Remote Requires?

Wraith2700

I am making a website that will generate a config.php when
install.php is run, it contains the database name, user, and
password in an array.

Lets say some one knows the name of this array, and writes a
script that will include the http://www.somesite.com/config.php
and will then print out the contents of the array.

Is this possible? If so how would I stop this, I made a script to
play around with it to try stopping that and this is what I came up
with.

$config = array(
                "db_host"=>"localhost",
                "db_name"=>"someDB",
                "db_usr"=>"someUser",
                "db_pwd"=>"somePass",
                "websiteurl"=>"http://www.somesite.com/Website/"
);

if(substr($config[websiteurl], strlen($config[websiteurl]) - 1, 1) != "/")
                $config[websiteurl] = $config[websiteurl] . "/";

$currentURL = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
$url = $config[websiteurl] . "index.php";

if(substr($currentURL, 0, 4) == "www.")
                $currentURL = substr_replace($currentURL, '', 0, 4);

if(substr($url, 0, 4) == "www.")
                $url = substr_replace($url, '', 0, 4);

if($currentURL != $url)
{
                unset($config);
                exit;
}

But as you can see if someone sets there hosts for
www.somesite.com to point to there own server and make
there own script called index.php which includes config.php then
if they can include files remotely then they will have the database
user used by the website.

AstroTeg

This is pretty easy to experiment with (although you'd need to web servers running PHP).

You'll find if you include a PHP (or any other file) located on another server, you will only get the result's output of the file. (as if you had plugged it into your browser). If the file doesn't show anything in the browser, then you won't get anything when you try to include said file.

Wraith2700

Thanks alot!

OK, new scenario.

Lets say this website is hosted on a shared hosting server,
would any other websites on this server be able to include the
config file and be able to print the variables?

rehfeld

this depends on how securely the server is set up.

on many hosts, i would say yes others could fetch your files.

theres MANY possibilities, you would be best googling for shared server security and reading up on it if security is a big issue. its an enormous topic.

php's safemode and openbase_dir and helpfull to combat the shared server security problems, but they have drawbacks and are not perfect, and cant be.

but those php settings can do nothing at all to stop someone from just using cgi to fetch your files....

i would ask your host about this. they know how the server is configed, and should know whats possible/easy to do and whats not.

AstroTeg

Yes, this tends to be a problem. If you want the ultimate in security get your own dedicated server. This will prevent others from breaking your site/security and will allow you more control over your security setup (meaning you have complete control over security config of your server).

Alternatively, you might have your script you want to protect check if its being called within its own directory. I think this can be done, but I'm not sure.

Not that phpBB is all that secure, but they have this snippet of code in all their include files:

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
}

Where IN_PHPBB gets defined elsewhere in your web app(s). Granted, if someone can access your files and read them, they'll be able to write code to work around the above code.

rehfeld

that wont help protect you if they arent parsing the file...and they most likely wouldnt be parsing it/including it. they can parse it later after looking at it.

all they need to do is read your file...like using fopen() or file_get_contents()

then no matter what you do in your script its not gonna stop them from seeing it.

and again, they could also use cgi...