Security?

Posted on 2004-10-22
Last Modified: 2008-03-17
Hi all

I've made several scripts that are pulled in my pages with include.  They are all stored in a directory that is unreferenced in the output.  


Is there any way somebody can discover their name and/or location and pull them from my server to obtain db passwords?


If the answer is YES! OF COURSE!


                 then please tell me what I should do to secure them.
Question by:x_terminat_or_3
20 Comments
 
LVL 49

Assisted Solution

by:Roonaan
Roonaan earned 300 total points
ID: 12384378
You should add a .htaccess file to the directories which should not be entered.

The best would be to have your includes of course in a directory outside the wwwroot, but most of the time this isn't available.

On the other hand, if your files are marked as having a .php extension, no one - except for those with ftp or system access - will have direct access to your db/pwd unless your config.php states something like "echo DB_PWD".

.htaccess requires you to have Apache as webserver.

Regards

-r-
0
 
LVL 2

Author Comment

by:x_terminat_or_3
ID: 12384430
Roonaan, I don't have Unix


I could place them outside the wwwroot, but how do I include them then


if for instance

wwwroot\thesite\page.php

wants to include a file from c:\myprivatescripts\script1.script

?

I don't have anything like echo db_pwd; I'm new to PHP, but I'm not crazy ;-)


What if
a/ a user makes a lucky guess and 'guesses' that there is a script named scripts.phscript in the directory templates and types it in the address bar
b/ the PHP plugin is offline (due to whatever reason)

?
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12384478
x_terminat_or_3,

Your passwords are safe. What Roonaan means is that if you give your file the extension .php, even if, let's say, your passwords are stored in passwords.php, and the user makes, say:

<a href="http://www.yoursite.com/passwords.php">Get File</a> and right-clicks and selects Save Target As, they will still only get the resulting HTML from the PHP, and if you don't have echo(), there will be no resulting HTML.
0
 
LVL 2

Author Comment

by:x_terminat_or_3
ID: 12384502
But still, if a virus deletes the php.ini file, PHP will not parse the PHP files, and the output will be the original script, right?
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 12384531
Not necessarily. It could also be that Apache handles something when PHP doesn't get loaded correctly. I think it shows an internal server error message.

But to make sure, you could always add that .htaccess.

::Offtopic::
Good to see you around ZyLoch :-)
0
 
LVL 36

Assisted Solution

by:Zyloch
Zyloch earned 300 total points
ID: 12384569
Ah, so you're worried about that, I see. Well, in that case, you would just have to secure your server. I mean, for all you know, if that virus can delete your php.ini file, then what's to say it can't just open up your password file by itself and read it? If something gets that close to home, there's nothing you can do. You can keep it more safe with .htaccess like Roonaan suggested (you don't need Unix to get Apache, and in fact Apache 2, although not recommended with PHP third-party libraries, is built for Windows). However, I repeat, what's to say that if someone gets a virus onto your computer and it can delete your php.ini file, it might as well disable your whole server too, or better yet, be a trojan and steal your passwords.

So basically, if anyone gets a virus onto your server, you're screwed and there's nothing you can do, no matter how many security measures you take, that will keep that virus from getting your passwords if the virus maker is clever enough, since a virus would have to be on your server to delete your php.ini file and you would probably have to run it (or someone else does on your server, which makes this irrelevant because they would then have your password anyway).

In conclusion, basically, that's why firewalls exist. But if your SERVER is well protected, so are your passwords.
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12384581
::Offtopic Reply::
Thanks, school's been a -ahem lol.
0
 
LVL 2

Author Comment

by:x_terminat_or_3
ID: 12384635
Thanks all for your info.


There is, however one open issue in this question:


if for instance

wwwroot\thesite\page.php

wants to include a file from c:\myprivatescripts\script1.script

how do I reference it in the the page

do I say

<?php include 'c:\myprivatescripts\script1.script' ?>   ?
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12384680
No. You can't do that. You have to upload script1.script to the server.
0
 
LVL 2

Author Comment

by:x_terminat_or_3
ID: 12384720
QUOTE from Roonaan's comment:

>>>>The best would be to have your includes of course in a directory outside the wwwroot, but most of the time this isn't available<<<<
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 12384728
If wwwroot and myprivate are on the same server (which I suppose, because of your security questions), you'd better use
<?php include 'c:/myprivatescripts/script1.script'; ?>

But a well-installed PHP server would not allow this in safe mode; therefore you have to add this directory to the list of open_basedir directories. How this is done, I am not sure.

-r-
0
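As an added example (not code from the thread), here is the layout Roonaan's first answer and the include-by-absolute-path above describe, put together: the file holding the database credentials lives outside the web root, page.php pulls it in by one absolute path, the credentials are only assigned and never echoed, and the include refuses to run unless an application page defined a marker constant first, which covers the "lucky guess" case from the question if the file ever does end up under the web root. The directory, file and constant names (c:/myprivatescripts, db_config.php, APP_ENTRY) and the PDO connection are assumptions for the example.

```php
<?php
// ---- File 1: c:/myprivatescripts/db_config.php  (outside the web root) ----
// Added example; the paths and the APP_ENTRY name are assumptions.

// Direct-access guard. A page that legitimately includes this file defines
// APP_ENTRY before the include; a browser request for this file by URL never
// does, so execution stops here and nothing is emitted. It only matters if the
// file ever lands under the web root, but it costs nothing.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Credentials are assigned, never echoed: even if this file were executed on a
// direct request, these lines produce no output. Placeholder values.
define('DB_HOST', 'localhost');
define('DB_NAME', 'thesite');
define('DB_USER', 'thesite_app');
define('DB_PASS', 'replace-me');
// No closing ?> tag: a stray newline after it would be sent to the client
// before any headers.


<?php
// ---- File 2: c:/wwwroot/thesite/page.php  (served by the web server) ----
define('APP_ENTRY', true);

// One absolute path, kept in one place. Forward slashes work on Windows too.
$private_dir = 'c:/myprivatescripts';

// require, not include: if the file is missing, or open_basedir blocks the
// directory, the page must stop instead of carrying on with undefined
// credentials and a half-working site.
require $private_dir . '/db_config.php';

try {
    $db = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME, DB_USER, DB_PASS);
} catch (PDOException $e) {
    // Never echo $e->getMessage(): PDO errors can carry the DSN and user name.
    error_log('DB connection failed: ' . $e->getMessage());
    header('HTTP/1.0 500 Internal Server Error');
    exit('Service unavailable');
}

echo 'Database connection established';
```

If php.ini sets open_basedir, c:/myprivatescripts has to be in the list or the require fails, for example open_basedir = "c:\wwwroot;c:\myprivatescripts" on Windows (the separator is ';' on Windows and ':' on Unix). Safe mode and its safe_mode_include_dir directive take a directory, not a file, and both were removed in PHP 5.4, so open_basedir is the setting that still applies.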
 
LVL 36

Expert Comment

by:Zyloch
ID: 12384749
Well, in order to do that, you would have to create a whole new virtual directory. I have no idea how to do it since I don't work with IIS, but check this here: http://www.winnetmag.com/Web/Article/ArticleID/15605/Web_15605.html
0
 
LVL 2

Author Comment

by:x_terminat_or_3
ID: 12384774
FYI I'm running my own server.
0
 
LVL 2

Author Comment

by:x_terminat_or_3
ID: 12384801
But if I create a whole new virtual directory, it isn't private anymore is it?
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 12384831
http://nl3.php.net/features.safe-mode says something about an open_basedir setting in php.ini which can be used to set some kind of offline library tree.
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12384861
Well, that's the only way I know that you can access it. Of course, you could try one more thing:

<?php
$path = "c:/myprivatescripts/script1.script";
$fp = fopen($path, "r");                  // fopen() needs a mode argument
$contents = fread($fp, filesize($path));  // sizeof($fp) is not the file size; filesize() is
fclose($fp);
echo($contents);                          // sends the raw file contents to the client
?>

Or try:

<?php
readfile("c:/myprivatescripts/script1.script");
?>

Of course, you could also try changing the direction of the slashes, or maybe even file://c:/etc. but that's more for client side.
Tons of things to try :-)

Btw, the fopen thing is sort of what Roonaan was hinting at earlier. Most likely, your C and wwwroot aren't on the "same domain"

0
 
LVL 2

Author Comment

by:x_terminat_or_3
ID: 12385158
Rooonaaan

If I understand correctly

Security and Safe Mode
Table 41-1. Security and Safe Mode Configuration Directives

safe_mode_include_dir NULL PHP_INI_SYSTEM

I can set to c:\myprivatedir\script1.script

?


Zyloch, what exactly do you mean by C and wwwroot being on the same domain?
0
 
LVL 36

Expert Comment

by:Zyloch
ID: 12385678
Not quite sure what I'm talking about either, but check out what Roonaan has to say. Did you try the fopens?
0
 
LVL 8

Accepted Solution

by:
sigmacon earned 600 total points
ID: 12386778
Since you're talking wwwroot, I am assuming IIS. and since I don't have IIS 6, I am assuming IIS 5 .../-)

As long as the PHP extension is mapped properly to the ISAPI filter, nobody is going to be able to see the source, unless you allow 'Script source access' in the site's properties, which is OFF by default. Here is the paranoia mode just for you: open your IIS management console, click on the website that has the app of concern, go to a directory that has the includes in it, right-click on it > Properties > tab Directory > uncheck all that is checked under local path and set execute permissions to none. Make sure the includes still work though, when included from other pages ...

Of course all your includes end in .php, right?
0
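A check to go with the accepted answer (added here, not part of the thread): it classifies include files the way the answers above reason about them. Outside the document root is safe by construction; under it, the extension must be one the server hands to PHP (otherwise a direct request gets the raw source, which is the .phscript/.script worry from the question), and even then a direct-access guard is the backstop in case the handler mapping is ever lost. The sample paths, their source text and the APP_ENTRY guard name are constructed for the demo; the last step repeats the author's browser test (request the include's URL, expect 403) against a URL given on the command line.

```php
<?php
// Added check, not from the thread. Sample data below is constructed; the
// APP_ENTRY guard name is an assumption. Run with: php audit_includes.php [url]

// Windows paths are case-insensitive and accept both slash styles, so compare
// a normalised form: forward slashes, lower case, no trailing slash.
function normalize_path($path)
{
    return strtolower(rtrim(str_replace('\\', '/', $path), '/'));
}

// True when $file is $docroot or lies beneath it, i.e. it has a URL.
// The trailing '/' stops c:/wwwroot2 from matching c:/wwwroot.
function under_docroot($file, $docroot)
{
    $f = normalize_path($file) . '/';
    $d = normalize_path($docroot) . '/';
    return strncmp($f, $d, strlen($d)) === 0;
}

// Verdict for one include, given its path, the site's document root, its
// source text, and the extensions the server maps to the PHP engine.
function classify_include($file, $docroot, $source, $php_extensions = array('php'))
{
    if (!under_docroot($file, $docroot)) {
        return 'ok: outside the document root, not reachable by URL';
    }
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (!in_array($ext, $php_extensions, true)) {
        return "exposed: .$ext is not mapped to PHP, a direct request gets the raw source";
    }
    if (strpos($source, "defined('APP_ENTRY')") === false) {
        return 'weak: executed on a direct request with no guard; only the server config protects it';
    }
    return 'ok: mapped to PHP and guarded against direct requests';
}

// Live counterpart of the author's browser test: fetch the include's URL and
// return the status line (e.g. "HTTP/1.1 403 Forbidden"). Needs a running server.
function http_status($url)
{
    $headers = get_headers($url);
    return $headers ? $headers[0] : 'no response';
}

// Constructed sample inputs; nothing on disk is read.
$docroot = 'C:\Inetpub\wwwroot';
$samples = array(
    'c:/myprivatescripts/db_config.php' =>
        "<?php if (!defined('APP_ENTRY')) { exit; } define('DB_PASS', 'x');",
    'C:\Inetpub\wwwroot\thesite\templates\scripts.phscript' =>
        '<?php $db_pwd = "x"; ?>',
    'c:/inetpub/wwwroot/thesite/inc/db.php' =>
        '<?php $db_pwd = "x"; ?>',
    'c:/inetpub/wwwroot/thesite/inc/guarded.php' =>
        "<?php if (!defined('APP_ENTRY')) { exit; } \$db_pwd = 'x';",
);

foreach ($samples as $file => $source) {
    echo $file, "\n    ", classify_include($file, $docroot, $source), "\n";
}

if (PHP_SAPI === 'cli' && !empty($argv[1])) {
    echo $argv[1], ' -> ', http_status($argv[1]), "\n";
}
```

The extension list is the one thing to keep in step with the server: if the site maps anything other than .php to PHP (or, on IIS, if 'Script source access' is turned on), the verdicts above are only as good as that mapping, which is why the path check and the guard are both worth having.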
 
LVL 2

Author Comment

by:x_terminat_or_3
ID: 12387304
They are now.

Now when I type in the address of the script in the address bar, I get the http 403 !!!  Just like I want it.

0
