phpWebLog - web news management with adolescent sexist humor
  • Discussion on Security - General
    Posted by Blake (Sunday June 25 2000 @ 12:21PM EDT) views: 428
    First off, let me start by saying that the first person who comes up with an internet version of an encyclopedia (not just another crappy search engine, but a nicely organized, comprehensive resource on topics) will be rich.

    That out of the way, I've been coming across bits and pieces in different places regarding the mysql connect function in PHP, the password, storing it in a file and so forth as regards security. Here is my concern. I've found one snippet that says you shouldn't store your mysql password in any file that has a .php* extension. I've found another snippet that doesn't really address this, but it uses common.inc instead of common.inc.php.

    Phpweblog uses common.inc.php. Is there a security concern here?

    I've tried looking up more info on this but haven't found much. I have, however, found some interesting security info in general that I'd like to share to make sure that it gets covered in phpWebLog, which I think is an excellent program so far.

    http://hispahack.ccc.de/en/mi020.htm is an article about php and mysql weaknesses in Phorum.

    Thanks


    By jason (Sunday June 25 2000 @ 12:57PM EDT)
    I'd like to know more about why having passwords stored in files with .php extensions is potentially vulnerable. Originally, phpWebLog's config file was named common.inc. The reason why this was renamed was because Apache will serve a .inc file as text/plain, blatantly exposing any precious data contained in this file. Renaming it to .php seems to be the safest way to keep this data private, as Apache will parse this file instead of displaying its contents. The only concern I believe at this point would be that a local user on the server may be able to read this file if the permissions allow.
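    The layout this thread converges on (a credentials file that is parsed but outputs nothing, kept outside the document tree, as Jason, deekayen and heath describe) written out as an added example. This is not phpWebLog's own code; the file names, paths and variable names are assumptions, and the mysql_* calls are the PHP 4 API the thread is discussing (mysqli_connect takes the same arguments in later PHP). Whichever extension you keep, the Apache-side fix for the text/plain problem is either to hand .inc files to PHP (`AddType application/x-httpd-php .inc`, as Brett Jones suggests in this thread) or to refuse to serve them at all (`<Files ~ "\.inc$">` with `Order allow,deny` and `Deny from all`); moving the file above the document root removes the question entirely.

```php
<?php
// Added example, not phpWebLog's own code. Assumed layout:
//   /home/yoursite/www/common.inc.php   <- inside the document root, served by Apache
//   /home/yoursite/config/db.conf.php   <- one level up; no URL maps to it
//
// The credentials file holds only PHP assignments and emits no output, so
// even if a copy ended up under the document root and was parsed by PHP a
// browser would get an empty page, not the password. Leave off the closing
// PHP tag so not even a trailing newline is sent:
//
//   <?php
//   $db_host = 'localhost';
//   $db_user = 'weblog';
//   $db_pass = 'change-me';     // assumed placeholder value
//   $db_name = 'phpweblog';

// ---- common.inc.php (the part that lives under the web tree) ----

// Resolve the config file relative to this script, not to the current
// working directory, which differs between Apache and a shell.
$config_file = dirname(__FILE__) . '/../config/db.conf.php';

if (!is_file($config_file) || !is_readable($config_file)) {
    // Fail closed. Do not fall back to built-in defaults and do not print
    // the path to the visitor; the web server log is the right place.
    error_log('phpWebLog: cannot read database config file');
    exit('Site temporarily unavailable.');
}

require $config_file;

$link = @mysql_connect($db_host, $db_user, $db_pass);
if (!$link || !mysql_select_db($db_name, $link)) {
    // mysql_error() can include the username and host; log it rather than
    // echoing it into the page.
    error_log('phpWebLog: database connection failed: ' . mysql_error());
    exit('Site temporarily unavailable.');
}

// The password is no longer needed once the connection exists; drop it so a
// later var_dump($GLOBALS) or phpinfo()-style debug page cannot leak it.
unset($db_pass);
```

    Note that the include still has to be readable by the uid Apache runs as, so this only keeps the password away from browsers, not from other scripts running under the same server uid.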
    By deekayen (Sunday June 25 2000 @ 01:37PM EDT)
    My thinking has been the same as Jason's too. It seems to me that the password is going to have to be stored in some sort of file, so the best would be something that doesn't have any output when someone tries to load it through apache.
    By blade (Sunday June 25 2000 @ 01:45PM EDT)
    I've had an eye on it, too, but never had the time to write anything about it.
    Wouldn't it help to create another file with the mysql connection info in it and put that one in a safer place?
    The common.inc.php file would then contain just the location of that mysql-connection file.
    A safer place would be for example the cgi-bin directory.

    I saw that configuration style for example in the nope configuration.

    Can anyone agree with me ?
    By heath (Sunday June 25 2000 @ 09:04PM EDT)
    Huh?

    Why can't you just put all include files above the web document tree - including config vars, db passwords, etc.

    This makes it impossible for anyone to gain access to them via the browser.

    Maybe I am missing something here?
    By Anonymous (Monday June 26 2000 @ 02:57AM EDT)
    heath - and what would those who are virtually hosted do?
    By Blake (Monday June 26 2000 @ 08:41PM EDT)
    I haven't been able to find out why having them in a .php* is bad, but I did read somewhere that you should change the PHP scripts containing passwords so that they are not world/group readable.

    So, is it possible to defeat Apache serving up common.inc as text by changing its permissions so that it's not world/group readable and thus it wouldn't serve it to a browser?

    Pardon my ignorance on some of this.
    By Brett Jones (Tuesday June 27 2000 @ 01:52AM EDT)
    It would be easy to add .inc to the files parsed by PHP/Apache if you have a bunch of code that's looking for .inc files and you don't want to "fix" the code.

    It seems to me the safest thing to do with sensitive info would be to put it in a file that gets parsed but displays nothing.

    If it's a dedicated server, you could add this stuff via the prepend options in the php.ini file, then put the file above the document root.
    By Heath (Tuesday June 27 2000 @ 04:39AM EDT)
    [quote]heath - and what would those who are virtually hosted do?[/quote]

    Huh? I've never seen a virtual host that wouldn't let you go at least ONE level above the /www/ tree.

    i.e.

    Web directory is:
    /home/yoursite/www/

    Put super-secret data here:
    /home/yoursite/nobody_can_see_this_dir_from_their_browser_and_is_therefore_safe_and_unless_I_am_missing_the_point_it_should_solve_the_problem/common.inc
    By blade (Tuesday June 27 2000 @ 08:59AM EDT)
    Normally if you're virtual hosted you have a tree in which the http document tree will follow one level down.
    So you can either put it in that root dir or, perhaps more safely, in the cgi-bin directory.
    The only problem is still those users having a virtual host on the same server. And as a normal user you normally can't change the group to any other group than the group you're a member of. Otherwise I'd change the rights to the group which runs the Apache.
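    The permission question raised by Blake and blade above, as an added check that is not part of phpWebLog: a small PHP audit function that reports whether a credentials file is readable by more people than the web server needs. The path is an assumption. Two caveats it encodes: Apache only serves what its own uid can read, so taking away world/group read never stops Apache from serving a file that PHP itself can include; and on a shared host running mod_php without suEXEC/suPHP every customer's scripts run under that same uid, so a file readable by Apache is readable by every other virtual host's PHP as well, which is the limit blade describes.

```php
<?php
// Added example, not phpWebLog's own code. Run it from the shell as the
// Apache user (e.g. `su nobody -c "php audit.php"`) or once from a page,
// so that is_readable() answers for the uid that will actually include
// the file. The path below is an assumed location.

function check_secret_file($path) {
    $problems = array();
    clearstatcache();

    $mode = @fileperms($path);
    if ($mode === false) {
        return array("cannot stat $path");
    }

    // Permission bits are octal: 0004 = world read, 0020 = group read.
    if ($mode & 0004) {
        $problems[] = 'world-readable: any local user, including scripts of '
                    . 'other virtual hosts on a shared box, can read the password';
    }
    if ($mode & 0020) {
        $problems[] = 'group-readable: every member of the file\'s group can read it';
    }

    // Tightening permissions has a floor: the uid running PHP must still be
    // able to read the file or include()/require() simply fails.
    if (!is_readable($path)) {
        $problems[] = 'not readable by the uid this script runs as; '
                    . 'require() of this file would fail';
    }

    // A file owned by the web server uid can be chmod'ed back by any script
    // running as that uid, so ownership by the site account is preferable.
    if (function_exists('posix_geteuid') && fileowner($path) === posix_geteuid()) {
        $problems[] = 'owned by the uid running PHP; any script under this uid can '
                    . 'change its permissions';
    }

    return $problems;   // empty array means no finding
}

$findings = check_secret_file('/home/yoursite/config/db.conf.php');
if (count($findings) == 0) {
    echo "ok\n";
} else {
    foreach ($findings as $f) {
        echo "- ", $f, "\n";
    }
}
```

    The practical target on a single-tenant box is mode 0640 with the file owned by the site account and group-owned by the group Apache runs as; on a shared host with one Apache uid there is no permission setting that hides the file from other tenants' PHP, and only a per-user execution model (suEXEC, suPHP, separate FastCGI uids) changes that.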
  • phpWebLog: A PHP News and Content Management System
    Copyright (C) 2000-2002, Jason Hines / Eye Integrated Communications