Re: Deny Access To configuration file using php scripts
From: Mohammed Salih (webadmin_at_grc.ae)
Date: 03/05/05
- Previous message: Server Administration: "Re: Deny Access To configuration file using php scripts"
- In reply to: administrator_at_bluephyre.ca: "RE: Deny Access To configuration file using php scripts"
- Next in thread: Anton Titov: "Re: Deny Access To configuration file using php scripts"
- Reply: Anton Titov: "Re: Deny Access To configuration file using php scripts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 05 Mar 2005 09:27:31 +0400
To: focus-linux@securityfocus.com
Does it show up if someone uses phpinfo() or something else that can
print the environment variables?
administrator@bluephyre.ca wrote:
>I'm late joining this thread, so I apologize if someone has already
>suggested this, but try putting this in the VirtualHost configuration
>file:
>
>SetEnv DB_USER "myuser"
>SetEnv DB_PASS "mypass"
>
>Now you can use $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] in
>your code. This way the values are available to your virtual host only,
>and presumably your httpd.conf file is only readable by root.
>
>>
>>>-----Original Message-----
>>>From: Suramya Tomar [mailto:security@suramya.com]
>>>Sent: Wednesday, 2 March 2005 9:59 AM
>>>To: raT
>>>Cc: focus-linux@securityfocus.com
>>>Subject: Re: Deny Access To configuration file using php scripts
>>>
>>>>Hello, I have a web server and I have a major problem:
>>>>some of my users are trying to find my password for my MySQL database.
>>>
>>>My first suggestion would be to warn these users that this is not
>>>allowed and ban them from the system if they persist.
>>>
>>>>The first thing they do is a
>>>>system('cat /var/www/path to config file');
>>>>inside a PHP script.
>>>
>>>There are a couple of things you can try. First, you can use Apache
>>>directives to deny access to the file. To do that, add the following
>>>text to the httpd.conf file:
>>>
>>><Files ~ "\.inc$">
>>>    # keywords are separated by a comma only; "allow, deny" with a space is a syntax error
>>>    Order allow,deny
>>>    Deny from all
>>></Files>
>>
>>While that may stop the web server from serving the files up, it would
>>not stop a PHP script from accessing the files.
>>
>>I'm not sure that this can easily be solved. If the file needs to be
>>readable by Apache, then it can also be read by any other process
>>running as the same user as Apache, which would be every PHP script.
>>
>>If you are using virtual hosts, then you may be able to solve the
>>problem using Apache's per-user virtual-host configuration. This allows
>>scripts to run as someone other than 'nobody' (or whoever Apache is
>>running as).
>>
>>>This would prevent all files with the .inc extension from being viewed
>>>via the web.
>>>
>>>The second thing I would suggest is to disable access to the system()
>>
>>They could also use functions like fopen(), require(), include(), etc. to
>>read the files.
>>
>>>function unless you really really need it. You can do that in the
>>>php.ini file by using the disable_functions directive. It allows you to
>>>define a comma-delimited list of functions to be disabled within PHP.
>>>(http://www.onlamp.com/pub/a/php/2001/02/15/php_admin.html)
>>>
>>>Hope this helps.
>>>
>>>- Suramya
>>>
>>>--
>>>----------------------------------------------------------
>>>Some days you're the dog; some days you're the hydrant.
>>>----------------------------------------------------------
>>>Name : Suramya Tomar
>>>Homepage URL: http://www.suramya.com
>>>-------------------------------------------------
>>>
>>>************************************************************
>>>Disclaimer:
>>>Any errors in spelling, tact, or fact are transmission errors.
>>>************************************************************
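The following is an added example, not code from any post in this thread. It is a "hostile tenant" probe of the kind the original poster describes, run with system() and friends removed through disable_functions, and it shows the two points made above: a PHP script in the same server process can still read or include the config file, and anything injected with SetEnv comes back through getenv(), $_SERVER and phpinfo(). The file name config.inc, the DB_USER/DB_PASS names and the secret values are constructed for the demonstration; the config file is written to the temp directory so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread: a "hostile tenant" probe showing
// why disabling system() alone does not protect a config file that the web
// server user can read, and why SetEnv values are visible to every script in
// the same server process. The config file name, the DB_USER/DB_PASS names
// and the secrets are constructed for illustration; the file is written to
// the temp directory so the script runs stand-alone, e.g.:
//   php -d disable_functions=system,exec,shell_exec,passthru,popen,proc_open probe.php

$conf = sys_get_temp_dir() . '/config.inc';        // stand-in for /var/www/<site>/config.inc
file_put_contents($conf, "<?php\n\$db_user = 'myuser';\n\$db_pass = 'constructed-secret';\n");
chmod($conf, 0640);                                 // owner-readable; the probe runs as the same uid

putenv('DB_USER=myuser');                           // stand-in for "SetEnv DB_USER" in the vhost
putenv('DB_PASS=constructed-env-secret');           // stand-in for "SetEnv DB_PASS"

// 1. A <Files> deny block stops the web client and disable_functions stops the
//    shell, but a plain read from PHP still works.
echo "file():    ", implode(' | ', file($conf, FILE_IGNORE_NEW_LINES)), "\n";

// 2. include() executes the file as PHP in this scope and hands over its variables.
include $conf;
echo "include(): db_user=$db_user db_pass=$db_pass\n";

// 3. SetEnv values come back through getenv(); under Apache they are also in $_SERVER.
//    (From the CLI, putenv() after startup does not reach $_SERVER, so that column reads "unset".)
foreach (['DB_USER', 'DB_PASS'] as $name) {
    printf("%-8s getenv=%s \$_SERVER=%s\n", $name . ':', getenv($name),
           $_SERVER[$name] ?? 'unset');
}

// 4. phpinfo() prints the same environment; search its output rather than reading it by eye.
ob_start();
phpinfo(INFO_ENVIRONMENT | INFO_VARIABLES);
$info = ob_get_clean();
echo "phpinfo(): DB_PASS listed: ", (strpos($info, 'DB_PASS') !== false ? 'yes' : 'no'), "\n";

unlink($conf);
```

The probe succeeds because every step runs as the same Unix user that owns, or can read, the config file; no Apache directive and no blacklist of PHP functions changes that. The only arrangement that makes the file unreadable to a neighbouring tenant is the one suggested above: run each virtual host's scripts as a separate user (suEXEC-style separation), own the config file by that user with mode 0640 or 0600, and keep database credentials out of SetEnv, since the environment is shared by every script the server process runs. open_basedir narrows which paths a script may open but has a long history of bypasses and should not be relied on as the boundary.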