RE: [PHP] Security problem?

2002-06-26 Thread John Holmes

> On Tuesday, June 25, 2002, at 08:26 PM, Analysis & Solutions wrote:
>
> > I usually run PHP as CGI.  My secure files are kept in a directory
> > that's not under the */docroot.  Thus, they can't be gotten to through
> > the web server at all.  Plus, the secure files are chmoded 600 (which
> > means they can be read/written only by the owner).  Thereby, the only
> > user on the server who can read them is me.
>
> Tradeoff, huh?  If I understand it correctly, you can't keep the files
> outside the docroot if you're using mod_php b/c the web server itself is
> what fetches the file (therefore it needs to be in the docroot).  But
> mod_php is faster than CGI PHP and can handle more simultaneous
> requests.  Right?

Yes, you can. Apache can read any file it has access to.

include('/home/user/includes/myfile.php');

works just as well as

include('/home/user/www/includes/myfile.php');

where /home/user/www is your web root.

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Security problem?

2002-06-26 Thread Erik Price


On Tuesday, June 25, 2002, at 08:26  PM, Analysis & Solutions wrote:

> I usually run PHP as CGI.  My secure files are kept in a directory
> that's not under the */docroot.  Thus, they can't be gotten to through
> the web server at all.  Plus, the secure files are chmoded 600 (which
> means they can be read/written only by the owner).  Thereby, the only
> user on the server who can read them is me.

Tradeoff, huh?  If I understand it correctly, you can't keep the files 
outside the docroot if you're using mod_php b/c the web server itself is 
what fetches the file (therefore it needs to be in the docroot).  But 
mod_php is faster than CGI PHP and can handle more simultaneous 
requests.  Right?


Erik





Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] Security problem?

2002-06-25 Thread 1LT John W. Holmes

> On Tuesday, June 25, 2002, at 03:46  PM, Peter wrote:
>
> > When you have the standard
> >
> > $link = mysql_connect("localhost","username","secretpassword");
> >
> > Would it not be possible for someone to use PHP from another server to
> > download your source and find out your MySQL details including password?
>
> Yes.  If they have access to the source, they can see these values.  If
> they don't have some way of seeing those files, though, they won't be
> able to do it.
>
> For this reason it is a good idea to make sure that no one except you
> and the user that the webserver runs as can read your files.  For
> instance, all my files are actually readable to all (their mode is 644),
> except for one.  This one file is readable only to me and members the
> "apache" group, and it contains all of the database connection
> parameters.  Of course, the only member of the "apache" group is the
> "apache" user that the web server runs as, so no one else will be
> reading this file.

And make sure PHP is in safe mode. Otherwise, on a virtual server, with many
users, I can write a php script that does this:

$fp = fopen("/path/to/your/htdocs/html/config.inc","r");

And read through your file. Since my script is running as apache, and apache
has access to your file, it'll work. That's why you run in safe mode, as I
understand it, at least.

If you run a dedicated server, then you're fine, you just have to keep
people from getting into your machine.

> Also I have a directive that prevents Apache from serving any file with
> ".inc" suffix, and this file does, so Apache (hopefully) won't serve
> this data to the world via port 80.

Or just name it with a php extension. Then the user won't receive anything,
either. I always name mine file.inc.php or something similar. Whatever you
do, make sure the source isn't sent by apache to the browser.

---John Holmes...






Re: [PHP] Security problem?

2002-06-25 Thread Erik Price


On Tuesday, June 25, 2002, at 03:46  PM, Peter wrote:

> When you have the standard
>
> $link = mysql_connect("localhost","username","secretpassword");
>
> Would it not be possible for someone to use PHP from another server to
> download your source and find out your MySQL details including password?

Yes.  If they have access to the source, they can see these values.  If 
they don't have some way of seeing those files, though, they won't be 
able to do it.

For this reason it is a good idea to make sure that no one except you
and the user that the webserver runs as can read your files.  For
instance, all my files are actually readable to all (their mode is 644),
except for one.  This one file is readable only to me and members of the
"apache" group, and it contains all of the database connection
parameters.  Of course, the only member of the "apache" group is the
"apache" user that the web server runs as, so no one else will be
reading this file.

It's a luxury of having root access on my server, since this is pretty 
difficult to do without a root user (catch 22 -- how do you change the 
file to the "apache" group unless you are a member of the "apache" 
group, but if you are a member of the "apache" group then you can see 
all of the "protected" files in that group).

Also I have a directive that prevents Apache from serving any file with 
".inc" suffix, and this file does, so Apache (hopefully) won't serve 
this data to the world via port 80.



Erik





Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
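As an added example that is not part of any message in this thread: a small POSIX shell audit of the two properties the posts above recommend for a credentials file, that it sits outside the web root (John's include-from-anywhere point) and that it carries no read bit for "other" (Erik's 644-except-one scheme). Every path it is run on is supplied by the caller; the comments use constructed paths, not real server paths.

```shell
#!/bin/sh
# Audit a PHP credentials file against the advice in this thread.
# Example (constructed) call:
#   check_secret_file /home/user/private/config.inc.php /home/user/www

# Returns 0 if FILE is not located under DOCROOT, 1 otherwise.
outside_docroot() {
    file=$1
    docroot=${2%/}          # strip one trailing slash so "www/" == "www"
    case "$file" in
        "$docroot"/*) return 1 ;;   # quoted var is literal, /* is a glob
        *)            return 0 ;;
    esac
}

# Returns 0 if FILE has no read bit for "other", 1 otherwise.
# ls -ld is used because stat(1) flags differ between GNU and BSD.
not_world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. "-rw-r-----"
    case "$mode" in
        ???????r??) return 1 ;;        # 8th column is the other-read bit
        *)          return 0 ;;
    esac
}

# Runs both checks, reports each failure on stderr, returns 0 only if both pass.
check_secret_file() {
    file=$1
    docroot=$2
    status=0
    if ! outside_docroot "$file" "$docroot"; then
        echo "FAIL: $file is under the web root $docroot" >&2
        status=1
    fi
    if ! not_world_readable "$file"; then
        echo "FAIL: $file is readable by everyone on the host" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $file"
    return "$status"
}
```

The second check catches the shared-host case from the thread only partially: a file that is group-readable by the web server's group is still readable by any script the server runs, so on a shared box the group check belongs with safe mode or per-user PHP processes, not with this script alone.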






Re: [PHP] Security problem?

2002-06-25 Thread Tyler Longren

No.  The only way they can get your source is by ftping or having shell
access to your server.  And even then, they'd have to have read perms on
your web folder/files.  If you were to have a lot of unknown people
jacking around on your server, you have a lot of other stuff to worry
about than who's gonna steal your mysql username/password.

They can't just say:
Download http://yoursite.com/file_with_good_info.php

and get the php-source, all they'd get is the HTML source.

-- 
Tyler Longren
Captain Jack Communications
[EMAIL PROTECTED]
www.captainjack.com



On Tue, 25 Jun 2002 20:46:04 +0100
"Peter" <[EMAIL PROTECTED]> wrote:

> When you have the standard
> 
> $link = mysql_connect("localhost","username","secretpassword");
> 
> Would it not be possible for someone to use PHP from another server to
> download your source and find out your MySQL details including
> password?
> 
> 
> 
> 





Re: [PHP] Security problem, need help

2002-05-24 Thread Thalis A. Kalfigopoulos

Read 'Secure Programming in PHP':
http://www.zend.com/zend/art/art-oertli.php

cheers,
thalis


On Fri, 24 May 2002, Hawk wrote:

> I was checking around on a page I made, and I just noticed the lack of
> security, it is rather easy to gain admin status if you enter the right
> ?blabal=blablabla after the url, I need some help to make this secure, I
> tried with adding a name check too, but that didn't work since the
> ?user=blabla can be altered too.. help! :P
>
> Håkan

