Re: Deny Access To configuration file using php scripts

From: Mohammed Salih (webadmin_at_grc.ae)
Date: 03/05/05

    Date: Sat, 05 Mar 2005 09:27:31 +0400
    To: focus-linux@securityfocus.com

    Does it show up if someone uses phpinfo() or something which can
    print the environment variables?
    administrator@bluephyre.ca wrote:

    >I'm late joining this thread, so I apologize if someone has already
    >suggested this, but try putting this in the VirtualHost configuration
    >file:
    >
    >SetEnv DB_USER "myuser"
    >SetEnv DB_PASS "mypass"
    >
    >Now you can use $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] in
    >your code. This way the values are available to your virtual host only,
    >and presumably your httpd.conf file is only readable by root.
    >
    >CSH
    >
    >
    >
    >>
    >>
    >>>-----Original Message-----
    >>>From: Suramya Tomar [mailto:security@suramya.com]
    >>>Sent: Wednesday, 2 March 2005 9:59 AM
    >>>To: raT
    >>>Cc: focus-linux@securityfocus.com
    >>>Subject: Re: Deny Access To configuration file using php scripts
    >>>
    >>>Hi,
    >>>
    >>>
    >>>
    >>>>Hello i have a web server and i have a major problem
    >>>>some of my users are trying to find my pass for my mysql database.
    >>>>
    >>>>
    >>>My first suggestion would be to warn these users that this is not
    >>>allowed and ban them from the system if they persist.
    >>>
    >>>
    >>>
    >>>>the first thing they do is a
    >>>>system ('cat /var/www/path to config file');
    >>>>inside a php script
    >>>>
    >>>>
    >>>There are a couple of things you can try, First you can use apache
    >>>directives to deny access to the file. To do that add the
    >>>following text
    >>>to the httpd.conf file:
    >>>
    >>><Files ~ "\.inc$">
    >>> Order allow,deny
    >>> Deny from all
    >>></Files>
    >>>
    >>>
    >>While that may stop the web-server from serving the files up, it would
    >>not stop a php script from accessing the files.
    >>
    >>I'm not sure that this can easily be solved. If the file needs to be
    >>readable by apache, then it can also be read by any other process
    >>running as the same user as apache, which would be every php script.
    >>
    >>If you are using virtual hosts, then you may be able to solve the
    >>problem using Apache's per-user virtual-host configuration. This allows
    >>scripts to run as someone other than 'nobody' (or whoever apache is
    >>running as).
    >>
    >>
    >>
    >>>This would prevent all files with the .inc extension from
    >>>being viewed
    >>>via the web.
    >>>
    >>>The second thing I would suggest is to disable access to the system()
    >>>
    >>>
    >>They could also use functions like fopen(), require(), include(), etc to
    >>read the files.
    >>
    >>
    >>
    >>>function unless you really really need it. You can do that in the
    >>>php.ini file by using the disable_functions directive. It
    >>>allows you to
    >>>define a comma-delimited list of functions to be disabled within PHP.
    >>>(http://www.onlamp.com/pub/a/php/2001/02/15/php_admin.html)
    >>>
    >>>Hope this helps.
    >>>
    >>>- Suramya
    >>>
    >>>--
    >>>----------------------------------------------------------
    >>>Some days you're the dog; some days you're the hydrant.
    >>>----------------------------------------------------------
    >>>Name : Suramya Tomar
    >>>Homepage URL: http://www.suramya.com
    >>>-------------------------------------------------
    >>>
    >>>************************************************************
    >>>Disclaimer:
    >>>Any errors in spelling, tact, or fact are transmission errors.
    >>>************************************************************
    >>>
    >>>
    >>>
    >
    >
    >
    >
    >
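The thread makes two points worth checking on a real host: Suramya's disable_functions advice only helps if the whole command-execution family is listed (not just system()), and, as the reply notes, any file the Apache user can read is readable by every PHP script running as that user no matter what a <Files> block says. The following audit helper is an added example, not code from this thread or from the PHP or Apache projects. It parses a php.ini fragment for the disable_functions directive and reports which command-execution functions remain enabled, and it models the Unix owner/group/other read check so you can ask whether a config file is readable by the web-server account. The baseline function list, the sample ini fragments and the uid/gid values (33 for www-data) are constructed assumptions; supplementary group membership is ignored for simplicity.

```python
"""Audit helper for the two mitigations discussed in the thread (added example)."""
import stat
from typing import List

# Command-execution functions a disable_functions line should normally cover.
# Assumption: a reasonable baseline, not an exhaustive list.
EXEC_FUNCTIONS = ["system", "exec", "shell_exec", "passthru", "popen", "proc_open"]

# Constructed php.ini fragments: the first mirrors "disable system() only",
# the second covers the whole family.
WEAK_INI = """; constructed sample php.ini fragment
disable_functions = system
"""
HARDENED_INI = """; constructed sample php.ini fragment
disable_functions = "system, exec, shell_exec, passthru, popen, proc_open"
"""


def parse_disable_functions(php_ini: str) -> List[str]:
    """Return the function names in the effective disable_functions line.

    php.ini uses ';' for comments and the last occurrence of a directive wins,
    so we strip comments and keep overwriting until the end of the file.
    """
    names: List[str] = []
    for raw in php_ini.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            value = value.strip().strip('"')
            names = [n.strip().lower() for n in value.split(",") if n.strip()]
    return names


def exec_gaps(php_ini: str) -> List[str]:
    """Command-execution functions still callable under this php.ini."""
    disabled = set(parse_disable_functions(php_ini))
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


def readable_by_user(mode: int, file_uid: int, file_gid: int,
                     uid: int, gid: int) -> bool:
    """Can the account (uid, gid) read a file with these stat() attributes?

    Mirrors the classic owner/group/other rule; root always reads.
    Supplementary groups are deliberately not modelled (simplification).
    """
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == file_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def config_exposed_to_webserver(mode: int, file_uid: int, file_gid: int,
                                www_uid: int = 33, www_gid: int = 33) -> bool:
    """True when the web-server account (assumed 33:33) can read the config file.

    If this is True, every PHP script running as that account can read it,
    regardless of any Apache <Files> deny rule.
    """
    return readable_by_user(mode, file_uid, file_gid, www_uid, www_gid)


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: still enabled -> {exec_gaps(ini) or 'none'}")
    # root:www-data 0640 -> scripts running as www-data can read it
    print("0640 root:www-data exposed:", config_exposed_to_webserver(0o640, 0, 33))
    # root:root 0600 -> only root (or a per-user vhost running as root) reads it
    print("0600 root:root exposed:", config_exposed_to_webserver(0o600, 0, 0))
```

Run it as a script to see both reports; in practice you would feed it the output of `os.stat()` on the real config path and the contents of the loaded php.ini. A config that is not exposed to the web-server account is only usable by scripts that run as a different user, which is the per-user virtual-host approach the reply mentions.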
