Security question related to admin.php


gjermund72

10:19 pm on Feb 2, 2006 (gmt 0)

10+ Year Member



Hello :)
Hopefully someone can help me with this:
I have just installed Php-Nuke ver 7.8 on the server that hosts my site.
Everything works fine.
But I read in the install.txt file inside the download folder, and I quote:
"SECURITY TIP: It's a good choice to put your config.php file outside the
Web Server path, then you can create a new config.php with the line:

<?php include("../config.php");?>
"

Since I'm very much a newbie at PHP, I'm not quite sure what this means exactly, or how I do it.
I of course do want to follow this tip though.
Can anyone please explain to me exactly what to do, STEP BY STEP please, as if my site were www.example.com?
I would really appreciate a thorough explanation of how to do this.
It would be very nice if anyone could tell me the exact code I have to put inside the "fake" admin.php I am told to publish (including the most basic PHP code, since I don't know PHP code at all.....) ;-)
Would appreciate it a lot.

StupidScript

10:49 pm on Feb 2, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is a common recommendation made by most web applications: place the administrative files outside of the web directory for a little bit of security. That way if someone compromises your web server user's account (apache or nobody or something like that), then they won't have immediate access to these types of sensitive files, because they are not located in a directory that your web server user 'owns'.

You don't mention which server software you are using, so I'm going to do an example for Windows and one for Unix.

Windows

Say you have a directory structure like this:

C:\inetpub
where your server software is installed. In that directory, you might have
C:\inetpub\html
as the 'home' directory of your web pages. During PHPNuke installation, you might end up with
C:\inetpub\phpnuke
as its 'home' directory.

The problem is that the admin.php file is now in the

C:\inetpub\phpnuke
directory, where it is at risk. It needs to be somewhere else ...

Move admin.php from C:\inetpub\phpnuke to C:\inetpub, and use the recommended code that you posted.

That code says "../" = "move up one directory" from C:\inetpub\phpnuke to C:\inetpub, "and look for admin.php there". Fortunately, that's where you put it, so PHPNuke can find and use it without the immediate threat formed by having the admin page in the same directory as the program files.

Unix

Same concept, different-looking directory structures:

/var/www = web directory
/var/www/phpnuke = nuke directory
/var/www = new location of admin.php

Ideally you would place these types of files even further out of the web structure. For example:

/var/www = web directory
/var/www/phpnuke = nuke directory
/var/private = semi-secure directory

and the code you would use adds an extra instruction:

../../private/admin.php

("Move up two directories ... then from there go into 'private' and look for admin.php")

("Move up out of /var/www/phpnuke into /var/www and then up into /var and then forward into /var/private and find /var/private/admin.php in there")

So: Move the admin page out of the Nuke directory and then adjust your code to tell the application where to find it.

gjermund72

6:53 pm on Feb 3, 2006 (gmt 0)

10+ Year Member



Hello :)
Thanks for the reply and the thorough description.

But, the new file I have to make:
Is the code I mentioned the ONLY code I have to write in the "fake" admin.php file? Or do I have to type some standard PHP code before and/or after this code as well?

Appreciate any reply.

Best regards:

Gjermund

StupidScript

7:25 pm on Feb 3, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The 'fake' config.php's purpose is to tell PHPNuke where the real config.php file is.

Basically, Nuke looks for the original config.php file in its usual place, and finds the 'fake' config.php file instead. So it opens the 'fake' and reads:

<?php include("../config.php");?>

which tells Nuke to "go up one directory in the structure and you'll find the real config.php file in that directory".

So depending on the directories Nuke needs to traverse to find the real file, your 'fake' config.php file will look nearly exactly like the above when you're done.
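As an added illustration of the "fake" config.php described above and of the /var/private layout from the earlier reply (this is example code written for this thread, not PHP-Nuke's own file, and not code posted by either participant), here is a stub that resolves the real file relative to its own location rather than relying on "../". A bare "../config.php" is resolved against the web server's current working directory, which is not always the Nuke directory, whereas dirname(__FILE__) always points at the directory this stub lives in. The assumed layout is the stub in /var/www/phpnuke and the real file in /var/private/config.php:

```php
<?php
// Added example stub config.php: stays inside the web root and loads the real
// configuration from outside it. Assumed layout (from the thread's example):
//   this stub  -> /var/www/phpnuke/config.php
//   real file  -> /var/private/config.php
// dirname(__FILE__) anchors the path to this file's own directory, so the
// include resolves the same way no matter which script loads config.php.
$realConfig = dirname(__FILE__) . '/../../private/config.php';

if (!is_file($realConfig) || !is_readable($realConfig)) {
    // Fail closed with a generic message; never echo the real path to visitors.
    header('HTTP/1.1 500 Internal Server Error');
    exit('Configuration unavailable.');
}

// require (not include) stops the application if the file cannot be loaded,
// instead of letting Nuke continue without its database credentials.
require $realConfig;
?>
```

Two things to check after moving the real file: /var/private must not be served by the web server (it is outside /var/www, so it is not in this layout), and the real config.php should be readable only by the web server's user, since it holds the database password.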

gjermund72

7:55 pm on Feb 3, 2006 (gmt 0)

10+ Year Member



Hello again :)
Ok, so there is no standard code from all PHP files that I also have to include in the fake admin.php file?

For example, in all HTML files one has to have
these tags:
<html><head><title><body> etc... whatever else you plan to write in them.