Can someone tell me where I can find a guide to hardening a manual phplist install?
Specifically, I’m very concerned about the fact that the documentation page corresponding to this discussion thread (Installing phpList manually) tells us to use a config file (which contains the db password) that is located inside the document root. Unlike many similar web-based projects, phplist actually ships the tarball with a root directory and a ;public_html’ directory inside of that. Why then is the config file not located in the root directory so it’s located outside the document root?
Indeed, moving the config file outside the docroot is a very common hardening step. For example, see these links for doing so with mediawiki & wordpress:
As pointed out in the above links, config files containing passwords are moved out of the document root because:
If there is some issue with the php engine of the web server, the content may be sent to the user in plaintext, clearly sending out the contents of the config file in plaintext. This becomes a non-issue if the config file is already located outside the docroot.
Many editors save backups of the config file, such as ‘config.php~’ or ‘.config.php’ It is very common for these files to linger if–for example–an ssh session terminated while editing the file. The result: the webserver may serve this backup of the config file in plaintext to the client. This becomes a non-issue if the config file is located outside the docroot, as the corresponding backup files will also exist outside the docroot.
Is there some guide published by phplist.org on how to harden a phplist install? If not, can one be created? Or, at least, can we update this page with instructions to move the config.php file outside the document root?
Senior System Administrator
PGP Fingerprint: 8A4B 0AF8 162F 3B6A 79B7 70D2 AA3E DF71 60E2 D97B
Open Source Ecology