[Guide] Security fix for FragFrog package

DarkMaster

IMPORTANT SECURITY FIX FROGMU WEBPACKAGE

I recently discovered that a default Appserv installation DOES NOT protect your config.htpasswd file. This means that any smart hacker can get your username and password! I tested it myself and easily got the SQL server login username and password for someone's private server!

HOW TO FIX
Quite easy, luckily. Open your Appserv configuration files. You can do this by either going to your start menu -> Programs -> Appserv -> Apache Configure Server -> Edit the httpd.conf Configuration file. Another way of opening it is going to your webserver folder (probably in c:\program files\appserv\), apache -> conf -> httpd.conf

You can open this file using a text editor such as Notepad.

Now, find the line that says

# Also, folks tend to use names such as .htpasswd for their password
# files, so this will protect those as well.
#
This should be around line 407.

Below these lines you will find something like '<Files ~ "^\.ht"> stuff here </Files>'

REPLACE THAT WITH
<Files *.ht*>
Deny From All
</Files>
Now, save the file and restart Apache (using the Apache service monitor, or through your start menu -> Programs -> Appserv -> Apache Control Server -> Restart).

Applies To:
FrogMu Webpackage 2.0 beta

Credits: FragFrog
 
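Why the default rule leaves config.htpasswd readable, as an added example that is not part of the original post or the FrogMu package: it models how a file's base name is tested against the default `^\.ht` regex, the `*.ht*` wildcard from the fix, and a tighter pattern. Assumptions: matching is case-sensitive on the base name only, the "tight" pattern is hypothetical, and every file name except config.htpasswd is constructed.

```python
import fnmatch
import re

# Simplified model (assumption): a <Files> pattern is tested
# case-sensitively against the requested file's base name only.
def regex_rule(pattern):
    rx = re.compile(pattern)
    return lambda name: rx.search(name) is not None

def glob_rule(pattern):
    return lambda name: fnmatch.fnmatchcase(name, pattern)

RULES = {
    # Stock httpd.conf rule: only names that START with ".ht".
    "default": regex_rule(r"^\.ht"),
    # Wildcard used in the fix above: any name containing ".ht".
    "wildcard": glob_rule("*.ht*"),
    # Hypothetical tighter rule (not from the post): names ending in
    # .htaccess or .htpasswd, with or without a prefix.
    "tight": regex_rule(r"\.ht(access|passwd)$"),
}

# Files that must never be served, and files the site still needs.
# Constructed sample names; only config.htpasswd comes from the post.
MUST_BLOCK = [".htaccess", ".htpasswd", "config.htpasswd"]
MUST_SERVE = ["index.php", "index.html", "style.css"]

def audit(must_block=MUST_BLOCK, must_serve=MUST_SERVE):
    """Return {rule: (exposed, over_blocked)} for every rule."""
    report = {}
    for name, denies in RULES.items():
        exposed = [f for f in must_block if not denies(f)]
        over_blocked = [f for f in must_serve if denies(f)]
        report[name] = (exposed, over_blocked)
    return report

if __name__ == "__main__":
    for name, (exposed, over_blocked) in audit().items():
        print(f"{name:9} exposed={exposed} over_blocked={over_blocked}")
```

After editing httpd.conf and restarting Apache, requesting config.htpasswd in a browser should return 403 Forbidden; the wildcard row also shows that static .html pages in the same tree would be denied.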

RhysFox

Good work... Again by you :wasntme:. Very useful :chuckle:.
 

Mephisto

Nice job.. because of this I use array() for config.php