phpBB Academy at StarTrekGuide

[Derky]

I've hard disabled the template editor and database back-up/restore functionality in phpBB.

To disable the template editor (where admin (founders) can place PHP code in), add this line to your config.php

Code: Select all

@define('PHPBB_DISABLE_ACP_EDITOR', true); 

I never use the phpBB back-up/restore function, so to disable it I've just added a trigger_error into ./includes/acp/acp_database.php
I could also remove the module and delete the file but then (the file) might be added again by a phpBB update.

Code: Select all

trigger_error($user->lang['DISABLED'], E_USER_WARNING); 

So if someone manage to login as a founder, he can't insert php code or get a database dump.

[3Di Marco]

I filed a bug report about the database backups stored into the 'store' folder, there was not an .htaccess file there just a index.html.

Developers said it should be handled by permissions though, they fixed it putting an .htaccess file there, as per the 3.0.5 incoming version.

I do think that's not enough though, when you download a backup file via ACP it is passed through HTTP afaik. I could probably be wrong, don't know.

[Derky]

There is already an .htaccess in the store folder in 3.0.4, take a look yourself: http://www.ohloh.net/p/phpbb/download?f ... -3.0.4.zip

[3Di Marco]

There is already an .htaccess in the store folder in 3.0.4, take a look yourself: http://www.ohloh.net/p/phpbb/download?f ... -3.0.4.zip

Your ticket's status is "Patch written"

A fix for the issue that you reported has been committed to the source code repository and will be part of the next release. Please verify that the patch has completely addressed the issue. Thank you.

EDIT: it was the fact just the .htaccess file was there but windows servers don't use/allow those files. Sorry.

[Derky]

Ah yes.. then you're right indeed.