XF 2.1 Can someone access to config.php file ?

ShinLim

Active member
I think this is a noob question but I still wonder why and is it possible for someone just type in browser and view src/config.php file ?
I tried to access to view it on browser but it went blank, why's that ? I still don't know why, is that because security of system (if so, from what) ?
Can someone please help me answer this ?
Thank you
 
I hope I understood your request correctly, even though it seems like a basic thing and it's strange that you don't have an understanding of the purpose of that file. The XenForo config file acts as a safe for some sensitive data that connects the software with the database. In fact, the config.php file contains the database passwords of your website. Therefore, when accessing the config.php file through a browser, it is interpreted as a webpage and executes its PHP code. If the file only contains PHP code without any HTML code, the browser displays a blank page, which is the correct behavior. If you, as the owner, would like to see the contents of config.php, you should use the file manager of your hosting control panel or download it through an FTP program and view it with an editor such as Notepad++.
 
I hope I understood your request correctly, even though it seems like a basic thing and it's strange that you don't have an understanding of the purpose of that file.
I took the question to be a concern about the security of that file not about how to view your own config.php, ie how possible it would be for someone else to see the contents.

So I think it is a valid question.
 
It COULD be viewed if you end up turning off php, or the handler for the extension. then, the web server would just send it as text/plain and thus, viewable as source. Don't mis-configure and there's no concern.

There are ways to protect it further. do some searching on protecting the config file here with htpasswd and so forth if you wish.
 
I took the question to be a concern about the security of that file not about how to view your own config.php, ie how possible it would be for someone else to see the contents.

So I think it is a valid question.
Yes that's what I mean for the question
When opening php file it gets blank page because of php mechanism (when installing php : yum install php or apt install php), if a site didn't install php then when directly open it it will download the file because the Content-type was application/octet-stream If I understand correctly, everything in "<?php" will be executed by php processor and not display publicly
I'm just curious if someone can view the file somehow ? (except that the server was hacked)

I know it's strange and stupid question but I didn't even notice it for a long time til now
 
Last edited:
No, someone can’t view the file unless your server was misconfigured. You could block direct access to it with your web server if you are worried (same as you can block access to any other URL with your web server).
 
Back
Top Bottom