Closed Thread Icon

Topic awaiting preservation: Security Pages that link to <a href="https://ozoneasylum.com/backlink?for=12843" title="Pages that link to Topic awaiting preservation: Security" rel="nofollow" >Topic awaiting preservation: Security\

 
Author Thread
Moon Shadow
Paranoid (IV) Inmate

From: Rouen, France
Insane since: Jan 2003

posted posted 08-02-2003 16:43

Ok, I'm back from my hollidays. The break was nice, thanks, but now I'm back on the rails

I already have a question for PHP pros around here.

After reading a paper in The Hackademy (a French magazine about computer security) that evocated PHP holes, I wondered if my website was secure... And it appeared that it was absolutely not secure, I hacked it in 5 minutes. And *hum*, I don't want anybody to retrive my user/pass so easily and play with my account or deface my website.

I will tell you the hole in my website, and I hope nobody here here will use this for 'bad things'.

After examinating the index page, anybody can see that I include two PHP pages, one being my shoutbox. The Shoutbox need a mysql account, which is allowed on Free (my free host). I have to connect to the Free SQL server, log in and use my password to access the database. To achieve this, the Shoutbox includes a PHP config page, which contains my login and pass for this Free account. It means that if one follows the links on my website, one can find this PHP page with my settings and deface my website (for example).

I want to make it more secure. I'm not comfortable enough with PHP for now to know what to do exactly, if it is possible to "hide" those vars or anything else...

Ideas ?

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted posted 08-02-2003 16:52

MS: For starters see:

:FAQ: What are the security problems with using PHP and how can I fix them?

Unless you are echoing out the username and password I can't quite see how people would have access to it but there are other inmates here who have better ideas about PHP security.

___________________
Emps

FAQs: Emperor

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted posted 08-02-2003 17:52

if your files are called .php, the websever should not deliver them without processing the code within... which should prevent any one from viewing your username and password.
Also, apache webservers usually don't deliver files that start with '.ht' ... so you put the database connection details into that.

Now, explain to me how 'anyone can see' that you inclute two php pages?

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted posted 08-03-2003 06:15

Yeah...they shouldn't be able to see any of your includes...once the page is parsed, every piece of PHP code is removed from it and replaced with the HTML that will do the final output of the script.

So no-one should be able to see that you have two pages included, or what those includes are, or where they're being called from, or anything of the PHP-persuasion.

Moon Shadow
Paranoid (IV) Inmate

From: Rouen, France
Insane since: Jan 2003

posted posted 08-03-2003 14:24

Hmm ok after reading those papers I learnt more about PHP attacks, and now after reconsidering my post I must say I wasn't indeed very clear.

*Note to self : read papers and then ask other people you stupid moron*

Most of those papers are really useful for preventing hackers to exploit holes in PHP codes, for example adding unwanted commands to the url. Well I checked my website in this way and it appeared to be well protected, I didn't see any stupid mistake (though I'm not good enough at PHP to be sure at 100% it is secure).

I have a friend who used PHP on his website, he is really good at PHP and didn't leave holes in his code. He is in hollidays now, but take a look at his site now. And a quick search showed this hacker is continuously hacking websites hosted on Free (like mine). I believe the only way he could hack his site was to download his PHP pages with an appropriated software (no names), find a call to the mysql database and get the password. I did this on my website in order to test its security, and well I grabbed the config file with my login and password to this Free account in 5 minutes.

So, I think anyone that would do this to get my index page would see the includes I put, opening my shoutbox. Following the link he/she would download the Shoutbox page and see the require to the config file, download it as well and get something like :

<?php

$dbhost = 'host';
$dbuser = 'user';
$dbpass = 'pass';
$dbname = 'name';

?>

Which I don't want to happen.

So, back to my point, I wanted to know if there was a way to "hide" those vars elsewhere, or make them not visible, or at least make them harder to acess. Do you think it can be done ? Thanks for your time.

Edit : Tyberius Prime your answer is interesting but I don't know anything about such .ht files. Could you explain it a bit more ?

[This message has been edited by Moon Shadow (edited 08-03-2003).]

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted posted 08-03-2003 18:36

a) would you care to name the 'appropriate software'? If he had ftp access to your site, all had been lost already. Apart from that, I've got no clue what you're talking about.

b) basically, by default apache is configured to not deliver any file that starts with '.ht'... like .htaccess, for example. But you'll have to try on your hos.t

Moon Shadow
Paranoid (IV) Inmate

From: Rouen, France
Insane since: Jan 2003

posted posted 08-03-2003 20:45

I was talking of softwares used to download entire websites (there are plenty of them) which allow to see the source code, such as MemoWeb.

I feel a bit stupid not even being able to explain my problem properly... Anyway, I've taken a quick look at .htaccess files, and it seems I can use it for my needs. I'll see what I can do with it.

Thanks for the help

« BackwardsOnwards »

Show Forum Drop Down Menu