impossible to secure php scripts?!? wtf

papillon

Well, seeing how anyone with shell access can simply pico /home/myname/script.php on a shared serverI decided to search for a solution .. I read about php wrapping so I asked my provider if they allowed it, this was the response:

"Unfortunately because this is a shared hosting environment, enabling phpwrap could allow a hacker to potentionally access any file on our server if one of our customers were to write insecure code. Because we cannot trust that all of our users will use secure php scripts, wrappers are disabled by default (this is also the Cpanel default and we have to use what Cpanel uses). Changing the php configuration could also break other users scripts who are currently on the server.

There is a way around this though. You can chmod 640 scriptname "

Hmm ..that's what he says. However if I chmod the script 640, Its unusable through the web .. I get an error message ..

Other than shelling out $2k for zend encoder, is there absolutely nothing we can do to protect our scripts from other users? I cant have just every user be able to pico my scripts and grab all the passwords and what not ... is there no solution to my problem? Why do I get the feeling that most people don't even know that any user can pico their scripts when I talk to them? PLEASE HELP!!!!

nightowl

my scripts are hosted in a shared environment too. The server is running as beloging to group webserver, we, the users belong to the group users. If I set the directories of my site as belonging to group "webserver" and give the group read-persmissions but not to the world, it works fine. The server can see it but the users (which don't belong to webserver) can't. Probably that is what you need to do too: set the group of your script to the group the webserver is running under.

papillon

yes and anyone can write a script which will run as webserver and read the files still ... I can't believe I am not getting any response on what's supposed to be an 'expert' forum :/

mykg4orce

get a better host...

papillon

Originally posted by mykg4orce
get a better host...

I guess that would be another way of saying, 'Dont ask me I am stupid'

enterume

In my point of view, our scirpt is never being secure in share-hosting. Once the 'root' login, then able to get anythign from our scirpt.... transparently. 🙁 but somehow, some customer don't care about their source being 'hijack' , just care about their website uptime. But for as developer, the first thing we will condiser in 'share hosting' is .. 'protect' our code, if can hide from root is better still.

asking the share hosting compnay to install Zend encoder is even more though as it cost around 2k , unless u share half with them. 🆒

Thanks
Louis

malbera

? I cant have just every user be able to pico my scripts and grab all the passwords and what not ... is there no solution to my problem?

do you have a file with lot of passwords? on a shared server? lol

I guess that would be another way of saying, 'Dont ask me I am stupid'

:eek: :eek:

nightowl

the same server I am running my scripts on, allows me to have them executed by the cgi module of PHP. This module runs under my own user id, so that I can prevent the scripts from being world or even group readable. This is the most secure way I can think of : only I (and the root) has to be able to read the scripts for them to be executable. No other user can read them ! Am I wrong ?

mykg4orce

papillon, i say why the anger?

see papillon, anger + PHP = unsecure scripts..

Rayn

make your own encoder using file function and reg expressions.

k_jazz

You think uzas won't be able to get your encoder.php
the same way they get the rest of your code ?😉
May be I am stupid but I'm not coding for them.
Anyway :mad: :mad: :mad: SHARED:mad: :mad: :mad: HOSTING is for HTML not for secure
coding...

mykg4orce

get a better host...

oops! didn't i make a similar post? Oops Im getting angry, oh well atleast my host isn't shared

nightowl

I guess my solution of running PHP as CGI still holds ?

recompiler

As others have pointed out, use proper chmod on your directory, download a script obfuscator that will leave yor code parsable, but give any human trying to read it dyslexia, also DONOT DONOT have a file-o-passwords, use .htaccess instead. Also try having your obfuscated files in a non web accessible directory, and have a just one servlet file access them and parse them based on obscure rules. Not a perfect solution but if your too cheap to get a better hosting provider it'll have to do.

Vlad G.

spectre013

If your host has your root dir set to your httpdocs(some times one dir above that) then you shouldn't be able to look at any file you don't own out side of your dir.

With safe mode and open base dir you cant even use php scripts to include other scripts.

If your host is not set up in this way I suggest you find a new host.

papillon

half the scripts on server would break with safe mode on.. the host is excellent btw.

anilgk

Try PHPGuardian (http://www.phpguardian.com)

Its a lot cheaper than zend encoder.

I have tried their demo version and really liked the product.

Hope this info helps solve your problem.

Cheers!
Anil🙂