zp-config.php code in the root directory

Hi,

I took the code from the zp-config.php file and pasted it into a PHP file called zp-config-root.php. I placed this file in the root directory so it wasn't accessible from the web.

I then changed the code in the zp-config.php file to be just an include tag pointing to the zp-config-root.php file.

It works fine on the zenphoto index page; however, as soon as I click onto an album I get an error saying that the path is invalid, failed to open stream.

I know you can do this easily with WordPress by simply dumping the wp-config.php file anywhere and the system scans for the location of this file, no need for redirects or includes.

Any advice?

Comments

  • acrylian Administrator, Developer
    That file must be within the zp-data folder. It won't be accessible if you set the file/folder permissions correctly (as indicated on setup).
  • Just why do you want to move this file anyway?
  • I was wanting to move that file because of the sensitive SQL data it contains, not to mention the latest attack on the new version of zenphoto is attacking that very file.
  • Moving it will not make it safer. Only proper security measures such as only allowing owner access to the zp-core folder will do that.

    Anyway, if you are referring to the threads on this forum about that file being compromised, that was most likely caused by the site administrators not removing the setup files, not by someone actually accessing your server and the folder directly. (Unless, of course, you have no folder security. In which case it does not matter where you move it, it will still be vulnerable.)
  • Old post I know but I've been having problems with the config file getting corrupted as well. Quite often in fact.

    Luckily, I simply replace the file with a known good one and all is well - but it's annoying because my clients hate seeing the error. I have to constantly monitor my sites which is time consuming.

    What should the permissions be for zp-data folder?? Also what other steps can be taken so this stops happening?

    Thanks,
    Mike
  • acrylian Administrator, Developer
    I am sorry for these issues. I fear I cannot really help as I have never encountered this on several sites with several (shared) hosts. Normally the file is not even touched unless you change things.

    As Setup suggests the files in zp-data should be 600. The folder itself may be 755. It depends on the server how strict you can set things. All servers I know break things if you set to the strictest. Setup tries to set permissions but sometimes that conflicts with the server so you have to adjust manually.
  • Hmmm yeah my permissions match these...bummer
  • Guys this keeps happening to multiple sites (all same host). Sometimes I get the red bar that says corrupt config file - other times I get the zenphoto installation/upgrade page.

    If I simply replace the config file and reload the root page it's fine.

    I'd ask if you could please help me resolve this issue. I'll do whatever I can to make it happen.

    Please let me know what steps to take to get you the info you need to help diagnose and fix this issue.

    As mentioned permissions are as above, and install folder is protected.

    Please email me directly if you want.
    Much appreciated,
    Mike
  • acrylian Administrator, Developer
    Sorry, still no idea what it could be. This is not normal behaviour. Maybe too strict permissions? Try one level less. For example my server breaks on the strictest setting.
  • Could it be getting hacked? I've looked at the config file when it errors and it's definitely not normal.

    What steps can I take to provide you guys info to help diagnose?
  • acrylian Administrator, Developer
    I primarily use Zenphoto on various standard shared hosts and never encountered this. That doesn't mean you don't have any problem but I sadly really have no idea where to look for what if there are no errors in the server logs.

    Try to lower permissions on the folder and files. If that doesn't work, maybe contact your host in case of a server config issue somehow.
  • There are logs. The main Security log that I keep seeing is this:

    Authorization cookie check Failed :deleted

    I've even blocked the IPs...but they keep showing up with different IPs.

    Any ideas on this?
  • acrylian Administrator, Developer
    That's a message from the security logger plugin (note: ZP logs != server logs) about a failed cookie check, e.g. if someone tries to access without being logged in. But it does not really explain why the config file might get corrupt as it normally is just read. It could very well be hack attacks.

    In any case I would contact your host about this. They should have more insight into what might be going on.
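
The permission values cited in the thread (600 for files in zp-data, 755 for the folder) and the recurring config corruption can both be checked automatically instead of by hand. The script below is an added example, not part of the thread or of Zenphoto's code; the function names and the baseline file location are assumptions, and the baseline should live outside the web root.

```python
import hashlib
import os
import stat
import sys

FILE_MAX = 0o600  # files inside zp-data, per the thread
DIR_MAX = 0o755   # the zp-data folder itself, per the thread


def audit_permissions(zp_data):
    """Return (path, octal mode) for entries more permissive than the values above."""
    entries = [(zp_data, DIR_MAX)]
    for name in sorted(os.listdir(zp_data)):
        path = os.path.join(zp_data, name)
        if os.path.isfile(path) and not os.path.islink(path):
            entries.append((path, FILE_MAX))
    findings = []
    for path, allowed in entries:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & ~allowed:  # any permission bit set beyond the allowed mode
            findings.append((path, oct(mode)))
    return findings


def check_config(config_path, baseline_path):
    """Compare the config's SHA-256 with a stored baseline.

    Returns 'missing', 'baseline-created', 'unchanged' or 'changed'.
    """
    if not os.path.isfile(config_path):
        return "missing"
    with open(config_path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            fh.write(digest)
        os.chmod(baseline_path, 0o600)
        return "baseline-created"
    with open(baseline_path) as fh:
        return "unchanged" if fh.read().strip() == digest else "changed"


if __name__ == "__main__":
    # Arguments (caller's own paths): <zp-data folder> <baseline file outside web root>
    zp_data, baseline = sys.argv[1], sys.argv[2]
    findings = audit_permissions(zp_data)
    for path, mode in findings:
        print(f"too permissive: {path} is {mode}")
    status = check_config(os.path.join(zp_data, "zp-config.php"), baseline)
    print(f"zp-config.php: {status}")
    sys.exit(1 if findings or status in ("changed", "missing") else 0)
```

Run from cron, a non-zero exit gives a timestamp for when the file changed, which can then be matched against the host's server logs. A deliberate settings change also reports `changed`, so delete the baseline file after one to record a new hash.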