Security question / discussion concerning database access

Post by b0n3m4n »

Just a short question concerning the CMSMS database access code:

I haven't seen a special user for the database access in MySQL. Can I assume that all access runs without password via anonymous@localhost, or is it managed differently?

I am not very well-versed in online security but it just crossed my mind whether it would be possible for an attacker to directly access the database. Since CMSMS accesses the database (apparently without password protection), how do you prevent a direct database access?

My guess is that the "localhost" domain cannot be spoofed so we are safe, correct? Or did I make a fundamental error somewhere?

Cerno
RonnyK
Support Guru
Posts: 4962
Joined: Wed Oct 25, 2006 8:29 pm

Re: Security question / discussion concerning database access

Post by RonnyK »

Cerno,

There is a specific user that accesses the db, as the user and password have to be filled in during installation to connect to the DB. The settings are stored in the config.php, where the db-name, db-user and db-password are stored and used for connection.

At least that's my understanding of the logic, I'm not a db-man (Not SQL anyway!)

Ronny
b0n3m4n

Re: Security question / discussion concerning database access

Post by b0n3m4n »

Right, I forgot about that!

So once I change the corresponding SQL-User's password, CMSMS won't be able to connect anymore.

And I assume storing the password in a PHP file is safe, since only the server can read it and creates the HTML content from it, so I only need to worry about not inadvertently publishing that password in the HTML output, but that would take some stupidity, right?
skypanther

Re: Security question / discussion concerning database access

Post by skypanther »

Yes, you're right. The config file defines the password as a variable. You'd have to add code to output that variable to the page in order for it to leave the server's memory. The only other risk is that somehow someone gets your web server to send the php file without interpreting it.

I suppose this could happen if:

- PHP is removed from your server and mime types are changed so that php files are served as text.
- You or someone creates a file (php, asp, coldfusion, etc.) that reads your config file and outputs it on a web page as text.
- CMSMS has a security hole that lets malicious users execute arbitrary code, which they exploit to output your config file's contents.

The first is not very likely. The second could happen if you let users upload files. Conceivably it could happen in a shared hosting environment that is poorly secured, in which case someone could upload a programming file to their web space and read files in your web space. It would take work, inside knowledge, and like I said, a poorly set up and secured server.

The last possibility is actually the most likely. There's little we as users can do about it other than watch for and immediately apply security patches. Keep an eye on that Announcements forum!

Tim
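An added example, not part of the thread or of CMSMS itself: a small Python check for two of the exposure paths listed in the post above (config.php served without being interpreted, and config.php readable by other accounts on a shared host), plus the empty-password case from the original question. The `$config['db_password']` key name, the helper names and the sample file contents are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed config line format: $config['db_password'] = 'secret';
DB_PASSWORD_RE = re.compile(
    r"""\$config\[\s*['"]db_password['"]\s*\]\s*=\s*(['"])(.*?)\1\s*;"""
)

def audit_config_file(path):
    """Return a list of findings about how config.php is stored on disk."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        # Any local account (e.g. another shared-hosting customer) can read it.
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-others")
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = DB_PASSWORD_RE.search(fh.read())
    if match and match.group(2) == "":
        findings.append("empty-db-password")
    return findings

def response_leaks_source(body):
    """True if the HTTP response body for config.php contains raw PHP source,
    i.e. the web server sent the file instead of interpreting it."""
    return "<?php" in body or bool(DB_PASSWORD_RE.search(body))

def make_sample(contents, mode):
    """Write a constructed sample config to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".php")
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed sample, not a real CMSMS config file.
    sample = "<?php\n$config['db_username'] = 'cms';\n$config['db_password'] = '';\n"
    path = make_sample(sample, 0o644)
    print(audit_config_file(path))
    print(response_leaks_source(sample))
    print(response_leaks_source(""))
    os.remove(path)
```

To use `response_leaks_source` against a live site, pass it the body returned when you request your own config.php over HTTP; a correctly interpreted config file normally returns an empty page.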
b0n3m4n

Re: Security question / discussion concerning database access

Post by b0n3m4n »

Ah, thanks for all that information.

Just one question out of curiosity: If I had a mysql account anonymous@localhost without password, are there known attacks that can pretend they access from localhost, i.e. by mimicking the server's IP address or something?
skypanther

Re: Security question / discussion concerning database access

Post by skypanther »

I don't know for sure. I suppose it's possible. As far as I know, the php code would have to be running on the same computer as the mysql server. So, it's probably not a concern. But, it would be far better to have a password-protected system (and set a password for the default "root" user).

Tim