Potential Security Risk - Installing Joomla from Virtualmin

It is great that VMpro has the nifty feature to install various quality open-source scripts with a click of a button.

However, there is a potential security risk that perhaps people should be aware of:

The domain owner’s username and password are used as Joomla’s mysql login in the automated installation process. More importantly, the username and password are included in configuration.php and they are not encrypted.

Because configuration.php is chmod’ed to world-unreadable, it is OK (i.e. people can’t see what’s inside the php file using a browser). However, in order to change the configuration of Joomla, one has to set configuration.php to 777 first. During that time, anyone could see your username and password. Since it is the same username and password as the domain owner’s, the repurcussion is even greater. Worse if you forget to chmod configuration.php back to 644.

I guess there isn’t much you can do except to always ensure that your configuration.php is set to 644 when you are not changing the configurations. As an added step, maybe consider hiding your mysql username and password as suggested here: http://webhelp.ucs.ed.ac.uk/services/mysql/hide-pass.php

Another way to mitigate risk: Move configuration.php outside public_html directory

Refer to

777 and 644 are both world readable, so that does not change anything.

The only difference between 777 and 644 are that the group and anyone cannot "write" or "execute" in 644.

If you do a wget on http://www.website.com/joomla/configuration.php, or where ever you have installed this file, you will only get a zero length file downloaded. You dont get the contents of variables when pulling a php file with a webbrowser.

So, a web based user cannot see the contents of configuration.php regardless. of whether it is a 777 or 644.

John P.

One possible thought…

If you’re copy of apache is not handling php extensions correctlly, you would then see the contents of the file.

But, if that’s the case, the fix is to correct the overall php issue.

you should not need to modify the permissions of configuration.php for joomla! when using PHP in the Virtualmin preferred state of via fcgid. Virtualmin, by default IIRC, sets up PHP to run via fcgid and suexec so joomla! will automatically be able to read and write your configuration.php, even if you set the permissions to 700. This is due to the fact that suexec spawns the php-cgi program as the owner of the virtual server, so one should never need to set configuration scripts to be world readable.