Security?

Hi all

I've made several scripts that are pulled in my pages with include.  They are all stored in a directory that is unreferenced in the output.  


Is there any way somebody can discover their name and/or location and pull them from my server to obtain db passwords?


If the answer is YES! OF COURSE!


then please tell me what I should do to secure them.
x_terminat_or_3 Asked:
 
sigmacon Commented:
Since you're talking wwwroot, I am assuming IIS, and since I don't have IIS 6, I am assuming IIS 5 ...

As long as the PHP extension is mapped properly to the ISAPI filter, nobody is going to be able to see the source, unless you allow 'Script source access' in the site's properties, which is OFF by default. Here is the paranoia mode just for you: open your IIS management console, click on the website that has the app of concern, go to a directory that has the includes in it, right click on it > Properties > Tab Directory > uncheck all that is checked under local path and set execute permissions to none. Make sure the includes still work though, when included from other pages ...

Of course all your includes end in .php, right?
0
 
Roonaan Commented:
You should add a .htaccess file to the directories which should not be entered.

The best would be to have your includes, of course, in a directory outside the wwwroot, but most of the time this isn't available.

On the other hand, if your files are marked as having the .php extension, no one - except for those with ftp or system access - will have direct access to your db/pwd unless your config.php states something like "echo DB_PWD".

.htaccess requires you to have Apache as webserver.

Regards

-r-
0
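The .htaccess Roonaan describes, written out as an added example (it is not from the thread and, as he says, only has effect on Apache): drop it in the directory holding the include files and every direct request to that directory gets refused, while include() from other pages still works because that is a filesystem read, not an HTTP request. It assumes the server's AllowOverride for that directory permits the Limit/AuthConfig directives; the directory path itself is whatever you use.

```apache
# .htaccess in the include directory (added example, not from the thread).
# Apache 2.4 honours "Require all denied"; older 2.x needs Order/Deny.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

Check it by requesting one of the include files in a browser: a 403 means the rule is active; the file's source or a 200 means AllowOverride is not letting the .htaccess apply.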
 
x_terminat_or_3 (Author) Commented:
Roonaan, I don't have unix


I could place them outside the wwwroot, but how do I include them then


if for instance

wwwroot\thesite\page.php

wants to include a file from c:\myprivatescripts\script1.script

?

I don't have anything like echo db_pwd, I'm new to php, but I'm not crazy ;-)


What if
a) a user makes a lucky guess and 'guesses' that there is a script named scripts.phscript in the directory templates and types it in the address bar
b) the php plugin is offline (due to whatever reason)

?
0

 
Zyloch Commented:
x_terminat_or_3,

Your passwords are safe. What Roonaan means is if you give your file the extensions .php, even if let's say your passwords are stored in passwords.php, even if the user makes, say:

<a href="http://www.yoursite.com/passwords.php">Get File</a> and right clicks and selects Save Target As, you will still only get the resulting HTML from the PHP, and if you don't have echo(), there will be no resulting HTML.
0
 
x_terminat_or_3 (Author) Commented:
but still, if a virus deletes the php.ini file, php will not parse the php files, and the output will be the original script, right?
0
 
Roonaan Commented:
Not necessarily. It could also be that apache handles something when php doesn't get loaded correctly. I think it shows an internal server error message.

But to make sure, you could always add that .htaccess.

::Offtopic::
Good to see you around ZyLoch :-)
0
 
Zyloch Commented:
Ah, so you're worried about that, I see. Well, in that case, you would just have to secure your server. I mean, for all you know, if that virus can delete your php.ini file, then what's to say it can't just open up your password file by itself and read it? If something gets that close to home, there's nothing you can do. You can keep it more safe with .htaccess like Roonaan suggested (you don't need Unix to get Apache, and in fact, Apache 2, although not recommended with php 3rd party libraries, is built for Windows). However, I repeat, what's to say that if someone gets a virus on your computer and can delete your php.ini file, it might as well disable your whole server too, or better yet, be a trojan and steal your passwords.

So basically, if anyone gets a virus onto your server, you're screwed and there's nothing you can do, no matter how many security measures you take, that will keep that virus from getting your passwords if the virus maker is clever enough, since a virus would have to be on your server to delete your php.ini file and you would probably have to run it (or someone else does on your server, which makes this irrelevant because they would then have your password anyway).

In conclusion, basically, that's why firewalls exist. But if your SERVER is well protected, so are your passwords.
0
 
Zyloch Commented:
::Offtopic Reply::
Thanks, school's been a -ahem lol.
0
 
x_terminat_or_3 (Author) Commented:
Thanks all for your info.


There is, however one open issue in this question:


if for instance

wwwroot\thesite\page.php

wants to include a file from c:\myprivatescripts\script1.script

how do I reference it in the the page

do I say

<?php include 'c:\myprivatescripts\script1.script'; ?>   ?
0
 
Zyloch Commented:
No. You can't do that. You have to upload script1.script to the server.
0
 
x_terminat_or_3 (Author) Commented:
QUOTE from Roonaan's comment:

>>>>The best would be to have your includes offcourse at a directory outsite the wwwroot, but most of the time this isn't available<<<<
0
 
Roonaan Commented:
If wwwroot and myprivate are on the same server (which I suppose, because of your security questions), you'd better use
<?php include 'c:/myprivatescripts/script1.script'; ?>

But a well installed php server would not allow this in safe mode, therefore you have to add this directory to the list of open_basedir directories. How this is done, I am not sure.

-r-
0
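A worked version of what Roonaan and sigmacon are suggesting, added here as an example rather than code from the thread: a config file kept outside wwwroot (c:\myprivatescripts is a hypothetical path, and the file gets a .php extension so the interpreter always handles it), pulled in from page.php by absolute path, with a guard so the include refuses to run if it is ever requested directly, and the open_basedir entry that makes the require work when that directive is in use. The constants and the placeholder password are constructed for the example. Note the caveat the author raised: the guard only runs when PHP runs, so keeping the file outside wwwroot is what covers the "PHP not parsing" case, since no URL maps to it at all.

```php
<?php
// page.php, under wwwroot. Added example, not code from the thread.
// Assumed (hypothetical) layout:
//   c:\inetpub\wwwroot\thesite\page.php   <- reachable by URL
//   c:\myprivatescripts\config.php        <- not under wwwroot; no URL maps to it
//
// config.php (constructed for this example) would contain:
//   <?php
//   // Refuse to run when requested directly instead of being included.
//   if (!defined('IN_APP')) {
//       header('HTTP/1.0 403 Forbidden');
//       exit;
//   }
//   define('DB_HOST', 'localhost');
//   define('DB_USER', 'siteuser');
//   define('DB_PASS', 'placeholder-not-a-real-password');
//
// php.ini: if open_basedir (or safe_mode_include_dir on PHP 4) is set, the
// private directory must be listed or the require below is refused.
// Windows uses ';' as the separator:
//   open_basedir = "c:\inetpub\wwwroot;c:\myprivatescripts"

// Marker the include checks for; set it before pulling the file in.
define('IN_APP', true);

// Absolute path with forward slashes: they work on Windows and avoid
// backslash escapes being interpreted inside double-quoted strings.
$configFile = 'c:/myprivatescripts/config.php';

// Fail closed: do not serve the page at all if the config is missing,
// rather than running on with undefined constants.
if (!is_readable($configFile)) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('Configuration unavailable.');
}
require_once $configFile;

if (!defined('DB_PASS')) {
    exit('Database configuration did not load.');
}

// Use the constants for the connection; never echo DB_PASS into the page.
echo 'Connecting to ' . htmlspecialchars(DB_HOST) . ' as ' . htmlspecialchars(DB_USER);
?>
```

Two checks are worth doing after setting this up: request page.php and confirm it still works (if open_basedir is in force and the directory is not listed, the require fails with a warning naming the restriction), and, for any include that does have to stay under wwwroot, request it directly and confirm the 403 comes back.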
 
Zyloch Commented:
Well, in order to do that, you would have to create a whole new virtual directory. I have no idea how to do it since I don't work with IIS, but check this here: http://www.winnetmag.com/Web/Article/ArticleID/15605/Web_15605.html
0
 
x_terminat_or_3 (Author) Commented:
FYI I'm running my own server.
0
 
x_terminat_or_3 (Author) Commented:
But if I create a whole new virtual directory, it isn't private anymore is it?
0
 
Roonaan Commented:
http://nl3.php.net/features.safe-mode says something about an open_basedir setting in php.ini which can be used to set some kind of offline library tree.
0
 
Zyloch Commented:
Well, that's the only way I know that you can access it. Of course, you could try one more thing:

<?php
// Read the file by path and send its contents to the browser. Note that
// this outputs the raw source, password included, so only use it to test
// that the path is reachable.
$file = "c:/myprivatescripts/script1.script";
$fp = fopen($file, "r");                 // fopen() needs a mode argument
$contents = fread($fp, filesize($file)); // sizeof($fp) is not the file size
fclose($fp);
echo($contents);
?>

Or try:

<?php
readfile("c:/myprivatescripts/script1.script");
?>

Of course, you could also try changing the direction of the slashes, or maybe even file://c:/etc. but that's more for client side.
Tons of things to try :-)

Btw, the fopen thing is sort of what Roonaan was hinting at earlier. Most likely, your C and wwwroot aren't on the "same domain"

0
 
x_terminat_or_3 (Author) Commented:
Rooonaaan

If I understand correctly

Security and Safe Mode
Table 41-1. Security and Safe Mode Configuration Directives

safe_mode_include_dir NULL PHP_INI_SYSTEM

I can set it to c:\myprivatedir\script1.script

?


Zyloch, what exactly do you mean by C and wwwroot being on the same domain?
0
 
Zyloch Commented:
Not quite sure what I'm talking about either, but check out what Roonaan has to say. Did you try the fopens?
0
 
x_terminat_or_3 (Author) Commented:
They are now.

Now when I type in the address of the script in the address bar, I get the http 403 !!!  Just like I want it.

0