Solved

Security?

Posted on 2004-10-22
Last Modified: 2008-03-17
Hi all

I've made several scripts that are pulled in my pages with include.  They are all stored in a directory that is unreferenced in the output.  


Is there any way somebody can discover their name and/or location and pull them from my server to obtain db passwords?


If the answer is YES!  OF COURSE!


                 then please tell me what I should do to secure them.
0
Question by:x_terminat_or_3
    20 Comments
     
    LVL 49

    Assisted Solution

    by:Roonaan
    You should add a .htaccess file to the directories which should not be entered.

    The best would be, of course, to have your includes in a directory outside the wwwroot, but most of the time this isn't available.

    On the other hand, if your files are marked as having a .php extension, no one - except for those with ftp or system access - will have direct access to your db/pwd unless your config.php states something like "echo DB_PWD".

    .htaccess requires you to have Apache as webserver.

    Regards

    -r-
    0
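    As an added example, not part of Roonaan's post: this is the .htaccess that implements the advice above on Apache. It assumes the includes live in a directory under the web root (the name wwwroot/thesite/includes is hypothetical) and that AllowOverride is enabled for that path.

```apache
# Added example: drop this file as .htaccess into the include directory
# (assumed: wwwroot/thesite/includes). It rejects every HTTP request for
# anything in that directory with 403, whatever the file extension.

# Apache 2.4 syntax
Require all denied

# Apache 2.2 equivalent (current when this thread was written):
# Order deny,allow
# Deny from all
```

    This blocks only requests that arrive over HTTP; include() reads the files from disk and is unaffected, so the site keeps working. It also covers the case Roonaan mentions below where the PHP handler is not loaded: a .php file that would otherwise be served as plain text is still refused. Check with a browser that a direct URL to an include returns 403 before relying on it.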
     
    LVL 2

    Author Comment

    by:x_terminat_or_3
    Roonaan, I don't have unix


    I could place them outside the wwwroot, but how do I include them then


    if for instance

    wwwroot\thesite\page.php

    wants to include a file from c:\myprivatescripts\script1.script

    ?

    I don't have anything like echo db_pwd, I'm new to php, but I'm not crazy ;-)


    What if
    a) a user makes a lucky guess and 'guesses' that there is a script named scripts.phscript in the directory templates and types it in the address bar
    b) the php plugin is offline (due to whatever reason)

    ?
    0
     
    LVL 36

    Expert Comment

    by:Zyloch
    x_terminat_or_3,

    Your passwords are safe. What Roonaan means is if you give your file the extensions .php, even if let's say your passwords are stored in passwords.php, even if the user makes, say:

    <a href="http://www.yoursite.com/passwords.php">Get File</a> and right clicks and selects Save Target As, you will still only get the resulting HTML from the PHP, and if you don't have echo(), there will be no resulting HTML.
    0
     
    LVL 2

    Author Comment

    by:x_terminat_or_3
    but still, if a virus deletes the php.ini file, php will not parse the php files, and the output will be the original script, right?
    0
     
    LVL 49

    Expert Comment

    by:Roonaan
    Not necessarily. It could also be that apache handles something when php doesn't get loaded correctly. I think it shows an internal server error message.

    But to make sure, you could always add that  htaccess.

    ::Offtopic::
    Good to see you around ZyLoch :-)
    0
     
    LVL 36

    Assisted Solution

    by:Zyloch
    Ah, so you're worried about that, I see. Well, in that case, you would just have to secure your server. I mean, for all you know, if that virus can delete your php.ini file, then what's to say it can't just open up your password file by itself and read it? If something gets that close to home, there's nothing you can do. You can keep it more safe with .htaccess like Roonaan suggested (you don't need Unix to get Apache, and in fact, Apache 2, although not recommended with php 3rd party libraries, is built for Windows). However, I repeat, what's to say that if someone gets a virus in your computer and can delete your php.ini file, it might as well disable your whole server too, or better yet, be a trojan and steal your passwords.

    So basically, if anyone gets a virus into your server, you're screwed and there's nothing you can do no matter how many security measures you take, that will keep that virus from getting your passwords if the virus maker is clever enough, since a virus would have to be on your server to delete your php.ini file and you would probably have to run it (or someone else does on your server, which makes this irrelevant because they would then have your password anyways).

    In conclusion, basically, that's why firewalls exist. But if your SERVER is well protected, so are your passwords.
    0
     
    LVL 36

    Expert Comment

    by:Zyloch
    ::Offtopic Reply::
    Thanks, school's been a -ahem lol.
    0
     
    LVL 2

    Author Comment

    by:x_terminat_or_3
    Thanks all for your info.


    There is, however one open issue in this question:


    if for instance

    wwwroot\thesite\page.php

    wants to include a file from c:\myprivatescripts\script1.script

    how do I reference it in the page

    do I say

    <?php include 'c:\myprivatescripts\script1.script' ?>   ?
    0
     
    LVL 36

    Expert Comment

    by:Zyloch
    No. You can't do that. You have to upload script1.script to the server.
    0
     
    LVL 2

    Author Comment

    by:x_terminat_or_3
    QUOTE from Roonaan's comment:

    >>>>The best would be, of course, to have your includes in a directory outside the wwwroot, but most of the time this isn't available<<<<
    0
     
    LVL 49

    Expert Comment

    by:Roonaan
    If wwwroot and myprivate are on the same server (which I suppose, because of your security questions), you'd better use
    <?php include 'c:/myprivatescripts/script1.script' ?>

    But a well installed php server would not allow this in safe mode, therefore you have to add this directory to the list of open_basedir directories. How this is done, I am not sure.

    -r-
    0
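    The pattern Roonaan describes above (forward-slash absolute path, include from a directory outside wwwroot, open_basedir permitting), together with a guard for the "lucky guess at the URL" worry raised earlier in the thread, as an added example that is not code from the thread. The paths C:/wwwroot/thesite and C:/myprivatescripts are the thread's hypothetical layout; the script writes a constructed sample config into a temp directory so it runs stand-alone under PHP 8.0 or later (str_starts_with, dirname with a levels argument).

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the thread. Assumed (hypothetical) layout:
 *   C:/wwwroot/thesite/page.php       the page the web server serves
 *   C:/myprivatescripts/config.php    outside wwwroot, so no URL maps to it
 * Forward slashes work on Windows and avoid backslash escapes in PHP strings.
 */

// Resolve the private directory from the served script's location instead of
// hard-coding a drive letter, so the tree can move without editing every page.
// Two dirname() hops from C:/wwwroot/thesite reach the drive root; trimming the
// trailing separator keeps the result the same on Windows and Unix.
function private_dir(string $scriptDir): string
{
    $root = dirname(str_replace('\\', '/', $scriptDir), 2);
    return rtrim($root, '/\\') . '/myprivatescripts';
}

// open_basedir (and safe_mode_include_dir on old PHP) restrict which paths
// include() may read. Checking first turns a cryptic warning into a message
// that says which directory to add to php.ini.
function allowed_by_open_basedir(string $dir): bool
{
    $base = (string) ini_get('open_basedir');
    if ($base === '') {
        return true;                        // no restriction configured
    }
    $dir = rtrim(str_replace('\\', '/', $dir), '/') . '/';
    foreach (explode(PATH_SEPARATOR, $base) as $allowed) {
        $allowed = rtrim(str_replace('\\', '/', $allowed), '/') . '/';
        if (str_starts_with($dir, $allowed)) {
            return true;
        }
    }
    return false;
}

// Constructed sample of the private file. It returns its settings as an array
// and never echoes them, and its first lines refuse to run unless the IN_APP
// marker was defined by the including page: a direct request (a guessed URL,
// or a copy that somehow lands under wwwroot) gets 403, not the passwords.
const SAMPLE_CONFIG = <<<'PHP'
<?php
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Forbidden');
}
return [
    'db_host' => 'localhost',
    'db_user' => 'app',
    'db_pass' => 'constructed-sample-password',
];
PHP;

function load_config(string $file): array
{
    if (!allowed_by_open_basedir(dirname($file))) {
        throw new RuntimeException(
            'open_basedir excludes ' . dirname($file) . '; add it to the php.ini list'
        );
    }
    if (!defined('IN_APP')) {
        define('IN_APP', true);             // marker the guard above checks for
    }
    $cfg = include $file;                   // executes the file, does not print it
    if (!is_array($cfg)) {
        throw new RuntimeException("$file did not return a config array");
    }
    return $cfg;
}

// Stand-alone demo: a temp directory stands in for C:/myprivatescripts; the
// include is then done exactly as page.php would do it.
function demo(): array
{
    $dir = sys_get_temp_dir() . '/myprivatescripts_demo';
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $file = $dir . '/config.php';
    file_put_contents($file, SAMPLE_CONFIG);
    return load_config($file);
}

$cfg = demo();
printf("would connect as %s@%s; the password stays in memory, never in output\n",
       $cfg['db_user'], $cfg['db_host']);
echo 'private dir for C:/wwwroot/thesite: ', private_dir('C:/wwwroot/thesite'), PHP_EOL;
```

    The include itself is the one-liner Roonaan gives; the rest is what makes it safe to rely on: nothing in the config file produces output, the guard handles the case where the file is reached as a script rather than as an include, and the open_basedir check names the directory that must be whitelisted if a "safe mode" install refuses the path.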
     
    LVL 36

    Expert Comment

    by:Zyloch
    Well, in order to do that, you would have to create a whole new virtual directory. I have no idea how to do it since I don't work with IIS, but check this here: http://www.winnetmag.com/Web/Article/ArticleID/15605/Web_15605.html
    0
     
    LVL 2

    Author Comment

    by:x_terminat_or_3
    FYI I'm running my own server.
    0
     
    LVL 2

    Author Comment

    by:x_terminat_or_3
    But if I create a whole new virtual directory, it isn't private anymore is it?
    0
     
    LVL 49

    Expert Comment

    by:Roonaan
    http://nl3.php.net/features.safe-mode says something about an open_basedir setting in php.ini which can be used to set somekind of offline library tree.
    0
     
    LVL 36

    Expert Comment

    by:Zyloch
    Well, that's the only way I know that you can access it. Of course, you could try one more thing:

    <?php
    $file = "c:/myprivatescripts/script1.script";
    $fp = fopen($file, "r");                  // fopen() requires a mode argument
    $contents = fread($fp, filesize($file));  // sizeof() is array count, not file length
    fclose($fp);
    echo($contents);                          // writes the raw file contents to the response
    ?>

    Or try:

    <?php
    readfile("c:/myprivatescripts/script1.script");
    ?>

    Of course, you could also try changing the direction of the slashes, or maybe even file://c:/etc. but that's more for client side.
    Tons of things to try :-)

    Btw, the fopen thing is sort of what Roonaan was hinting at earlier. Most likely, your C and wwwroot aren't on the "same domain"

    0
     
    LVL 2

    Author Comment

    by:x_terminat_or_3
    Rooonaaan

    If I understand correctly

    Security and Safe Mode
    Table 41-1. Security and Safe Mode Configuration Directives

    safe_mode_include_dir NULL PHP_INI_SYSTEM

    I can set to c:\myprivatedir\script1.script

    ?


    Zyloch, what exactly do you mean by C and wwwroot being on the same domain?
    0
     
    LVL 36

    Expert Comment

    by:Zyloch
    Not quite sure what I'm talking about either, but check out what Roonaan has to say. Did you try the fopens?
    0
     
    LVL 8

    Accepted Solution

    by:
    Since you're talking wwwroot, I am assuming IIS. and since I don't have IIS 6, I am assuming IIS 5 .../-)

    As long as the PHP extension is mapped properly to the ISAPI filter, nobody is going to be able to see the source, unless you allow 'Script source access' in the site's properties, which is OFF by default. Here is the paranoia mode just for you: Open your IIS management console, click on the website that has the app of concern, go to a directory that has the includes in it, right click on it > Properties > Tab Directory > Uncheck all that is checked under local path and set execute permissions to none. Make sure the includes still work though, when included from other pages ...

    Of course all your includes end in .php, right?
    0
     
    LVL 2

    Author Comment

    by:x_terminat_or_3
    They are now.

    Now when I type in the address of the script in the address bar, I get the http 403 !!!  Just like I want it.

    0
