SMF and security

[tdhoa_vn]

HI all,

I would like to query for the SMF security concerns. After istallation, all the information will be recorded in the files "Settings' and "Setting_bak". user name, data base's name and password also recorded in these file. Those file again located in the main host.

This could be a way for hacker to download the file and controls everything. can we manage it?

[Dannii]

If someone had access to the server to read those files, they could do basically anything whether the files were there or not. But unless the server is configured very badly there should be no way to download the contents of those files.

[karlbenson]

Indeed.
Any php software that requires access to your mysql database will store the information in a file.
The only people who can read/view the file is anyone who has access to the ftp. (unless like Dannii says, a piss poor server configuration)

SMF takes security very seriously and gets a fraction of the security vulnerabilities with other forum software.

However if someone manages to compromise your hosting account, then not even Superman could you.

[Ðyєgσv]

I wouldn't worry at all for security with SMF. It's the first concern of Developers, and they always do their job with security at a high top level of importance

[karlbenson]

Security is a primary concern.
When running any sort of 3rd party script you need to have trust in the developers.

And as they say, trust is easy to lose, almost impossible to win back.
I've been burnt a few times over the years with of the security inadequacies of some other popular unnamed forum software.

[metallica48423]

Settings.php doesn't actually output anything -- have you tried accessing it via web browser?