Php + mysql = security problem

Anon

Hello!
I've noticed a quite interesting problem with security while experimenting with php.

I use a one separate file for database connection string which I include at every file which needs it.

The problem is, that if I have for example, a file called exaample.php which needs this connection.inc they both need to be readable for users. Now, this generates a problem. Our server is used by somewhat >5000 people. Now, actually they all can come and read my mysql userid and password from this connection.inc file. (Of course they need to know the location and name of the file but still....) Now... Does anyone know how to deal with this problem? So, I want to have thsi include.inc file unreadable for the another users....

Jussi

andreash

Rename the .inc file to .php3.

Anon

Why would that make the file unreadable for other users?

I wouldn't know any real solution for this problem, tho.. here's something i just came up with:
making sure that nobody can list your directory contents is a partial solution, but then people can still know what your php files are called if they go to your website.
unless you make an x.php which includes the other files (and you get urls like yourdom.com/?p=pagecode&otherparams=some_more)! and then make a .htaccess with DirectoryIndex x.php and people will never know what files you have in your dir, and if they don't know the names, they cant read them 🙂
however, if they manage to find out the name, then you're screwed.
i'm no unix guru so there might be other ways to get the dir's contents, but i've never heard of them..
hmm, just thought of the fact that if there is no readable index.php they might just try to read .htaccess 🙂
anyway, this at least blocks some people.

Anon

Let's say:

$username = "admin";
$password = "$ErIgjth";

is located in /etc/blablahbalh.php and set to readable only by root and nobody.

exaample.php will include:
connection.php

where you do the mysql_connect()...
but within that file you include /etc/blablahbalh.php

hmbower

You could always move the connection.inc file outside of a web-accessible area, depending on the structure of your webserver. Then, to include it, you will need the full path to the file, but nobody can just pop the name of the file into a web browser and view it (nor should spider programs be able to grab it). I think this should work... unless I'm missing something. 🙂

(V)

Anon

None of these posts address the fact that anyone else who can write a php script on the same webserver (at an ISP) can <?cat /your/php/file.php?> and see the code that has the mysql user/pass in it, or see what other files they need to cat in order to get it.

Aside from safe_mode, how can you give php your mysql user/pass without risking someone else using cgi or php to read your source and get your password?

php4hosting

If PHP is running using suEXEC (CGI) then you can stop it but as a module you can't.

Its insecure and should only be used on a dedicated server where only you have access.

No fix... if the webserver can read it then someone can write a script to display the files.

Anon

If you have a non-public server, do what some other people mentioned by placing the include file outside the publicly accesed web space. If it is public, then you need to make sure that nobody can read the file (you should do this anyway). Apache should be running as its own user (lets say user httpd and group httpd for example) so what you do is 'chmod 400 connection.inc' and 'chown httpd.httpd connection.inc' which makes it only possible for the httpd user to read the file. Other users (except for root) should not be able to su to the user httpd. If your system is compromised in any way, the connection.inc will be vulerable but that should be the least of your worries in that situation 🙂

It may also be a good idea to rename it to connection.php or php3 so that if a folder transversal bug is ever found that it will be prosessed serverside before being sent to the browser and then it will not print out anything.

-Chris

theomnivore

set the owner/group to 'nobody' and set the permissions to allow others to only execute, not read the file.

php4hosting

How does this make it secure?

All you do as a user of the same webserver is write a php program to read the file content and display it.

Its not secure and can't be made secure unless using suEXEC.

At least I don't know of one 🙁

Anon

The problem is not that some "other" will find read the file. The problem is that you have to write the password somewhere where Apache can read it, which most people accomplish by writing the password in the php script.

What I'm saying is, if Apache can read the file to parse the php, then someone can write their own PHP script that reads in your file with the php source code.

So, aside from suExec, and php safe_mode, (since i'm trying to plan for someone being able to breakout of or circumvent those) how can you have PHP connect to MySQL or anything else that requires a password, without putting a cleartext password in the file, where anyone who can write a script that Apache executes can get at it?

Anon

My comment/question refers to a public server, like at an ISP. If you've got a private server where you don't let anyone in who you don't trust, then this isn't too much of a problem. But at an ISP where there's 1000 untrusted users all with access to write php, that seems to be a problem.

flight553

What does anyone think about, on a public server, where lots of untrusted users can write PHP, and supposing there is no safe_mode or suExec, you put your mysql password in httpd.conf in a VirtualHost or Directory section like:

SetEnv variable value

and then chmod httpd.conf root.root 400.

As I understand it, Apache starts up as root, reads that file, then drops privs to become the httpd user. Then Apache cannot be used to re-read the file and no one but root can read the file that has your password in it. When PHP runs in a file that the VirtualHost or Directory Section in the .conf file applies to the environmental variable $variable or getenv("variable") will be available to use to supply your password when needed.

Can pretend they are a "bad user" and say how they could defeat this?

Anon

It indeed WOULDN'T make the file unreadable to other users, however, it WOULD force the web server to run the .php3 file. .inc files are no doubt unknown by the web server, so they would be passed on to the browser.

Renaming the file is the best solution.

The other thing that can be done is to turn off directory browsing in the web server. This isn't a 100% solution, but it would surely cut down on the odds of a breakin.

nico wrote:

Why would that make the file unreadable for other users?

Anon

This include file is unreadable by users as long as in has a suffix ".php" and there is nothing printed out from it. If you type the name of the file straight into the browser you should see a blank page and when you view the source of this page it should again be blank.

php4hosting

That is still no benefit if users write a PHP script to read the content

Anon

eh.. so everyone can get your pass by doing getenv('mulderspass')?
doesn't sound like a good plan to me, but maybe i'm missing something 🙂

flight553

No, if you SetEnv inside a <Directory> or <VirtualHost> container:

<Directory /home/httpd/htdocs/mulder>
SetEnv mulderspass "scully"
</Directory>

<Virtualhost 192.168.72.25>
ServerName www.virtualdomain.com
DocumentRoot " /home/httpd/htdocs/mulder"
SetEnv mulderspass "scully"
</VirtualHost>

then the settings will only apply when it is serving files affected by that container. Getenv("mulderspass") should only work when Apache is serving files from under my virtualdomain's documentroot. Another user whose PHP scripts lived in /home/httpd/htdocs/scully/ would not have access to the environmental variable.

And if my files are readable only by UID me and GID apache (not other), then my password cannot be stolen by someone else's php script, cgi, perl script because my sourcecode does not have the password written there. The password is only written in httpd.conf, which would be only readable by UID 0 (which apache starts up as before it drops privs). My password in its environmental variable would only be available to my PHP scripts, no one elses.

php4hosting

Thats fine for people with access to httpd.conf but not normal users on a shared server.

I guess there isn't much option

flight553

Well I host my PHP4/MySQL site at http://MissoulaWeb.com for $10/month and they will do stuff like that for you. They really go out of their way to help.