Re: [PHP] PHP shell commands

2008-01-14 Thread Richard Lynch
On Thu, January 10, 2008 9:15 pm, Lucas Prado Melo wrote:
 Some php applications store database passwords into files which can be
 read by the user www-data.
 So, a malicious user who can write php scripts could read those
 passwords.
 What should I do to prevent users from viewing those passwords?

Get a dedicated box and don't have any untrusted users on it.

There really is no other solution:
If PHP can read the password to use it, then PHP can read the password
to use it, and the other user that can run PHP can do that.

Actually, somebody COULD set up a shared server with enough un-shared
resources, including a different set of HTTP children for each user,
and make this work, but it's a lot easier to find an affordable
dedicated server host than to dig into the details of every webhost
package.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] PHP shell commands

2008-01-12 Thread Lucas Prado Melo
On Jan 12, 2008 4:12 AM, Andrés Robinet [EMAIL PROTECTED] wrote:
 I guess what you are looking for is mod_suphp. STFW or ask the list, someone
 will give you good hints for sure (sorry, have little time right now).

 Rob
Thanks, I will take a look.




RE: [PHP] PHP shell commands

2008-01-12 Thread Andrés Robinet
Hi Lucas,

This is it http://www.suphp.org/Home.html. However, please bear in mind that
you may have some headaches after installing it. Some webmail scripts may
break, as well as existing websites, so you'd be better off researching what
the possible drawbacks are.
My recommendation would be that if you work with a panel (Plesk, cPanel,
DirectAdmin, etc) you go to the panel's forums, because chances are high
that someone has already built a script to do the job for you, and you'll
also get answers to your questions before you run into trouble.
Also, I think there was a way of installing both PHP 4 and 5, one as CGI
(required by suPHP) and the other one as CLI so you could get the regular
PHP behaviour by setting up the corresponding VirtualHost.

For our own domains we use PHP CLI only, as we control the code from top to
bottom, but for shared hosting, suPHP is recommended despite the
headaches (mostly due to your customers' poor PHP code, but in the end to your
support department)... though many hosting providers just don't care and
run the risk (suPHP is not very old anyway).

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE:
bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Lucas Prado Melo
 Sent: Saturday, January 12, 2008 8:50 AM
 To: Andrés Robinet
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] PHP shell commands
 
 On Jan 12, 2008 4:12 AM, Andrés Robinet [EMAIL PROTECTED]
 wrote:
  I guess what you are looking for is mod_suphp. STFW or ask the list,
 someone
  will give you good hints for sure (sorry, have little time right
 now).
 
  Rob
 Thanks, I will take a look.
 




Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
Suppose we were using apache webserver.
I think obfuscation won't work since with some work a user could read
the password.
How to encrypt/decrypt the password?

On Jan 11, 2008 3:37 AM, Chris [EMAIL PROTECTED] wrote:
 Not too much really.

 The webserver needs to be able to read a config file.

 You could obfuscate the fields/entries or encrypt them somehow, but it
 needs to be a two-way encryption (ie you're going to need to undo the
 encryption to be able to use the password).





Re: [PHP] PHP shell commands

2008-01-11 Thread Richard Heyes

Some php applications store database passwords into files which can be
read by the user www-data.
So, a malicious user who can write php scripts could read those passwords.
What should I do to prevent users from viewing those passwords?


You could encode your file(s) using something like the Zend Encoder. 
This turns them into byte code IIRC, so it's hard (not totally 
impossible I think) to get the clear text.


--
Richard Heyes
http://www.websupportsolutions.co.uk

Knowledge Base and HelpDesk software
that can cut the cost of online support

** NOW OFFERING FREE ACCOUNTS TO CHARITIES AND NON-PROFITS **




Re: [PHP] PHP shell commands

2008-01-11 Thread Bipin Upadhyay

Lucas Prado Melo wrote:

Hello,
Some php applications store database passwords into files which can be
read by the user www-data.
Why not keep them out of the web tree and inform the application 
regarding the same. I am sure almost all good applications would provide 
a simple way for doing it.



So, a malicious user who can write php scripts could read those passwords.
What should I do to prevent users from viewing those passwords?
I am not sure I understand this. Do you mean the attacker would upload 
scripts and execute them to read the config files? If yes then that's a 
different problem altogether.


regards



Regards,
Bipin Upadhyay.
http://projectbee.org




Re: [PHP] PHP shell commands

2008-01-11 Thread Bipin Upadhyay

Daniel Brown wrote:
[SNIPPED]


Just keep in
mind that anything that can be accessed by any means is never going to
be 100% secure.


I like the line :)

--Bipin Upadhyay,
http://projectbee.org




Re: [PHP] PHP shell commands

2008-01-11 Thread Daniel Brown
On Jan 11, 2008 6:58 AM, Lucas Prado Melo [EMAIL PROTECTED] wrote:
 On Jan 11, 2008 9:33 AM, Bipin Upadhyay [EMAIL PROTECTED] wrote:
  Lucas Prado Melo wrote:
   Hello,
   Some php applications store database passwords into files which can be
   read by the user www-data.
  Why not keep them out of the web tree and inform the application
  regarding the same. I am sure almost all good applications would provide
  a simple way for doing it.
   So, a malicious user who can write php scripts could read those
   passwords.
   What should I do to prevent users from viewing those passwords?
  I am not sure I understand this. Do you mean the attacker would upload
  scripts and execute them to read the config files? If yes then that's a
  different problem altogether.
 Yes, I mean so.

Make sure you change the permissions on the directory in which
uploads are saved to be non-readable by anyone (including yourself, in
case the scripts are suexec'd).

For example, if the directory in which you save uploaded files is
uploads/ then just do this (on a *nix box):
chmod 300 uploads

That way, files can still be saved to the directory (which
requires write and execute privileges), but the files cannot be read
or executed via the web, and directory listing is implicitly denied
for all protocols (and local access) to anyone except root.

To best protect your configuration scripts, though, always place
them outside of the web-accessible directories (for example,
/home/user/config/) and include them properly.  Also, make sure they
are read-only (chmod 400, or chmod 444 if not using suexec).

Beyond that, code obfuscation using Zend Optimizer (as was
suggested) or an alternative would be your best bet.  Just keep in
mind that anything that can be accessed by any means is never going to
be 100% secure.

-- 
/Dan

Daniel P. Brown
Senior Unix Geek and #1 Rated Year's Coolest Guy By Self Since
Nineteen-Seventy-[mumble].




Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
On Jan 11, 2008 9:33 AM, Bipin Upadhyay [EMAIL PROTECTED] wrote:
 Lucas Prado Melo wrote:
  Hello,
  Some php applications store database passwords into files which can be
  read by the user www-data.
 Why not keep them out of the web tree and inform the application
 regarding the same. I am sure almost all good applications would provide
 a simple way for doing it.
  So, a malicious user who can write php scripts could read those passwords.
  What should I do to prevent users from viewing those passwords?
 I am not sure I understand this. Do you mean the attacker would upload
 scripts and execute them to read the config files? If yes then that's a
 different problem altogether.
Yes, I mean so.




Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
On Jan 11, 2008 2:16 PM, Daniel Brown [EMAIL PROTECTED] wrote:
 Make sure you change the permissions on the directory in which
 uploads are saved to be non-readable by anyone (including yourself, in
 case the scripts are suexec'd).

 For example, if the directory in which you save uploaded files is
 uploads/ then just do this (on a *nix box):
 chmod 300 uploads

 That way, files can still be saved to the directory (which
 requires write and execute privileges), but the files cannot be read
 or executed via the web, and directory listing is implicitly denied
 for all protocols (and local access) to anyone except root.

The uploaded scripts must be executed via the web because it's a host...
Maybe we could prevent scripts from certain folders to see other
folders... (chroot?)
Do you know how to do it in apache?




Re: [PHP] PHP shell commands

2008-01-11 Thread Nate Tallman
To fix this scenario, chroot would require different apache processes
running under different users.

On Jan 11, 2008 3:46 PM, Lucas Prado Melo [EMAIL PROTECTED] wrote:

 On Jan 11, 2008 2:16 PM, Daniel Brown [EMAIL PROTECTED] wrote:
  Make sure you change the permissions on the directory in which
  uploads are saved to be non-readable by anyone (including yourself, in
  case the scripts are suexec'd).
 
  For example, if the directory in which you save uploaded files is
  uploads/ then just do this (on a *nix box):
  chmod 300 uploads
 
  That way, files can still be saved to the directory (which
  requires write and execute privileges), but the files cannot be read
  or executed via the web, and directory listing is implicitly denied
  for all protocols (and local access) to anyone except root.

 The uploaded scripts must be executed via the web because it's a host...
 Maybe we could prevent scripts from certain folders to see other
 folders... (chroot?)
 Do you know how to do it in apache?





Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
Where should I look for further help about mod_php?
How do I beg someone to add a feature to mod_php?

On Jan 11, 2008 8:00 PM, Nate Tallman [EMAIL PROTECTED] wrote:
 To fix this scenario, chroot would require different apache processes
 running under different users.




Re: [PHP] PHP shell commands

2008-01-11 Thread Jim Lucas

Lucas Prado Melo wrote:

Where should I look for further help about mod_php?
How do I beg someone to add a feature to mod_php?

On Jan 11, 2008 8:00 PM, Nate Tallman [EMAIL PROTECTED] wrote:

To fix this scenario, chroot would require different apache processes
running under different users.




What feature would you think about adding to it?

--
Jim Lucas

   Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them.

Twelfth Night, Act II, Scene V
by William Shakespeare




Re: [PHP] PHP shell commands

2008-01-11 Thread Lucas Prado Melo
On Jan 11, 2008 9:28 PM, Jim Lucas [EMAIL PROTECTED] wrote:

 What feature would you think about adding to it?

I think we should be able to set (editing httpd.conf in apache) which
folders are visible to any php script (including shell commands
written in it).
So, we could use Directory tags and set different rules to different
sets of files.
What do you think about it?




RE: [PHP] PHP shell commands

2008-01-11 Thread Andrés Robinet
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Lucas Prado Melo
 Sent: Friday, January 11, 2008 8:50 PM
 To: Jim Lucas
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] PHP shell commands
 
 On Jan 11, 2008 9:28 PM, Jim Lucas [EMAIL PROTECTED] wrote:
 
  What feature would you think about adding to it?
 
 I think we should be able to set (editing httpd.conf in apache) which
 folders are visible to any php script (including shell commands
 written in it).
 So, we could use Directory tags and set different rules to different
 sets of files.
 What do you think about it?

I guess what you are looking for is mod_suphp. STFW or ask the list, someone
will give you good hints for sure (sorry, have little time right now).

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE:
bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com

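The two approaches traded in this exchange, side by side, as an added example that is not part of anyone's post. Lucas's idea of using Directory tags to limit which folders a script may see already exists in mod_php as the open_basedir directive; Rob's mod_suphp suggestion (and his note further up about needing a CGI build of PHP) runs each customer's scripts under that customer's own UID instead. Hostnames, paths, user and group names and the Apache 2.2 access-control syntax are assumptions for illustration.

```apache
# Added example, not from the thread. Hostnames, paths, user and group
# names are assumptions; Apache 2.2 access-control syntax.

# Customer A: mod_suphp. PHP is a CGI binary launched under the
# customer's own UID, so the kernel, not PHP, decides what it can read.
<VirtualHost *:80>
    ServerName customer-a.example
    DocumentRoot /home/custa/public_html

    <IfModule mod_php5.c>
        # Keep mod_php from also handling .php in this vhost
        php_admin_flag engine off
    </IfModule>

    suPHP_Engine on
    AddType application/x-httpd-php .php
    suPHP_AddHandler application/x-httpd-php
    # Only valid (and required) when suPHP is built in 'force' or
    # 'paranoid' setid mode; drop it for an 'owner' build, where the
    # script file's owner is used instead.
    suPHP_UserGroup custa custa
    # Directory holding this customer's php.ini, outside the web tree
    suPHP_ConfigPath /home/custa/etc

    <Directory /home/custa/public_html>
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Customer B: plain mod_php, still running as www-data. open_basedir is
# the per-Directory restriction asked for above; it is enforced inside
# PHP's own file functions only.
<VirtualHost *:80>
    ServerName customer-b.example
    DocumentRoot /home/custb/public_html

    <Directory /home/custb/public_html>
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
        # Colon-separated prefixes. Keep the trailing slash: "/home/custb"
        # would also match /home/custb2. /tmp/ is listed because
        # upload_tmp_dir and session.save_path must fall inside the list.
        php_admin_value open_basedir "/home/custb/:/tmp/:/usr/share/php/"
        # Not a substitute for a UID boundary: a child started with
        # exec()/system() runs as www-data with no open_basedir at all.
    </Directory>
</VirtualHost>
```

The difference that matters is what each one actually enforces. open_basedir is checked by PHP's file functions, so it stops a hostile script from calling file_get_contents() on another customer's config.php, but anything it spawns with exec(), system() or backticks is an ordinary www-data process that can read every file www-data can; disable_functions would close that hole, but PHP honours it only in php.ini, not in httpd.conf, so it applies to every site on the box at once. suPHP changes the UID the script runs as, so the kernel enforces the boundary on the script and on its children alike, at the cost of a CGI launch per request and the breakage Rob describes. It also only helps if each customer's config file is not world-readable (mode 400 or 600, owned by that customer), since a script running as another customer's UID reads a 644 file just as www-data would.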



[PHP] PHP shell commands

2008-01-10 Thread Lucas Prado Melo
Hello,
Some php applications store database passwords into files which can be
read by the user www-data.
So, a malicious user who can write php scripts could read those passwords.
What should I do to prevent users from viewing those passwords?

regards




Re: [PHP] PHP shell commands

2008-01-10 Thread Chris

Lucas Prado Melo wrote:

Hello,
Some php applications store database passwords into files which can be
read by the user www-data.
So, a malicious user who can write php scripts could read those passwords.
What should I do to prevent users from viewing those passwords?


Not too much really.

The webserver needs to be able to read a config file.

You could obfuscate the fields/entries or encrypt them somehow, but it 
needs to be a two-way encryption (ie you're going to need to undo the 
encryption to be able to use the password).


--
Postgresql  php tutorials
http://www.designmagick.com/
