Hello!

As you know, when a PHP script connects to a database, it has to use a login and password for that database.

Usually, the login and password are located in that script (or in some other text file like setup.php, etc.).

In the Apache settings of my provider, all scripts from all users are executed as the group "www".

So, any user of my provider can write a script that will be executed as group "www", and that script can read my script, where the login and password are located.

How can I hide the source of one script from another script if they are executed as the same group?

    use the zend encoder or use your own trusted server.

      • [deleted]

      Can the zend encode force an encryption so that only files encrypted by that same person or password are readable?

        Nope.. Really, I think Storm's problem is a non-issue. If he keeps his uid & password include file out of web root, why can't he trust his ISP/web host to not bother with his stuff?

        Does using /~userid use the same restriction on readable vars?

          • [deleted]

          Exactly who can you trust? :-)

          The thing is, if it's a shared server that uses one webserver process to handle
          all the customers that shared the site (bad scenario, but poo happens),
          then the webserver needs read-access to all the PHP scripts, of all the users.
          That means once you get access to PHP, you get access to all the files that PHP can read, including all the PHP files that are outside the webroot.

          Of course you still have to read the source code to find out which file contains the
          username and password, but that's easy.

            YES! You are absolutely right!

            I wrote a script and checked it on the server of my provider.

            My script can read files of other users on this server, if these files are readable for Apache (I am using the full path when calling them).

            And the only thing I thought of is to make the process of finding the password a little more complicated. It is possible to make an executable file with only "x" permissions, and this file will give the necessary variables on output when it is executed by a PHP script.

            Sure, it is not a solution, because another script will be able to execute it too, but at least the password will not be seen in the body of the script.

            Maybe you know a method to solve this somehow without using a tool of another developer (I mean Zend 🙂)?

            Or is there no other way out?

              • [deleted]

              On a shared setup with one apache server, it is like trying to hide something from yourself. If every other user can read the code, they can also see what you are doing to get the password.

              The best thing you can do is ask your ISP to change the setup so that every user gets his own apache service, running under a separate ID (not the userid).

                The other way is how some places do javascript based authentication. I can't recall the url of the place I'm thinking of...

                Anyway, the idea is to make the loops and controls so cryptic and confusing and hard to read that it's extremely difficult to figure out what the script even does, much less extract the password and username.

                But ultimately it's still possible, but most people won't want to bother to try.

                Beyond that, you have little choice in the matter.

                  • [deleted]

                  That's an idea, but you'd have to make it pretty complex. Remember, on a shared server like this, you also have access to the source that needs the password, so you can just copy the code and away you go.. 🙁

                    There is actually another simple method but requires the help of your ISP (And their time).

                    The own Apache per user is not an option unless customers are willing to pay for it as it demands extra memory and resources (Inc an IP per customer).

                    The only way to do it (AFAIK) is as follows (well, mostly your ISP):-
                    What you have to do is remove your entry for the virtual host entry (in httpd.conf).

                    Put this into a file that is only readable by the user, within the VirtualHost directive put :-

                    <Directory /home/username/web>
                    SetEnv MYSQLPWD secret_pwd
                    </Directory>

                    Now chmod and chown the file then include it in httpd.conf using the Include statement

                    Now in your PHP scripts you use $pwd=getenv("MYSQLPWD");
                    $pwd then equals secret_pwd;

                    Make sure you don't use phpinfo in that directory or you will show the whole world your password.

                    It works as we have used it many times. Good luck with this method! You will need an accommodating host and I would suspect they might charge a little for their time, but let's face it, it's much better this way than the standard free-for-all.

                    Regards

                    Darren Casey

                    HTTP://WWW.PHP4HOSTING.COM ($)
                    HTTP://WWW.PHP4HOSTING.CO.UK (£)

                      • [deleted]

                      The own apache server is the only truly safe way.
                      Most of the time you'll have your own IP anyway, and that few extra MB's of memory shouldn't be a problem,
                      because the single server setup would need half of that amount anyway to keep up with demand.

                      Can you give a more explicit example of what you do, because the explanation here is quite confusing: remove this from httpd.conf, then chmod it, edit it, chmod it again (to some unknown value) and include it again? :-)

                      But if the file is readable by apache, doesn't that mean it's readable by PHP too?

                        The own apache server is the only truly safe way.

                        No, it's not; the method I explained is perfectly secure if set up properly.

                        But if the file is readable by apache, doesn't that mean it's readable by PHP too?

                        No as apache always starts up as root, it then drops to the user in httpd.conf and keeps the config in memory.

                        The explanation is very simple, remove the virtual host directive from httpd.conf and place in a file only readable by the user (That is securing their password)

                        Include this in the httpd.conf

                        Simple

                        Darren
                        http://www.php4hosting.com

                          • [deleted]

                          Aha, now I understand. The root-part is the trick.

                          But you'd have to make sure that the 'included' file can not be written to by the user.

                            And how should I set up Apache to not show my PHP sources to everyone?

                            Do you know a URL for a "chroot howto"?

                              If you follow my example you don't have to worry. If you don't understand my example then this solution is not for you

                              Regards
                              Darren

                                Hi again.

                                I started this thread, and I hope I will finish it 🙂 Here is the description of a parameter that must be set in php.ini:

                                open_basedir string
                                Limit the files that can be opened by PHP to the specified directory-tree.

                                When a script tries to open a file with, for example, fopen or gzopen, the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink.

                                The special value . indicates that the directory in which the script is stored will be used as base-directory.

                                Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.

                                There are also examples of using this parameter in the errata manual at php.net.

                                Thank you all, you helped me very much.
                                It was really good to look at this problem from different sides.
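The per-user include file from Darren's post and the open_basedir setting quoted just above can live in the same file; the following is an added example, not part of any post in this thread. Assumptions: mod_php (so `php_admin_value` is available in the vhost), a root-owned include file, and constructed values for ServerName, paths and the password.

```shell
#!/bin/sh
# Added example, not from the thread. ServerName, paths and the password
# are constructed placeholders. Needs GNU stat.

# Write the per-user file that httpd.conf pulls in with Include.
# umask 077 makes it 0600 from the moment it exists.
write_vhost_include() {  # args: file docroot password
    ( umask 077
      cat > "$1" <<EOF
<VirtualHost *:80>
    ServerName customer.example.invalid
    DocumentRoot $2
    <Directory $2>
        SetEnv MYSQLPWD $3
        # Trailing slash: older PHP treats open_basedir as a path prefix.
        php_admin_value open_basedir $2/
    </Directory>
</VirtualHost>
EOF
    )
}

# Pass only if the web server group cannot read the file and only the
# expected owner can write it. Apache parses the file as root before it
# drops privileges, so the runtime user (and PHP) needs no access to it.
audit_include() {  # args: file expected_owner web_group
    mode=$(stat -c %a "$1") || return 2
    owner=$(stat -c %U "$1")
    group=$(stat -c %G "$1")
    [ "$owner" = "$2" ] || { echo "owner is $owner, want $2"; return 1; }
    case $mode in
        600|400) ;;  # owner only
        640|440) [ "$group" != "$3" ] || { echo "readable by $3"; return 1; } ;;
        *) echo "mode $mode is too open"; return 1 ;;
    esac
}

# Demo in a scratch directory. On a real host this runs as root, the
# expected owner is "root", and httpd.conf gets: Include /path/to/file
demo_dir=$(mktemp -d)
demo_owner=$(stat -c %U "$demo_dir")  # stands in for root here
write_vhost_include "$demo_dir/customer.conf" /home/username/web secret_pwd
audit_include "$demo_dir/customer.conf" "$demo_owner" www && echo "include file OK"
```

Keeping the file owned by root rather than by the customer covers the point raised earlier in the thread that the included file must not be writable by the user, since Apache parses it with root privileges.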

                                  While this stops PHP using an fopen it doesn't plug the hole.

                                  My method is the only sure way to achieve this.

                                  But it does help deter people

                                  Regards
                                  Darren

                                    Yes, you are right, base_opendir is only part of the solution, to not let PHP scripts go outside of some dirs. But I didn't find another way to solve this with PHP only.

                                    Thank you for your method, I don't think it will be too much additional work for the ISP to write these directives 🙂

                                    But your method is also not a complete solution; it can only hide the password (or any other variables written by the ISP), but the source of the script will be visible anyway.

                                    And you must agree - if someone can see the source, he can find holes in the script itself (sure, it depends on the author of the script), and the probability of hacking increases anyway.

                                      Hi,

                                      I tried your method; it does work well for passwords, but the scripts are still visible. I tried with safe mode, where you can open a file only if the uid and gid match that of the running script. I think that is the best way. But there are a lot of limitations with safe mode enabled - I was not able to use settimelimit().
                                      Thanks in advance,
                                      regards

                                        If you use Storm's method as well, it will stop most PHP attacks at viewing source.

                                        Darren