekboy
Posts: 1155
# Reply: 2 - 19.06.2011 at 18:21
Moving the config file out of the document root will provide other problems with hosting providers who have all kinds of safe_mode and open_dir stuff set that disallow accessing files outside the document root... Security and usability will always have some conflicting areas...


Caps
Thread starter
Rock the board
Posts: 59
# Reply: 3 - 19.06.2011 at 18:36
As I stated in another post, the installer would create a folder for the config file for both users who do and do not have root access. CS installer would create a folder both below and above the root. If the user does not have root access, then the folder outside the root will not be created.

The include path will reference both folders, the one below the root (for those who do not have root access) and the one above the root. When the script initiates, it first looks in the default folder (below the root) then looks in the folder above the root.

"if the cracker got some ftp logins isn't it equal where you host the config file? "

If a hacker got FTP access to the operating system, yes, bad news.

To assist in better security, the installer would encrypt that folder or provide a long secure folder name, giving that option upon installing.



Last edited by Caps on 19.06.2011 at 19:02 (edited 6x)

hajo ClanSphere Team
VIP - Poster
Location: Barsbüttel
Posts: 9411
# Reply: 4 - 19.06.2011 at 19:58
the configuration may get cached until a check for changes is successful, so what about that and maybe other issues? I would say it's hard to protect configuration data within a programming language or webspace environment, there are many things to look at, not just the directory it's saved in and if / how it's encrypted.

at least you are right with that and clansphere does care about the basics (db user and pw are nulled after the db connection is made for example). coresphere will consider more possibilities to secure configuration data.


------------------
ClanSphere - professional clan care starts here
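
Added example, not written by any poster in this thread and not ClanSphere's own code: the two-folder lookup described in reply 3, written to tolerate the kind of open_basedir restriction raised in reply 2, with the credentials nulled after connecting as mentioned in reply 4. The directory layout, the file name `config.php`, the function names and the `sqlite::memory:` DSN (which needs the pdo_sqlite extension) are assumptions made for the demonstration.

```php
<?php
// Added illustration, not ClanSphere code. All file, directory and function names are hypothetical.

// Return the first readable config file, checking the directories in the order given.
function find_config(array $dirs, string $name = 'config.php'): ?string
{
    foreach ($dirs as $dir) {
        $path = rtrim($dir, '/\\') . '/' . $name;
        // Under open_basedir, probing a path outside the allowed tree raises a
        // warning and returns false; suppress it and fall through to the next folder.
        if (@is_file($path) && @is_readable($path)) {
            return $path;
        }
    }
    return null;
}

// Connect, then null the credentials so later code (templates, debug dumps) cannot print them.
function connect_and_scrub(array &$cfg): PDO
{
    try {
        return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'],
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } finally {
        $cfg['user'] = $cfg['pass'] = null; // runs on success and on failure
    }
}

// Constructed demo layout: $base/public is the document root,
// $base/private sits above it and cannot be requested over HTTP.
$base = sys_get_temp_dir() . '/cfgdemo_' . bin2hex(random_bytes(4));
mkdir("$base/public/conf", 0700, true);
mkdir("$base/private", 0700, true);
file_put_contents("$base/private/config.php",
    "<?php return ['dsn' => 'sqlite::memory:', 'user' => 'demo', 'pass' => 'constructed-secret'];");
chmod("$base/private/config.php", 0600);

// Lookup order from the thread: the folder inside the document root first, then the one above it.
$path = find_config(["$base/public/conf", "$base/private"]);
if ($path === null) {
    exit("no config file found\n");
}
$cfg = require $path;
$pdo = connect_and_scrub($cfg);
var_dump($path === "$base/private/config.php", $cfg['user'], $cfg['pass']);

// Remove the demo files again.
unlink("$base/private/config.php");
foreach (['private', 'public/conf', 'public', ''] as $d) { rmdir("$base/$d"); }
```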
