Re: Deny Access To configuration file using php scripts

From: Igor Plisco (igor_at_plisco.ru)
Date: 03/02/05

  • Next message: administrator_at_bluephyre.ca: "RE: Deny Access To configuration file using php scripts"
    Date: Wed, 02 Mar 2005 16:27:46 +0300
    To: raT <ratmole@gmail.com>
    
    

    Once upon a time raT shaped electrons to tell:

    > some of my users are trying to find my pass for my mysql database.
    >
    > the first thing they do is a
    > system ('cat /var/www/path to config file');
    > inside a php script

    Remember that there is another way to read the file. It works
    even under a suExec user environment, if 1) your site runs under user
    nobody (or www in some configurations), and 2) the file with the mysql
    password is placed on the same partition as the user homes.

    Suppose you have the file mysql_passwd containing the MySQL password with
    the following permissions:

    $ ls -l mysql_passwd

    -r-------- 1 nobody nobody 1234 Feb 25 19:17 mysql_passwd

    The user, say user1, can't read the file content either from a shell or
    from his cgi-bin scripts (in a suExec environment). But he can execute the
    following command in his shell or cgi-bin:

    user1$ ln mysql_passwd ~/public_html/a.html

    In his browser he opens the page:

    http://example.com/~user1/a.html

    and voila!

    Solution:

    Run your server in a suExec environment under a special user account
    that is not 'nobody'.

    Best regards,

    Igor Plisco
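The audit an administrator would run against the scenario Igor describes, as an added example that is not part of the original thread: it checks whether a secrets file is owned by the web-server uid, shares a filesystem with the user homes, already carries a second hard link, or is readable beyond its owner, and it locates stray links under the home tree. The function names, the constructed temp-directory scenario and the placeholder password are assumptions of this example, not anything from the list post.

```python
import os
import stat
import tempfile

def audit_secret_file(path, homes_dir, web_uid):
    """Findings for a secrets file such as mysql_passwd: owned by the web-server
    uid, on the same filesystem as user homes (so hard-linkable from a home
    directory), already hard-linked (link count > 1), or readable beyond owner."""
    st = os.stat(path)
    findings = []
    if st.st_uid == web_uid:
        findings.append("owned by the web-server uid: every script the server runs can read it")
    if st.st_dev == os.stat(homes_dir).st_dev:
        findings.append("same filesystem as user homes: a user can hard-link it into public_html")
    if st.st_nlink > 1:
        findings.append("link count %d: file is already hard-linked elsewhere" % st.st_nlink)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other permission bits set: expected mode 0400")
    return findings

def find_hard_links(root, target_path):
    """Paths under root sharing device and inode with target_path: the stray
    hard links an admin wants to locate (and unlink) after such a finding."""
    t = os.stat(target_path)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                s = os.lstat(p)
            except OSError:
                continue
            if (s.st_dev, s.st_ino) == (t.st_dev, t.st_ino):
                hits.append(p)
    return hits

def demo():
    """Constructed scenario in a temp dir (one filesystem throughout): the
    secrets file, a user home tree, then a hard link planted in public_html."""
    base = tempfile.mkdtemp()
    secret = os.path.join(base, "mysql_passwd")
    with open(secret, "w") as f:
        f.write("placeholder-not-a-real-password\n")  # constructed placeholder
    os.chmod(secret, 0o400)
    homes = os.path.join(base, "home")
    os.makedirs(os.path.join(homes, "user1", "public_html"))
    before = audit_secret_file(secret, homes, os.getuid())  # current uid plays the web user
    os.link(secret, os.path.join(homes, "user1", "public_html", "a.html"))
    after = audit_secret_file(secret, homes, os.getuid())
    return before, after, find_hard_links(homes, secret)
```

On current Linux kernels the sysctl fs.protected_hardlinks=1 refuses the link unless the caller owns the file or has read and write access to it, which is why the demo only succeeds because the running user owns the constructed file; the suExec-with-a-dedicated-user fix above removes the ownership overlap that the link relies on.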


