Question about Security of PHP files that aren't supposed to be seen

marcnyc

Hello I have been asking myself this question for a long time but now I am faced with a real life scenario and I'd apprecaite some expert advice...

I have just installed a new script at my site. The script's developer advises to put the configuration.php script in a NON publicly accessible directory on my server... Unfortunately I do not have any such directory... all the directories (except for the cgi-bin) behind my root folder on my server don't allow me to create a new folder/file.

I though of moving the file to another folder and changing the folder's permissions to 000 or adding a .htaccess and .htpassword file but I think that would even prevent the normal script that needs that file to access it, wouldn't it?

Hence the question:

If a sensitive PHP configuration file is placed in a publicly accessible directory of a site, is it possible for someone to access it and read it's contents (such as MySQL password etc)?

Here are my points and the ways I would use to HACK into my own server (I hope you can add yours):

a PHP file does not output anything to the browser unless there is an echo, print, print_r command or something because everything between <? and ?> is not shown in the browser
if I access configuarion.php on my page I see nothing but a blank page and if I look at its html code I see head and body tags and that's about it...
it is not possible to access the file via FTP because my server does not allow for anonymous access
if I create a html file on my local drive and I create a link to the config.php file and then I open that local page in my browser and I use "Save Target As..." right-click button (on Windows IE) to save the file on the hard disk without opening it first the page still comes out empty!

Therefore I would think I'd be on the safe side but I am sure that if the developer advises against it there must be some reason, so I ask:

is there some way that an expert user/hacker/lucky person can see what is contained in the PHP file?
is there some way or software to look at a browser's memory (as opposed to output) that somebody can look at if and what and which variables are assigned to what???

This is my big doubt...

If none of you can tell me off then tell me if in your opinion I am safe leaving my configuration.php file in a public access folder on my site...

Are the script's developers crazy paranoid? What is the deal with all of this?

Let's talk security, shall we? ;-)
Thanks for your contribution to a safer server (of mine ;-))

martyn

Well i think you are quite safe as PHP is server side.

The PHP file is ran through the PHP program on the server, the HTML then created is sent to the client (Browser).

I have not seen many cases of people being able to look in the PHP file while it is on the server.

The only way i can see to do it is with a FTP program, this would involve trying loads of password combinations which will take loads of time. Also the username would be needed so it too will take a long time.

There are other methods to hack FTP, such as hacking your comp and monitoring the ports to see what info is baing sent/received, and as FTP does not encrypt the data before sending your password/username will be visible.

Using SSH or something similar would sove this problem, but the chances of a hacker finding your IP would he very low, and the chances of you FTP'ing at that particular time would be very very low too. And having firewalls (software and hardware) would also help a great deal as a deterant/stoping means.

Just to let you know there is a good chance i am wrong, but if i am some others will post and tell you 😉

Regards,
- MP

marcnyc

What is SSH? Do you mean SSI or SSL?

dalecosp

Originally posted by marcnyc
What is SSH? Do you mean SSI or SSL?

SecureSHell, which you might say is 'encrypted telnet,' but that definition doesn't really do it justice either...

On the real subject, I haven't yet given it enough thought, but what about something like this:

$file='http://yourserver.com/your_sensitive_script.php';
$fp=fopen($file, "r");
$code=fread($fp, filesize($file));
highlight_file($code);

I am NOT a hacker, and I don't play one on TV...

mogster

The last first:

The $file='http://yourserver.com/your_sensitive_script.php'; still uses the http-protocol, and the result from that file would be the parsed result = some html.
This is the method used for retrieve-scripts, that opens a remote file and returns html for tag-stripping and such.

A comment to the possibility of sensitive vars being accessible:
This is just the same as if the file was included from a secret dir outside the web. The vars would still be accessible in the main script, wouldn't they?
And it being present in readable state in web_root, the vars would be as easily manipulated as in the db_connect.php. Which is a bit diffucult, I think.

As for php being fooled to display it's real self😉 :
I trust the parser completely.
And if there was a method for this, it would be a huge bug! And a huge security-issue in php! I haven't read all info there is at php.net, but I'm quite sure misself (and many more) would have noticed it.
Php is considered rather safe by now, and if there were such issues present, well - no one would use it for production sites.
There is ftp, that's true. But if your web-dir is accessible by ftp, there's a chance the whole directory-structure would be readable?

But there's another issue: other users at the same server may include your file from their own dir. There's no way around this execpt setting apache to run a separate session for each user - and this is impractical, since it would increase serverload.
Every php-user uses the same rights for read/write, and if the other user does
include("../../../your_webdir/your_secret_file.php");
you won't be able to prevent it.
I guess this would apply mostly to public servers with many users.

knutm

marcnyc

Originally posted by mogster
The last first:
The $file='http://yourserver.com/your_sensitive_script.php'; still uses the http-protocol, and the result from that file would be the parsed result = some html.
This is the method used for retrieve-scripts, that opens a remote file and returns html for tag-stripping and such.

So you are saying it wouldn't work?

A comment to the possibility of sensitive vars being accessible:
This is just the same as if the file was included from a secret dir outside the web. The vars would still be accessible in the main script, wouldn't they?
And it being present in readable state in web_root, the vars would be as easily manipulated as in the db_connect.php. Which is a bit diffucult, I think.

I don't know what db_connect.php is but once the file is included and used by the main script the variables are, so to say, flying around and not displayed...

As for php being fooled to display it's real self😉 :
I trust the parser completely.
And if there was a method for this, it would be a huge bug! And a huge security-issue in php! I haven't read all info there is at php.net, but I'm quite sure misself (and many more) would have noticed it.
Php is considered rather safe by now, and if there were such issues present, well - no one would use it for production sites.

Your confidence is reassuring but tell me why then where the developers of the script so aggressively emphasizing that that sensitive file should be outside of a publicly accessible dir?

What it really comes down to here is that somebody might wanna get the db name, db user name and db password... Can they do it in ANY way if the file is in a public folder?

There is ftp, that's true. But if your web-dir is accessible by ftp, there's a chance the whole directory-structure would be readable?

Actually like I said in my particular case my host does not allow anonymous FTP access so I think I am safe...

But there's another issue: other users at the same server may include your file from their own dir. There's no way around this execpt setting apache to run a separate session for each user - and this is impractical, since it would increase serverload.
Every php-user uses the same rights for read/write, and if the other user does
include("../../../your_webdir/your_secret_file.php");
you won't be able to prevent it.
I guess this would apply mostly to public servers with many users.
knutm

I might be wrong saying this but I don't think that other users of the same host would have more luck in including my file with include() than somebody on a different server would have using require().

But then again, even if they do include() or require() the file can they SEE what is INSIDE??? That is the real question... We know you can get to the file in some way, but can you read it?

marcnyc

I tried dalecosp's solution:

$file='http://yourserver.com/your_sensitive_script.php';
$fp=fopen($file, "r");
$code=fread($fp, filesize($file));
highlight_file($code);

and I got this:

Warning: stat failed for http://www.chaindlk.org/configuration.php (errno=2 - No such file or directory) in hack.php on line 5

Warning: SAFE MODE Restriction in effect. The script with your uid is not allowed to access a file owned by another uid in hack.php on line 6

marcnyc

I also tried another external file with this code:

<?
require('http://www.chaindlk.org/configuration.php');
echo $var1;
print $var['path'];
print_r($states);
?>

where those vars and the array are actuall in the sensitive file but I got NO output at all, none whatsoever, not even an error, which leaves me wondering if it even included/required that file...

mogster

Hi!

Long and winding post, but I'll try to answer 😉 :

So you are saying it wouldn't work? ($file=...)
Yes, I don't think php will give you any values, except the ones that are actually echoed into the remote file on parse.

The same for include('http://remote.com/remote.php');

But I've read a bit on php.net, and the answer the provide is rather vague:

If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using an URL (via HTTP or other supported wrapper - see Appendix I for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using an URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

It seems you have to call the values in the include() statement:
include('http://remote.com?var=2&var2=3');
But this will not let the remote script send any values back, but the result of your query ?var=2&var2=3 (And not even those, but their result)
It is, as far as i know, sent as straight html, because the remote server will treat the request as a standard http-request and send only parsed content back.

But hey - I'm no expert on this, just a thought 😃

Warning: SAFE MODE Restriction in effect. The script with your uid is not allowed to access a file owned by another uid in hack.php on line 6

Ah, they're running in safe mode. On some servers with many users, this will prevent other users at same server from viewving each others code. Just read about it in a php book 😉
Strange that it would treat your request that way, though - since it was from a remote server.

Your confidence is reassuring but tell me why then where the developers of the script so aggressively emphasizing that that sensitive file should be outside of a publicly accessible dir?

Probably because they tend to be as inc, which won't be treated as a standalone page, and where (some of) the php will be echoed "as is". This may be avoided by telling apache to treat inc's as php, but more than often it isn't done.
There's a huge difference between php-scripts and other files in this respect - the php-file is able to protect itself from viewers, while a txt-file would be viewable to all (if it is for php).
You can also protect any files from being viewed under your web-dir by placing deny-statements in httpd.conf:
<Location /includes/*.inc>
Order deny,allow
Deny from all
</Location>
I also think you may use this in .htaccess, but I'm not sure how.

knutm

marcnyc

Mogster, to answer three things you pointed out:

Actually safe_mode is disabled, so that makes it even stranger...
the file is actually a .php, not a .inc
I am no expert in Apache configuration but the code you posted seems a valid .htaccess syntax to me and might just do what we need.
Can anybody please confirm that it is correct syntax for .htaccess and that it will do the right thing... Also what exactly will this prevent? Cause we still have to let the script access the file, you know?

mogster

Yo!

Maybe this is just php's way to treat exploit-attempts. I don't know.
OK. I would trust this to be safe in the web-dir if you don't echo anything.
It will prevent apache from delivering the stuff to a http-rewuest. That is, it will if you set this under virtualhosts. I don't know about .htaccess (but also believe that it would work).

I've been thinking: what if you check the db_connect wether it's an include or not?

if($_SERVER['PHP_SELF'] == "http://www.yourdomain.com/db_connect.php") {
die("This file may only be included!");
}

The value of php_self would be different if it's included in another script.
Haven't tested it, but it seems logical 😃

knutm

mogster

Yeah, that last one works, but php_self just contain the path from doc_root:

if($_SERVER['PHP_SELF'] == "/db_connect.php") {
die("This file may only be included!");
}

knutm

marcnyc

Two questions:

where would I put this code?

When you say db_connect.php are you referring to my file called configuration.php?

mogster

The code would be put on top of your configuration.php, and the db_connect.php was a name for that, yes 😉

Try it: create a script that includes configuration.php and run it. No error prints. Then run configuration.php in your browser and it'll print the error.

But I would change the die() to a header-location instead:

if($_SERVER['PHP_SELF'] == "/configuration.php") {
header("Location:index.php");
## Then die silently as an extra precaution ##
die();
}

knutm

cakkafracle

Anyone hear ever heard of 'wget'?

It's a unix/linux command line app that lets you grab files from web servers through http

I suggest you look into it.

I just downloaded a .php file from my webserver using this command.

ex:

wget http://mydomain.com/includes/mypasswords.php

or whatever.

So, THIS is why extra special spiiffy scripts should be OUTSIDE the webserver public areas.

my two bits

Cakk