Re: Deny Access To configuration file using php scripts
From: Igor Plisco (igor_at_plisco.ru)
Date: 03/02/05
- Previous message: Jan Urbancik: "Re: Deny Access To configuration file using php scripts"
- In reply to: raT: "Deny Access To configuration file using php scripts"
- Next in thread: Server Administration: "Re: Deny Access To configuration file using php scripts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 02 Mar 2005 16:27:46 +0300
To: raT <ratmole@gmail.com>
Once upon a time raT shaped electrons to tell:
> some of my users are trying to find my pass for my mysql database.
>
> the first thing they do is a
> system ('cat /var/www/path to config file');
> inside a php script
Remember that there is another way to read the file. It works
even in a suExec user environment, if 1) your site runs as user
nobody (or www in some configurations), and 2) the file with the MySQL password
is placed on the same partition as the user homes.
Suppose you have the file mysql_passwd containing the MySQL password with the
following permissions:
$ ls -l mysql_passwd
-r-------- 1 nobody nobody 1234 Feb 25 19:17 mysql_passwd
The user, say, user1, can't read the file content either from the shell or
from his cgi-bin scripts (in a suExec environment). But he can execute the
following command in his shell or cgi-bin:
user1$ ln mysql_passwd ~/public_html/a.html
In his browser he opens the page:
http://example.com/~user1/a.html
and voila!
Solution:
Run your server in a suExec environment under a special user account not
equal to 'nobody'.
Best regards,
Igor Plisco
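The hard-link trick described above, as an added example that is not code from the original post or its author. It shows that `ln` produces a second name for the same inode (same owner, same mode, link count 2), so a file the user cannot read still ends up with a name inside public_html, and it adds the check an admin would want: a function that walks a web root and flags files whose link count is above one or whose owner differs from the owner of the web root directory. It assumes GNU coreutils (`stat -c`) and GNU/BSD `find` (`-uid`, `-links`). The secret file, directory names and the `audit_webroot`/`demo` function names are constructed for the illustration; since creating files as `nobody` needs root, the scenario uses a single uid, so only the link-count condition fires.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils stat -c
# and a find that supports -uid and -links (GNU and BSD both do).
set -eu

# Both names of a hard link share one inode, so they share owner and mode.
inode_of() { stat -c %i "$1"; }
links_of() { stat -c %h "$1"; }

# Flag regular files under a web root that are either not owned by the
# owner of the web root directory itself, or that have more than one link
# (a hard link to some file outside the tree, which is the post's attack).
audit_webroot() {
    webroot=$1
    owner=$(stat -c %u "$webroot")
    find "$webroot" -type f \( ! -uid "$owner" -o -links +1 \)
}

# Constructed scenario in a temp dir: a mode-0400 secret outside the web
# root, hard-linked to public_html/a.html. Everything is one uid here
# (creating files as 'nobody' needs root), so only -links +1 triggers.
demo() {
    tmp=$(mktemp -d)
    printf 'dbpass=hunter2\n' > "$tmp/mysql_passwd"   # constructed secret
    chmod 400 "$tmp/mysql_passwd"
    mkdir "$tmp/public_html"
    ln "$tmp/mysql_passwd" "$tmp/public_html/a.html"
    # the link is the same inode: same owner, same 0400 mode, 2 links
    [ "$(inode_of "$tmp/mysql_passwd")" = "$(inode_of "$tmp/public_html/a.html")" ] || return 1
    [ "$(links_of "$tmp/public_html/a.html")" = 2 ] || return 1
    # the audit flags a.html; print only the basename
    audit_webroot "$tmp/public_html" | sed 's|.*/||'
    rm -rf "$tmp"
}

demo
```

Run it on a real box as `audit_webroot /home/user1/public_html` (or in a loop over all home directories) and investigate every hit with `ls -li`, comparing the inode against the config file. Because a hard link cannot cross filesystems, keeping the config on a different partition from user homes, as the post's condition 2 implies, closes this path; on Linux kernels 3.6 and later the `fs.protected_hardlinks=1` sysctl also refuses to create a hard link to a file the caller does not own and cannot read and write, which blocks the `ln` step outright. Neither of those is a substitute for the post's own fix of not running the server as `nobody`.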