Pligg and insecure settings.php
Posted by: rspx0
Posted on: 2008-07-20 07:02:00
Hi -- I've installed Pligg using an advanced one-click install and it's working like a dream.
I've been attempting to secure things. One issue is worrying me -- settings.php is viewable by the world. Just type example.com/settings.php and you get the following in your browser window:
Warning: include_once(mnmincludesettings_from_db.php) [function.include-once]: failed to open stream: No such file or directory in /home/.servername/username/example.com/settings.php on line 6
Warning: include_once() [function.include]: Failed opening 'mnmincludesettings_from_db.php' for inclusion (include_path='.:/usr/local/php5/lib/php:/usr/local/lib/php') in /home/.servername/username/example.com/settings.php on line 6
I've removed any personally identifying material in the path for posting here in this forum, but included is the name of DreamHost's server, then my DreamHost username. Although not an immediate security problem, that's perhaps too much detail to be giving away.
Over at the Pligg site they say to change permissions on the file, but this makes no difference with DreamHost because (I think) of the way it's set up. Even with permissions of -rw------- (as it has right now), the file can still be viewed.
So can anybody help? Is there an .htaccess trick to be done here? I've tried disabling PHP errors but it makes no difference, leading me to wonder if this is actually a PHP error.
Edited by rspx0 on 07/20/08 07:05 AM (server time).
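Added example, not part of the original post: a small check that parses PHP diagnostics out of a response body and lists the server-side directories they disclose, which can be run against your own site's pages before and after a fix. The function names are hypothetical, and the sample body is built from the two warnings quoted in the post, with the poster's placeholder path kept.

```python
import re

# PHP's default diagnostic shape: "<Level>: <message> in <file> on line <n>".
PHP_DIAG = re.compile(
    r"(?P<level>Warning|Notice|Fatal error|Parse error|Deprecated):\s+"
    r"(?P<message>.*?)\s+in\s+(?P<file>/\S+)\s+on line\s+(?P<line>\d+)"
)
INCLUDE_PATH = re.compile(r"include_path='(?P<paths>[^']*)'")
# With html_errors on, PHP wraps parts of the message in <b> and adds <br />.
HTML_TAGS = re.compile(r"</?b>|<br\s*/?>")

def find_path_disclosures(body):
    """Return one dict per PHP diagnostic found in an HTTP response body."""
    findings = []
    for m in PHP_DIAG.finditer(HTML_TAGS.sub("", body)):
        inc = INCLUDE_PATH.search(m.group("message"))
        findings.append({
            "level": m.group("level"),
            "file": m.group("file"),
            "line": int(m.group("line")),
            "include_path": inc.group("paths").split(":") if inc else [],
        })
    return findings

def disclosed_directories(findings):
    """Collect every distinct absolute directory the response gave away."""
    dirs = set()
    for f in findings:
        dirs.add(f["file"].rsplit("/", 1)[0])
        dirs.update(p for p in f["include_path"] if p.startswith("/"))
    return sorted(dirs)

# Constructed sample: the two warnings quoted in the post, placeholder path kept.
SAMPLE_BODY = (
    "Warning: include_once(mnmincludesettings_from_db.php) "
    "[function.include-once]: failed to open stream: No such file or directory "
    "in /home/.servername/username/example.com/settings.php on line 6\n"
    "Warning: include_once() [function.include]: Failed opening "
    "'mnmincludesettings_from_db.php' for inclusion "
    "(include_path='.:/usr/local/php5/lib/php:/usr/local/lib/php') "
    "in /home/.servername/username/example.com/settings.php on line 6\n"
)

if __name__ == "__main__":
    print(disclosed_directories(find_path_disclosures(SAMPLE_BODY)))
```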