WebApp Sec mailing list archives
Re: MYSQL and PHP
From: "Gerald Quakenbush" <geraldq () mastermindsecuritygroup com>
Date: Tue, 16 May 2006 09:09:59 -0400
John - This is common practice in PHP - it isn't the best way to do things, but it is common. If you can't get application changes made to better protect the authentication information, at least make sure the include files aren't readable by the world. It is common for developers to use some alternate file extension, such as INC, and then forget to map it to php in the Apache config file - thus, an attacker can often read the file by simply requesting it. The only "defense" is the obscurity of the filename. A simply script can make repeated requests with variations on the filename. (ie, in your browser, try http://<site>/<filename.inc> and see if it dump the source to the browser.) In the httpd.conf - make sure you have a line like: AddType application/x-httpd-php .inc This will cause apache to run the .inc file through the PHP interpreter rather than returning the text back to the browser. Another method I strongly encourage is to use the excellent mod_security package (http://www.modsecurity.org) and use it's filtering engine to block requests for such files - after all, since they are only includes, they should never be requested directly. Of course, one should also get the code updated and have it read and encrypted file and decrypt the credentials. Gerald Quakenbush Author of 'Web Hacker Boot Camp' http://www.quakenbush.com John Madden (chiwawa999 () yahoo com) wrote:
Hi, First off i'm not a PHP programmer but I would like to know the following: Is it standard to use INC files to store MYSQL db connections settings (username and password)? What else could you do to make this "safer" ? I presume Apache looks for files with extention "*.INC" and does not processes them, right ? Thanks you __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
Current thread:
- MYSQL and PHP John Madden (May 15)
- Re: MYSQL and PHP Mark Sanders (May 16)
- Re: MYSQL and PHP Robin Wood (May 16)
- Re: MYSQL and PHP Todd Hendricks (May 16)
- Re: MYSQL and PHP Gerald Quakenbush (May 16)
- Re: MYSQL and PHP Robin Wood (May 16)
- Re: MYSQL and PHP Gerald Quakenbush (May 16)
- Re: MYSQL and PHP bugtraq (May 16)
- Re: MYSQL and PHP Reid Nichol (May 17)
- Re: MYSQL and PHP Robin Wood (May 16)
- Re: MYSQL and PHP r0xes (May 16)
- Re: MYSQL and PHP Kevin Johnson (May 16)
- Re: MYSQL and PHP Jason Ross (May 16)
- Re: MYSQL and PHP Klientų aptarnavimas (May 16)
- Re: MYSQL and PHP Kirk . Johnson (May 16)
- Re: MYSQL and PHP Ed J. Aivazian (May 17)
(Thread continues...)