Passwords HELP

Anon

Ok I'm storing all the usernames and md5 encrypted passwords in a text file. I figured I would just chmod the text file to 700 so no one could read the text file with their browser, but when I do that it doesn't allow my program to write to the file. I can only get it to work if users are able to see the text file. How can I change this?

Also, could I use .htpasswd to store the passwords and usernames?

brandonschnell

1) either place the password file outside of the web root (as in /home/username/passwords) or use the file name .htpasswd.

using the .htpasswd file as a password file would work because by default apache is setup to prevent users from downloading the file.

2) if you intend to add users yourself you 'll need to make the file readable by apache (chmod 744). otherwise, if your php script will add users make the file writeable to the user/group apache is running as. this typically means chmod 746. but this means that anyone else on your server can write to the file.

3) encrypt passwords in the text file using md5 or another one way password encryption method. when the user tries to login, take what they've typed and md5 it, then compare it against the text file.

but regardless of what you do, this method isn't very secure against other users who might be on your server. and security can get worse as you automate the process. consider using a database (which has an entirely new set of security).

Anon

But how do i use .htpasswd??

In my script what I do is I open up the text file and write to it:

$fp = fopen("textfile.txt");
fwrite ($fp, "$username,$password");
fclose($fp);

How do I do it with .htpasswd?

$fp = fopen(".htpasswd") ?????

brandonschnell

.htpasswd is typically used as part of a commonly authentication module for apache. in this case just name your password file .htpasswd and store "username,password" on every line. handle it like you're using the textfile.txt. but if you can write to the file in php so can any other user on your server.

Anon

How can people on my server write to my text files??

They write a script like this:

$fp = fopen("http://www.sameserver.com/file.txt", "w");
fwrite ($fp, "hello world");
fclose ($fp);

Yes?? How can they do it?

brandonschnell

most web hosting companies place multiple users on one server. if apache has read/write access to the file, then any other user on the server will also have access to your password file.

Anon

But Im asking you HOW??? Fine, you say other users on the same server as mine have read/write access to my textfile, but HOW CAN THEY WRITE TO IT???? It's a simple question.

I asked if a script like this would work:

$fp = fopen("http://www.username2.f2s.com/file.txt", "w");
fwrite ($fp, "hello world");
fclose ($fp);

If my username were username1, and I wanted to write to username2's file.txt
We're both on the same server, lets say (194.103.33.44), both at f2s.com.

Would the script work? If not, ...
HOW COULD SOMEONE ELSE WRITE TO MY FILES!!!
emphasis on how.

Please respond to my question

brandonschnell

if they're logged on via telnet:
"echo > /path/to/apache/web/files/yoursitename/password_file"

would wipe out your password file.

"HOW CAN THEY WRITE TO IT????" is not a simple question. its entirely dependent on what kind of operating system you're on and what the file permissions are.

another way would be to modify your example script to use local file paths and not URLs and all you would need is the path to the other users password file. just use basic windows/unix file system commands to browse files and look at script sources to get the location of the password file (ls/dir/cat/etc...).

give me another user account on your server and i'd be happy to show you how it can be done. =)

Anon

i have accounts on f2s.com, sign up for an account there and they'll give you a page in like 24 hours. Then I'll tell you my username and stuff so you can try and mess up my files, OK??

I challenge you 🙂

brandonschnell

i get the following error when i try to signup with f2s.com

http://www.f2s.com/free/free%20home.htm
Welcome to the Freedom To Surf signup page!

Sorry - Our free webservers are currently full.

The new installations started over the weekend are still on-going.
New signup requests are now expected to be ready on Wednesday, 2nd May.

Technical Services, Freedom To Surf

i'll try again later