Database password hiding

[Dennis_B]

Hi all,

Im looking for het mod that hides the database password (with *******) for 1.4
I Know its here somewere, but i cant find it can some1 point me to the right url?

Thanks

[Raytheon]

You can download the MOD here: http://yabbse.bjoern-berg.de/Mods/1.5.1/hideDBpw.mod

[Björn]

my mod is for 1.5.1 and doesn't show anything in the password fiedl, because for **** the password stand in the code.

[Michele]

Um, wouldn't it be easier to just replace

Code Select Expand

<td class="windowbg2" bgcolor="' . $color['windowbg2'] . '"><input type="text" name="db_passwd" value="' . $db_passwd . '" /></td>


with this

Code Select Expand

<td class="windowbg2" bgcolor="' . $color['windowbg2'] . '"><input type="password" name="db_passwd" value="' . $db_passwd . '" /></td>


Or am I missing something?
Michele

[Björn]

but if you look in the code of the site you find the password

value="' . $db_passwd . '" />

[Michele]

but if you look in the code of the site you find the password

value="' . $db_passwd . '" />

You mean if they view the source of the page? Yes... that's true, but I guess I don't see the why of this?

If the admin leaves themselves logged in on a computer that isn't secure, someone can do a heck of a lot of damage on the site anyway - they don't need access to the db to do that.  They already have access to template.php, deleting boards, deleting members, and every other admin function available in YSE.

Hiding the db password on that screen is like closing the barn door after the cows have escaped. I guess I still don't get it.

EDIT: Ok, I thought of two possibilities. You're on an insecure computer and someone rummages through the Temp Internet Files and finds that page still in the cache. Which means you have a more serious problem of a stalker following you instead of just a hacker.

Or... someone is running a packet sniffer on their own site, but even then, the db password is sent back and forth a dozen times a minute anyway.

[Jack.R.Abbit]

Those two scenarios are true but there are more...

My situation is that I maintain the account on a server that has more than just the Yabb install.  There are three Admins for the board.  They have no need for my DB info.  Not that I don't trust them... they just don't need it. Any more than they need the ftp info either.  Suppose they know the password, then I revoke their Admin rights.  Could they not remotely access my DB and give themselves Admin rights once again?  Remove my account from the DB?  Grant everyone Admin rights?  A lot of bad things can be done remotely with something like phpMyAdmin.

I'm going to give that mod a try.

-Jack

[Michele]

Those two scenarios are true but there are more...

My situation is that I maintain the account on a server that has more than just the Yabb install.  There are three Admins for the board.  They have no need for my DB info.  Not that I don't trust them... they just don't need it. Any more than they need the ftp info either.  Suppose they know the password, then I revoke their Admin rights.  Could they not remotely access my DB and give themselves Admin rights once again?  Remove my account from the DB?  Grant everyone Admin rights?  A lot of bad things can be done remotely with something like phpMyAdmin.

I'm going to give that mod a try.

-Jack

Good point Jack. Luckily my host restricts db access to localhost only unless I specifically add IPs to that list. So no one can load myPHPAdmin from their own computer to access my db, even if they do know the password.

[Björn]

but if they have ftp access, they can see the password in the Settings.php

[Michele]

but if they have ftp access, they can see the password in the Settings.php

Then perhaps a better solution is to only give them FTP access to their own sub-directories. I'm hosting a friend on his own sub-domain on my site, and when I set up the sub-domain for him, I set up a matching FTP account that ONLY lets him go to his sub-domain, he cannot get to the rest of my site at all.

[Jack.R.Abbit]

I gave that mod a try.  It works alright but you can't edit the password from there.

I wrote one that allows you to enter the current password and a new password if you want to change it.

I made it as a YabbPak that is compatable with 1.4.1/1.5.1 by way of a special mod I have created that is requried for all of my mods.

I only do YabbPaks so check my Package Server for details about this and other mods.

-Jack