Re: Deny Access To configuration file using php scripts

From: Server Administration (administrator_at_bluephyre.com)
Date: 03/05/05

    Date: Sat, 05 Mar 2005 10:22:25 -0500
    To: webadmin@grc.ae
    
    

    It does show up in phpinfo(), but if the SetEnv's are defined at the
    VirtualHost level (I am assuming Apache web server) then they are only
    accessible by that VirtualHost.

    If a malicious user can get *your* VirtualHost to execute phpinfo(),
    then you have other, arguably more critical, security issues.

    CSH

    Mohammed Salih wrote:
    > Does it show up if someone uses phpinfo() or some other means to
    > print the environment values?
    >
    > administrator@bluephyre.ca wrote:
    >
    >>I'm late joining this thread, so I apologize if someone has already
    >>suggested this, but try putting this in the VirtualHost configuration
    >>file:
    >>
    >>SetEnv DB_USER "myuser"
    >>SetEnv DB_PASS "mypass"
    >>
    >>Now you can use $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] in
    >>your code. This way the values are available to your virtual host only,
    >>and presumably your httpd.conf file is only readable by root.
    >>
    >>CSH
    >>
    >>
    >>
    >>>
    >>>
    >>>>-----Original Message-----
    >>>>From: Suramya Tomar [mailto:security@suramya.com]
    >>>>Sent: Wednesday, 2 March 2005 9:59 AM
    >>>>To: raT
    >>>>Cc: focus-linux@securityfocus.com
    >>>>Subject: Re: Deny Access To configuration file using php scripts
    >>>>
    >>>>Hi,
    >>>>
    >>>>
    >>>>
    >>>>>Hello, I have a web server and I have a major problem:
    >>>>>some of my users are trying to find my password for my MySQL database.
    >>>>>
    >>>>>
    >>>>My first suggestion would be to warn these users that this is not
    >>>>allowed and ban them from the system if they persist.
    >>>>
    >>>>
    >>>>
    >>>>>the first thing they do is a
    >>>>>system ('cat /var/www/path to config file');
    >>>>>inside a php script
    >>>>>
    >>>>>
    >>>>There are a couple of things you can try. First, you can use Apache
    >>>>directives to deny access to the file. To do that, add the
    >>>>following text to the httpd.conf file:
    >>>>
    >>>><Files ~ "\.inc$">
    >>>> Order allow,deny
    >>>> Deny from all
    >>>></Files>
    >>>>
    >>>>
    >>>While that may stop the web server from serving the files up, it would
    >>>not stop a PHP script from accessing the files.
    >>>
    >>>I'm not sure that this can easily be solved. If the file needs to be
    >>>readable by apache, then it can also be read by any other process
    >>>running as the same user as apache, which would be every php script.
    >>>
    >>>If you are using virtual hosts, then you may be able to solve the
    >>>problem using Apache's per-user virtual-host configuration. This allows
    >>>scripts to run as someone other than 'nobody' (or whoever Apache is
    >>>running as).
    >>>
    >>>
    >>>
    >>>>This would prevent all files with the .inc extension from being viewed
    >>>>via the web.
    >>>>
    >>>>The second thing I would suggest is to disable access to the system()
    >>>>
    >>>>
    >>>They could also use functions like fopen(), require(), include(), etc to
    >>>read the files.
    >>>
    >>>
    >>>
    >>>>function unless you really, really need it. You can do that in the
    >>>>php.ini file by using the disable_functions directive. It allows you to
    >>>>define a comma-delimited list of functions to be disabled within PHP.
    >>>>(http://www.onlamp.com/pub/a/php/2001/02/15/php_admin.html)
    >>>>
    >>>>Hope this helps.
    >>>>
    >>>>- Suramya
    >>>>
    >>>>--
    >>>>----------------------------------------------------------
    >>>>Some days you're the dog; some days you're the hydrant.
    >>>>----------------------------------------------------------
    >>>>Name : Suramya Tomar
    >>>>Homepage URL: http://www.suramya.com
    >>>>-------------------------------------------------
    >>>>
    >>>>************************************************************
    >>>>Disclaimer:
    >>>>Any errors in spelling, tact, or fact are transmission errors.
    >>>>************************************************************
    >>>>
    >>>>
    >>>>
    >>
    >>
    >>
    >>
    >>
    >
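The disable_functions advice quoted above is easy to get subtly wrong: a commented-out line, a second occurrence lower in php.ini that overrides the first, or a list that names system() but leaves PHP's other process-spawning functions callable. The script below is an added example, not code from anyone in this thread. It audits a php.ini and reports which command-execution functions are still enabled. The two php.ini files are constructed samples, and the set of functions it checks (system plus exec, shell_exec, passthru, popen and proc_open) is my choice; the thread itself only names system(). As the thread already points out, this does nothing about fopen()/include() reading a world-readable config file; it only closes the shell-command route.

```shell
#!/bin/sh
# Added example (not from the thread): audit a php.ini for the
# disable_functions directive and list the command-execution functions
# that remain callable. Sample php.ini contents below are constructed.

# Functions a hardened php.ini should list in disable_functions.
# The thread names system(); the others are PHP's remaining ways to
# spawn a process. This list is an assumption of this example.
EXEC_FUNCS="system exec shell_exec passthru popen proc_open"

# Print the effective disable_functions value of the php.ini given as $1:
# skips ';' comment lines, strips trailing comments, whitespace and quotes,
# lower-cases the names (PHP function names are case-insensitive) and keeps
# the LAST occurrence, because a later directive overrides an earlier one.
effective_disabled() {
  awk -F= '
    /^[ \t]*;/ { next }                                  # comment line
    tolower($1) ~ /^[ \t]*disable_functions[ \t]*$/ {
      val = $2
      sub(/;.*$/, "", val)                               # trailing comment
      gsub(/[ \t"]/, "", val)                            # whitespace, quotes
      last = tolower(val)
    }
    END { print last }
  ' "$1"
}

# Print, one per line, the functions from EXEC_FUNCS that the php.ini
# given as $1 does NOT disable. Empty output means full coverage.
missing_disabled() {
  disabled=$(effective_disabled "$1")
  for f in $EXEC_FUNCS; do
    case ",$disabled," in
      *",$f,"*) ;;            # covered by the directive
      *) echo "$f" ;;         # still callable
    esac
  done
}

# --- constructed sample inputs ------------------------------------------
WEAK_INI=$(mktemp)
HARD_INI=$(mktemp)
trap 'rm -f "$WEAK_INI" "$HARD_INI"' EXIT

# Weak: the only real directive is commented out, the live one is empty.
cat >"$WEAK_INI" <<'EOF'
; constructed sample php.ini (weak)
;disable_functions = system,exec
disable_functions =
EOF

# Hardened: an earlier stray value is overridden by the later, full list.
cat >"$HARD_INI" <<'EOF'
; constructed sample php.ini (hardened)
disable_functions = foo
disable_functions = System, exec, shell_exec, passthru, popen, proc_open  ; last one wins
EOF

echo "weak php.ini still allows:"
missing_disabled "$WEAK_INI"
echo "hardened php.ini still allows:"
missing_disabled "$HARD_INI"
```

Run it against a real file with `missing_disabled /etc/php.ini` (path is an example; use whatever `php --ini` reports). Because `effective_disabled` honours the last occurrence, it catches the common mistake of appending a new `disable_functions` line while an earlier, weaker one remains, which is exactly the case PHP itself resolves in favour of the later line.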

