
Important security problem for PHP output


Germaris

Programmer
Jun 18, 2004
15
CA
I use a Flash File in connection with a MySQL DB via various PHP Scripts.
Everything runs fine.
My Scripts have an 'include' Function which use a PHP containing the Login Parameters to have access to the DB.

Safari (MacOS X) has an "Activity" window in which all the PHP paths are displayed in full!!!

So, what's the problem?
If you enter one of those links in your browser you simply get all the results of the search made by the script, because the path is not hidden as it was when called from the Flash file as the source of the query.

This is for me a very big problem of security and confidentiality.

The solution would be for PHP to encrypt the results, then send them to the Flash file and have the results decrypted inside the Flash file before they are displayed.

Is there someone who could help me to solve this problem?
Many thanks in advance for any answer.

Contact: gm[at]germaris.com
My motto: "Simple is Best"
 
You should keep the include files outside your DOCUMENT ROOT for the web server. That way they cannot be included via HTTP, only on the file system level. No encryption is needed.

Obscurity is not security. You can't depend on the fact that something is not exposed. Put it somewhere where it is not Web accessible. It's pretty simple.
 
I want to thank you both for your answers.

Of course, a newbie like me is experiencing difficulties setting up the solution DRJ478 proposed.

Let me explain.

The path of my .swf is (fake sample paths):

Until now, I have had all my PHPs (and the include file TOO) located in the same place, i.e. for example:
(which looks in key.php for $host=localhost, $user=XXXXX, $pass=YYYYY, and $db= database_name)
and so on for all the other PHPs.

I have a 'cgi-bin' folder located at: /usr/local/psa/home/vhosts/mydomain.com/cgi-bin

I wish to use this 'cgi-bin' folder, which is not accessible to everyone, but guess what? When I call from the .swf a PHP located in this folder, for example /usr/local/psa/home/vhosts/mydomain.com/cgi-bin/search.php, I get an error message: "Unable to execute /usr/local/psa/home/vhosts/mydomain.com/cgi-bin/search.php: Permission denied." despite the fact that 'key.php' is also located in this folder...

I really don't know how to make this work.
Any idea?

Thanks again for the time spent in helping me! :)

 
The SWF file runs on the client, right?

Only PHP - which runs on the server - should be able to include the file with the db connection information.

I recommend:
a) create something like
/usr/local/psa/home/includes/
and stick the db connection parameters in there

b) have your PHP files include the connection params:
require('/usr/local/psa/home/includes/dbconnect.php');

You have to make sure that the user under which the web server runs has read access to /usr/local/psa/home/includes/.

Ok?
 
The SWF file runs on the client, right? OF COURSE!

Only PHP - which runs on the server - should be able to include the file with the db connection information. OF COURSE TOO!

And it is exactly what I've done.
Maybe I haven't described the structure very well.
Excuse me, but I am French and maybe that's the problem... :)

What do you mean by "...user under which the web server runs has read access to ..."?

I am the administrator and I have full access to the 'include' folder (instead of it, I actually use the existing 'cgi-bin' folder to put my PHPs in, because my hosting provider doesn't allow me to create any folder above the httpdocs level).

If, when you write 'the user', you mean 'the client', he/she hasn't read access to the 'include' folder as, by definition, this folder cannot be read from an HTML page...

Sorry to bother you so much. I think I'm a true pain in the........ !!!


 
No.
The web server (e.g. Apache) is started running as a user (e.g. nobody). It runs with the privileges of that 'user'. User here is the system user on the server.
In order to include the files from the cgi-bin folder, the permissions there must be set so that the web server user can read the file. This can be done by making the file readable by all, or by assigning a group that the web server user belongs to, or last (and not advisable) by changing the ownership of the file to the web server user.

I'd protect the cgi-bin folder against web access via a .htaccess file (deny from all). Then only file system access is possible. In that scenario changing the permissions (e.g. UNIX type systems: chmod a+r *.php) will allow any user (system user that is) to read the files.

Do you understand?
 
Yes, a little.

In my 'cgi-bin' folder (permissions: drwxr-xr-x), I have an .htaccess file (permissions: -rwxr-xr-x) whose content is: Deny from all.
In this 'cgi-bin' folder I uploaded all my PHP scripts and particularly the 'include' PHP file which contains the four required parameters ($host, $user, $pass, and $db) in order to allow the other PHP scripts to use the MySQL DB.

I think that the set up is OK, right?

So, I don't understand why requests sent from the .swf to these PHPs fail...

PS: You're very very patient with the old man! Thanks.

 
The files that include the 'hidden' include data need to be in a different folder than cgi-bin.

Here's a map:
Code:
/cgi-bin/mysql.inc.php [non public, no HTTP access]
/app/search.php

search.php looks like this:
<?php
require('../cgi-bin/mysql.inc.php');
# etc.

Now, if your Web server is set up correctly then everything that ends in .php should be parsed. I would not just rely on that - that's why the 'deny from all' .htaccess is put into the cgi-bin.
Since 'deny from all' cuts out all HTTP access to that folder, the PHP that is called from the swf needs to be somewhere else.

Do you get any error messages now?
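The layout the two answers recommend (credentials in a folder outside the document root, the SWF-facing script under it, cgi-bin denied over HTTP, files readable by the web server's system user), built and checked as an added example; this is not code from the thread, it uses a temporary directory and placeholder credentials rather than the poster's real host:

```shell
#!/bin/sh
# Added example: build the layout described in the answers and verify it.
# All paths are constructed under a temp dir; credentials are placeholders.
set -eu

ROOT="$(mktemp -d)"
trap 'rm -rf "$ROOT"' EXIT
DOCROOT="$ROOT/httpdocs"      # what the web server serves
INCDIR="$ROOT/includes"       # outside DOCUMENT_ROOT: unreachable over HTTP
CGIBIN="$DOCROOT/cgi-bin"

mkdir -p "$DOCROOT/app" "$INCDIR" "$CGIBIN"

# connection parameters live outside the docroot (placeholder values)
cat > "$INCDIR/dbconnect.php" <<'EOF'
<?php
$host = 'localhost';
$user = 'PLACEHOLDER_USER';
$pass = 'PLACEHOLDER_PASS';
$db   = 'database_name';
EOF

# the script the SWF calls stays under the docroot and requires the
# include by absolute path, as the answer's require(...) line does
cat > "$DOCROOT/app/search.php" <<EOF
<?php
require('$INCDIR/dbconnect.php');
# ... run the query and echo the results for the SWF ...
EOF

# cgi-bin additionally denied over HTTP (Apache 2.2 syntax from the
# thread; Apache 2.4 spells this "Require all denied")
printf 'Deny from all\n' > "$CGIBIN/.htaccess"

# directories traversable and files world-readable, so the web server's
# system user (e.g. nobody) can read them: the effect of "chmod a+r *.php"
chmod 755 "$INCDIR" "$DOCROOT/app"
chmod 644 "$INCDIR/dbconnect.php" "$DOCROOT/app/search.php"

# is_outside_docroot PATH DOCROOT: succeeds when PATH is not under DOCROOT
is_outside_docroot() {
  case "$1" in
    "$2"/*) return 1 ;;
    *)      return 0 ;;
  esac
}

# readable_by_others FILE: succeeds when the "other" read bit (o+r) is set,
# which is what a non-owner web server user needs
readable_by_others() {
  [ -n "$(find "$1" -maxdepth 0 -perm -004 -print)" ]
}
```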
 