Re: MYSQL and PHP

["Gerald Quakenbush" <geraldq () mastermindsecuritygroup com>]

John -

This is common practice in PHP - it isn't the best way to do things, but it is
common.

If you can't get application changes made to better protect the authentication
information, at least make sure the include files aren't readable by the
world. It is common for developers to use some alternate file extension, such
as INC, and then forget to map it to php in the Apache config file - thus, an
attacker can often read the file by simply requesting it. The only "defense"
is the obscurity of the filename. A simply script can make repeated requests
with variations on the filename. (ie, in your browser, try
http://<site>/<filename.inc> and see if it dump the source to the browser.)

In the httpd.conf - make sure you have a line like:

AddType application/x-httpd-php  .inc

This will cause apache to run the .inc file through the PHP interpreter rather
than returning the text back to the browser.

Another method I strongly encourage is to use the excellent mod_security
package (http://www.modsecurity.org) and use it's filtering engine to block
requests for such files - after all, since they are only includes, they should
never be requested directly.

Of course, one should also get the code updated and have it read and encrypted
file and decrypt the credentials.


Gerald Quakenbush
Author of 'Web Hacker Boot Camp'
http://www.quakenbush.com



John Madden (chiwawa999 () yahoo com) wrote:
> Hi,
>
> First off i'm not a PHP programmer but I would like to
> know the following:
>
> Is it standard to use INC files to store MYSQL db
> connections settings (username and password)?
>
> What else could you do to make this "safer" ?
>
> I presume Apache looks for files with extention
> "*.INC" and does not processes them, right ?
>
> Thanks you
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> Watchfire named worldwide market share leader in web application security
> assessment by leading market research firm. Watchfire's AppScan is the
> industry's first and leading web application security testing suite, and
> the only solution to provide comprehensive remediation tasks at every
> level of the application. See for yourself.
> Download a Free Trial of AppScan 6.0 today!
>
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
> --------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------