Kirk Parker

Anon

Hey Kirk, I've seen you reply to lots of messages here at this forum. Are you an administrator? Or do you just like helping people out A LOT.

Anyways, please check out my post "Username and Password" just below this one.

brandonschnell

or he could be like many of us that are bored out of our minds while we're at work.

kparker

Actually, akozlov has already said it all. Regardless of whether you're storing the password in a text file or a database, it's a very good idea to store the md5 hash and not the plaintext--especially if you're on a shared server, where your server-mates could easily gain access to your files even if browsers can't.

kparker

VBG!

Anon

Every time I read a post, I hear how easy it is for people to gain access to my stuff. But is it really? I have no clue how to access other people's directories who share the same server as I do.

How can they easily gain access? Or are we just assuming that there are people of huge intellect that go around stuffing their noses in people's files?

[deleted]

Uhm... yes there are people of huge intellect that put their noses into your files. They are called hackers and system-administrators.
Hackers do it because it's a sport or they just have no life :-) System admins do it to see if their server is still safe. If admins can get into your files (without using the admin accounts ofcourse) so can malicious hackers.

Here's a short version of a discussion that was held here a few days ago:
If you are on a 'bad' shared server, all users will share the same webserver process. That means all the html and php files of all users are read by the same process. So, if you can read your own config file using php, that means the webserver can read the config file. And because all the users use the same webserver, they too can read your config file. It's just matter of finding the filename, and that's usually printed in your sourcecode.

Or they couold just write a PHP script that scans your directory structure looking for files that can be read by the webserver.

It's really not that difficult.

Security is very important.

kparker

I have no clue how to access
other people's directories who share the same server as I do.

Very well; I'll help keep it that way by not telling you how. :-)
Nevertheless, security-by-obscurity is generally considered to
be a weak policy.

lucidfx

Some things are relatively easy, I am a sysadmin for my school and wrote a php script that makes directory listings and makes it able to display all files in anyones folder, since it runs as the webserver it displays everyones files including mysql password and usernames.

I also tried this script on a webhosting place that I use and it also worked there, I could browse the file system and read anything the webserver can. Im not doing it maliciously but you have to tamper with systems to secure them.

Main power of this script is from being able to run the command line executes of LS ect.
Trying to figure out some solutions without disabiling command line executes in php.

frymaster

being able to run the command line stuff is definitely a weakness (security wise) personally, i set the $PATH of the account that runs apache to /usr/hyphen/bin (hyphen is my apache account) and then make symbolic links for all the commands i'll need. it means that any malicious attempt to run something like chmod, sudo, rm, chatter or whatever will need to know the full path. Normally that's not hard, but the TRULY paranoid can go and change the directory names for all the bins (and, of course, update their $PATHs). For even more paranoia, you can write small C wrappers on all your local commands, ie

int main(int argc, char *argv[])
{

char command[50];
FILE *fp;

fp = fopen("/tmp/log", "r");
fwrite(fp, "somebody ran the cat command");
fclose(fp);

strcpy(command, argv[1]);
strcat(command, argv[2]);
system(command);

}

that will log them being called. Note that the above code has a very good chance of not working (C is getting rusty... sigh).

sorry about the blabbering....

-frymaster

[deleted]

If you are that paranoid (rightfully so) you should probably use the safe mode, which limits the executable programs to a pre-defined directory.
If it's not in there, it doesn't execute.

usually just having the rights for your webserver set to a sane setting will block most attacks, but there's no protection agains "dumb" users. 🙂