This is a discussion on PHP shell commands within the PHP General forums, part of the PHP Programming Forums category.
Hello,
Some php applications store database passwords into files which can be read by the user www-data. So, a malicious user which can write php scripts could read those passwords. What should I do to prevent users from viewing those passwords?

regards
Lucas Prado Melo wrote:
> Hello,
> Some php applications store database passwords into files which can be
> read by the user www-data.
> So, a malicious user which can write php scripts could read those passwords.
> What should I do to prevent users from viewing those passwords?

Not too much really.

The webserver needs to be able to read a config file.

You could obfuscate the fields/entries or encrypt them somehow, but it needs to be a two-way encryption (ie you're going to need to undo the encryption to be able to use the password).

--
Postgresql & php tutorials
http://www.designmagick.com/
Suppose we were using apache webserver.
I think obfuscation won't work since with some work a user could read the password.
How to encrypt/decrypt the password?

On Jan 11, 2008 3:37 AM, Chris <dmagick@gmail.com> wrote:
> Not too much really.
>
> The webserver needs to be able to read a config file.
>
> You could obfuscate the fields/entries or encrypt them somehow, but it
> needs to be a two-way encryption (ie you're going to need to undo the
> encryption to be able to use the password).
>
> Some php applications store database passwords into files which can be
> read by the user www-data.
> So, a malicious user which can write php scripts could read those passwords.
> What should I do to prevent users from viewing those passwords?

You could encode your file(s) using something like the Zend Encoder. This turns them into byte code IIRC, so it's hard (not totally impossible I think) to get the clear text.

--
Richard Heyes
http://www.websupportsolutions.co.uk

Knowledge Base and HelpDesk software that can cut the cost of online support
** NOW OFFERING FREE ACCOUNTS TO CHARITIES AND NON-PROFITS **
Lucas Prado Melo wrote:
> Hello,
> Some php applications store database passwords into files which can be
> read by the user www-data.

Why not keep them out of the web tree and inform the application regarding the same. I am sure almost all good applications would provide a simple way for doing it.

> So, a malicious user which can write php scripts could read those passwords.
> What should I do to prevent users from viewing those passwords?

I am not sure I understand this. Do you mean the attacker would upload scripts and execute them to read the config files? If yes then that's a different problem altogether.

>
> regards
>

Regards,
Bipin Upadhyay.
http://projectbee.org
On Jan 11, 2008 9:33 AM, Bipin Upadhyay <muxical.geek@gmail.com> wrote:
> Lucas Prado Melo wrote:
> > Hello,
> > Some php applications store database passwords into files which can be
> > read by the user www-data.
> Why not keep them out of the web tree and inform the application
> regarding the same. I am sure almost all good applications would provide
> a simple way for doing it.
> > So, a malicious user which can write php scripts could read those passwords.
> > What should I do to prevent users from viewing those passwords?
> I am not sure I understand this. Do you mean the attacker would upload
> scripts and execute them to read the config files? If yes then that's a
> different problem altogether.

Yes, I mean so.
chmod the data file to not be accessible to the 'world' 700
--
If at first you dont succeed try try try again
If at first you do succeed try not to look surprised

"Lucas Prado Melo" <lucaspm@dcc.ufba.br> wrote in message news:9f4be2240801101915k7d07b1c9kf028da97850187c0@mail.gmail.com...
> Hello,
> Some php applications store database passwords into files which can be
> read by the user www-data.
> So, a malicious user which can write php scripts could read those passwords.
> What should I do to prevent users from viewing those passwords?
>
> regards
On Jan 11, 2008 6:58 AM, Lucas Prado Melo <lucaspm@dcc.ufba.br> wrote:
> On Jan 11, 2008 9:33 AM, Bipin Upadhyay <muxical.geek@gmail.com> wrote:
> > Lucas Prado Melo wrote:
> > > Hello,
> > > Some php applications store database passwords into files which can be
> > > read by the user www-data.
> > Why not keep them out of the web tree and inform the application
> > regarding the same. I am sure almost all good applications would provide
> > a simple way for doing it.
> > > So, a malicious user which can write php scripts could read those passwords.
> > > What should I do to prevent users from viewing those passwords?
> > I am not sure I understand this. Do you mean the attacker would upload
> > scripts and execute them to read the config files? If yes then that's a
> > different problem altogether.
> Yes, I mean so.

Make sure you change the permissions on the directory in which uploads are saved to be non-readable by anyone (including yourself, in case the scripts are suexec'd).

For example, if the directory in which you save uploaded files is uploads/ then just do this (on a *nix box):

chmod 300 uploads

That way, files can still be saved to the directory (which requires write and execute privileges), but the files cannot be read or executed via the web, and directory listing is implicitly denied for all protocols (and local access) to anyone except root.

To best-protect your configuration scripts, though, always place them outside of the web-accessible directories (for example, /home/user/config/) and include them properly. Also, make sure they are read-only (chmod 400, or chmod 444 if not using suexec).

Beyond that, code obfuscation using Zend Optimizer (as was suggested) or an alternative would be your best bet. Just keep in mind that anything that can be accessed by any means is never going to be 100% secure.

--
</Dan>

Daniel P. Brown
Senior Unix Geek and #1 Rated "Year's Coolest Guy" By Self
Since Nineteen-Seventy-[mumble].
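The permission scheme Daniel describes (chmod 300 on the uploads directory, chmod 400 on the config file, config kept outside the document root), as an added POSIX shell example that is not from the thread or from any of its posters. Everything in it is an assumption of this example: the function names (mode_of, is_owner_only, is_outside_docroot, harden_uploads_dir, harden_config_file, demo), the placeholder paths under a temporary directory, and the choice to read modes back with ls/cut rather than stat. The point it adds to the post is that each step is verified after it is applied, so a misapplied chmod or a config file that still sits under the web root is caught instead of assumed.

```sh
#!/bin/sh
# Added example (not code from the thread): apply and then verify the
# permissions Daniel Brown recommends. All paths are placeholders.

# Print the 10-character symbolic mode of a path, e.g. "d-wx------".
# "ls -ld | cut" is used instead of stat because stat's flags differ
# between GNU and BSD; an ACL/SELinux marker at column 11 is dropped.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# True if neither group nor other has any permission bit set, i.e. the
# web server's uid/gid gets nothing unless it owns the path itself.
is_owner_only() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# True if CONFIG ($2) does not live under DOCROOT ($1), so no URL maps to
# it. Paths are compared as given; canonicalise them first (cd ... && pwd -P)
# when symlinks are involved. One trailing slash on DOCROOT is tolerated.
is_outside_docroot() {
    docroot=${1%/}
    case "$2" in
        "$docroot"/*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Uploads directory: owner write+execute only (mode 300). Files can still be
# created inside it, but nothing can list it or read back what was written.
harden_uploads_dir() {
    chmod 300 "$1" && is_owner_only "$1"
}

# Config file: owner read only (mode 400, as suggested in the post). Adjust
# the owner to the account the server runs as; this example assumes it is.
harden_config_file() {
    chmod 400 "$1" && is_owner_only "$1"
}

# Demonstration on throwaway paths inside a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/htdocs" "$tmp/htdocs/uploads" "$tmp/config" || return 1
    printf '<?php $db_pass = "placeholder";\n' > "$tmp/config/db.php"

    harden_uploads_dir "$tmp/htdocs/uploads" || return 1
    harden_config_file "$tmp/config/db.php"  || return 1
    is_outside_docroot "$tmp/htdocs" "$tmp/config/db.php" || return 1

    # A config left under htdocs must fail the docroot check.
    ! is_outside_docroot "$tmp/htdocs" "$tmp/htdocs/config.php" || return 1

    echo "uploads: $(mode_of "$tmp/htdocs/uploads")"   # d-wx------
    echo "config:  $(mode_of "$tmp/config/db.php")"    # -r--------

    # Restore owner read on the directory so the cleanup can traverse it.
    chmod 700 "$tmp/htdocs/uploads"
    rm -rf "$tmp"
}

demo
```

Note that mode 300 on the directory only stops listing and reading through the filesystem; as the later reply in this thread points out, on a shared host the uploaded scripts are still executed by the web server, so the directory mode is a containment measure for the config file, not a fix for script upload itself.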
Daniel Brown wrote:
[SNIPPED]
> Just keep in
> mind that anything that can be accessed by any means is never going to
> be 100% secure.
>

I like the line :)

--
Bipin Upadhyay,
http://projectbee.org
On Jan 11, 2008 2:16 PM, Daniel Brown <parasane@gmail.com> wrote:
> Make sure you change the permissions on the directory in which
> uploads are saved to be non-readable by anyone (including yourself, in
> case the scripts are suexec'd).
>
> For example, if the directory in which you save uploaded files is
> uploads/ then just do this (on a *nix box):
> chmod 300 uploads
>
> That way, files can still be saved to the directory (which
> requires write and execute privileges), but the files cannot be read
> or executed via the web, and directory listing is implicitly denied
> for all protocols (and local access) to anyone except root.

The uploaded scripts must be executed via the web because it's a host... Maybe we could prevent scripts from certain folders to see other folders... (chroot?) Do you know how to do it in apache?