
Thread: Warning: I am able to write to the configuration file:

  1. #21

    Well, with Windows it's two separate layers of security, whereas with Linux it's just one.

    The main layer is the NTFS permissions, which tell Windows what users/processes on the server itself can access a file/folder; but the public layer ("outside world") is simply controlled by IIS (the web server) in a separate configuration.

    This is why it's safe and much easier permissions-wise for users with Windows web hosts - IIS simply has the "read" permission, whereas the NTFS permissions allow Full Control for your scripts to run, resulting in never needing to worry about or change permissions of any kind.
    Warren Ashcroft
    Red Fox UK Limited - Pioneers in Internet Technology
    http://www.redfoxuk.com
    w.ashcroft [at] redfoxuk.com

    NOTE: Forum Private Messaging should not be used to contact staff with support queries.

  2. #22

    Further to this thread, I wonder if anyone can help me.

    There are numerous config files in osCommerce which contain the database username and password.

    I tested the security by setting up an HTML link to the config file and then right-clicking and downloading the file.

    It lets me do it - from there I can copy and paste the username and password of the SQL database.

    I believe this is why you need to use Linux permissions, so only the server can access this file - it must be readable on the server side, but the read permissions should be closed to outside parties.

    1) Am I right? I'm certainly no expert.
    2) If so - how can I fix it?
    3) Is this just a weakness of osCommerce on Windows servers?

  3. #23

    That's not possible when PHP is running on your website; since it's a .PHP file, PHP processes it and therefore will not display the PHP code (password variables).
    Warren Ashcroft
    Red Fox UK Limited - Pioneers in Internet Technology
    http://www.redfoxuk.com
    w.ashcroft [at] redfoxuk.com

  4. #24

    Another trick is to use .ini files, as IIS will just give a 404 error if you try to access them over HTTP.
    Even better is to keep everything you can outside of the web root directory - I'm surprised more open source software doesn't give this option.

  5. #25

    Rumbled!!!!

    I thought I had tried it but I obviously hadn't - I just tried it again and all I got was the HTML file - so there's no security issue to speak of.

    Just password protect your admin folder and you'll be fine.

    Regards

    Jon

    (Try things before you say you have tried them)
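
An added example (not written by any poster in this thread): Python for the two checks the replies above describe, classifying what the server returned for the config file's URL and auditing where the file sits relative to the web root. The `DB_SERVER_*` constant names, the finding labels and the sample response are assumptions constructed for illustration.

```python
import os
import re

# Assumed osCommerce-style markers; adjust to the constants your config defines.
SOURCE_MARKERS = re.compile(
    r"<\?php|define\(\s*['\"]DB_SERVER_(?:USERNAME|PASSWORD)['\"]")

# Constructed sample: what a client would receive if PHP were NOT processing the file.
SAMPLE_LEAK = "<?php\n  define('DB_SERVER_PASSWORD', 'example-only');\n?>"


def classify_response(status, body):
    """Classify what the web server returned for a request to the config file."""
    if status in (401, 403, 404):
        return "blocked"          # server refuses to serve the file at all
    if SOURCE_MARKERS.search(body):
        return "source_exposed"   # raw PHP reached the client: credentials leak
    return "processed"            # PHP ran the file; no source in the response


def audit_config_file(config_path, web_root):
    """Return findings about the config file's location and permissions."""
    findings = []
    cfg = os.path.realpath(config_path)
    root = os.path.realpath(web_root)
    try:
        inside = os.path.commonpath([cfg, root]) == root
    except ValueError:            # e.g. different drives on Windows
        inside = False
    if inside:
        findings.append("inside_web_root")
        if not cfg.lower().endswith(".php"):
            # Not run through PHP, so only a server rule keeps it private.
            findings.append("relies_on_server_block")
    # Any write bit set (POSIX mode; on Windows this only reflects read-only).
    if os.stat(cfg).st_mode & 0o222:
        findings.append("write_bits_set")
    return findings


if __name__ == "__main__":
    print(classify_response(200, SAMPLE_LEAK))           # raw source served
    print(classify_response(200, "<html></html>"))       # file was executed
```
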
