Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

php security hole? 2

Status
Not open for further replies.
Guest_imported

Guest_imported

New member
Jan 1, 1970
0
Look, when we want to connect to a SQL server, we store
the username and password in that php file at the location
/home/yourusername/That php file is readable to all. But Apache will not parse it b4 sending to the visitor. So it is secure in this sense. But think about it!, if another user in that computer just type:
more /home/yourusername/he can view your password!
 
That is one of the biggest problems with a default install of PHP at an ISP, especially for sysadmins who don't read the manual :-(. It is not a PHP security hole at all, though, because the PHP developers long ago devised a way to deal with this. This problem can be easily fixed, if the ISP takes just a few changes to the php.ini configuration, for example:

safe_mode = On
doc_root = /usr/local/apache/htdocs
user_dir = public_html

(Assuming PHP is running as an Apache module) this would prevent scripts running in a user's directory from opening files outside of that user's directory, and it would prevent all PHP scripts in general from opening files in other locations on the server. In this example, you would have the user's directory in the traditional Unix "/home/username/public_html" location and would just use Apache virtual hosting to resolve that to the domain name. There are more security steps that can be taken, if you look at the following:


I would recommend you ask your hosting company if they have taken this type of precaution, and if not, either demand it of them, or switch to an ISP that does.

Now the issue of users actually having shell access on the system and manually browsing other users' files should be dealt with using standard Unix user/group security measures. It should be no problem to allow a user's files to be read by Apache user "nobody", but not by other users in the system. Also, all of this will be less trouble once ACLs are standardized in Unix systems (FreeBSD version 5 will have Access Control Lists built in, and I believe there is work underway to do this in Linux also).
 
Status
Not open for further replies.

Similar threads

cdlvj
  • Question
PHP Debugging
Replies
0
Views
97
cdlvj
cdlvj
SashaBuilder3
  • Locked
  • Question
import CSV file into MySql table in PhpMyAdmin
Replies
0
Views
365
SashaBuilder3
SashaBuilder3
PeDa
  • Locked
  • Question
Unwanted spaces in php HTML mail 1
Replies
4
Views
305
PeDa
PeDa
Mandy_crw
  • Locked
  • Question
How to send sms in PHP using usb gsm modem?
Replies
1
Views
326
vishvajit
vishvajit
lflynnlrf
  • Locked
  • Question
wordpress/ shortcode/ PHP duplicating code
Replies
1
Views
157
spamjim
spamjim

Part and Inventory Search

Sponsor

Back
Top