config.php security?
giggler
Forum Members
Posts: 197
Joined: Tue Oct 09, 2007 7:08 am

config.php security?

Post by giggler »

Not sure if this is considered a security issue. I actually tried installing the site for a client and realized they didn't have php enabled. In the meantime, the site basically provides all the code AND the database username and password.

It's all fine now that php is enabled for them, BUT my concern is, let's say php is down for some reason... will people just be able to see your database info? I've read the same thing somewhere else (I think for some ecommerce CMS), and they recommended putting an include in config.php to the actual file with the database info. Will this actually work?
alby

Re: config.php security?

Post by alby »

giggler wrote: Not sure if this is considered a security issue. I actually tried installing the site for a client and realized they didn't have php enabled. In the meantime, the site basically provides all the code AND the database username and password.

It's all fine now that php is enabled for them, BUT my concern is, let's say php is down for some reason... will people just be able to see your database info? I've read the same thing somewhere else (I think for some ecommerce CMS), and they recommended putting an include in config.php to the actual file with the database info. Will this actually work?
If I read config.php then I read the include file also  :)

OK, to be safe you must put the include file OUTSIDE the web tree. On one site that I did not control I have this situation.

Alby
giggler

Re: config.php security?

Post by giggler »

By outside the web tree - do you mean outside the root and maybe in an include folder?
alby

Re: config.php security?

Post by alby »

giggler wrote: By outside the web tree - do you mean outside the root and maybe in an include folder?
outside the root of the WEB SERVER for this domain (normally it's the $config['root_path'] of your config.php if you don't install CMSMS in a sub-folder)
In this way you cannot call it with a browser

Alby
giggler

Re: config.php security?

Post by giggler »

So if this is the path, then do you put some include in config.php to include another file anthing.php (with the db info and config) and put it in, say, /home/web/path/?

$config['root_path'] = '/home/web/path/sitname/';

If this is not correct, do you have an example?
alby

Re: config.php security?

Post by alby »

giggler wrote: So if this is the path, then do you put some include in config.php to include another file anthing.php (with the db info and config) and put it in, say, /home/web/path/?

$config['root_path'] = '/home/web/path/sitname/';

If this is not correct, do you have an example?
Yes, if '/home/web/path/sitname/' is the root for your WEBSERVER domain (www.sitname.com/),
in your example you can:
- create a folder include in /home/web/path/include and put anthing.php there with the MySQL data only (copied from config.php)
- in your config.php add this row (where you want, but after the MySQL data; leave them but change the values):
require_once '/home/web/path/include/anthing.php';

Alby
giggler

Re: config.php security?

Post by giggler »

I have a site being tested in a subdirectory and this doesn't seem to work. I had to put it in cgi-bin since I couldn't create a new folder in that directory. The cgi-bin has permissions set to 750.

I put the following in a file called db.php

<?php
// database settings moved out of config.php
$config['dbms'] = 'mysql';
$config['db_hostname'] = 'localhost';
$config['db_username'] = 'username';
$config['db_password'] = 'pw';
$config['db_name'] = 'dbname';

I have this in config.php
require_once '/var/www/site.com/cgi-bin/db.php';

Is this not working because it's in a subdirectory or because of the cgi-bin folder permission?
nivekiam

Re: config.php security?

Post by nivekiam »

Try this syntax (notice the parentheses)

require_once('/path/to/file/db.php');

As long as the webserver can read that file it shouldn't matter where it's at.
giggler

Re: config.php security?

Post by giggler »

That was the same result...

I even tried creating a folder with permissions of 777 and it just gives a blank page. Oh well...
nivekiam

Re: config.php security?

Post by nivekiam »

I think, I'm not sure, that there is a setting in php.ini that can control this. I would take a look at your phpinfo and search for settings that have root, path, or include. Maybe it's at the Apache, httpd.conf level, though, too. Maybe you could do a test just to see if php/Apache could write to a directory outside the webroot.

Every host I've used, I've been able to do this, so it's got to be a setting at the server level.

[EDIT]
Maybe it's open_basedir.  I know I've seen something like this somewhere else before.  I would also make sure you don't have safe_mode on.
Last edited by nivekiam on Thu Jan 17, 2008 5:46 am, edited 1 time in total.
alby

Re: config.php security?

Post by alby »

giggler wrote: I have a site being tested in a subdirectory and this doesn't seem to work. I had to put it in cgi-bin since I couldn't create a new folder in that directory. The cgi-bin has permissions set to 750.

I put the following in a file called db.php

<?php
// database settings moved out of config.php
$config['dbms'] = 'mysql';
$config['db_hostname'] = 'localhost';
$config['db_username'] = 'username';
$config['db_password'] = 'pw';
$config['db_name'] = 'dbname';

I have this in config.php
require_once '/var/www/site.com/cgi-bin/db.php';

Is this not working because it's in a subdirectory or because of the cgi-bin folder permission?
Two considerations on this:
- cgi-bin is a bad candidate because it's a special folder: the webserver reads it (you can call http://www.site.com/cgi-bin/), executes this directory (Apache has +ExecCGI for this), and it can be shared with other domains
- db.php is a bad name because I know it's simple, but it is for an attacker also; call it, for example, image_resize.php (security by obscurity is not absolute but ....)

General considerations:
- your account FTP/SSH/SFTP/WEBDAV/SMB/NFS/..... should enable you to:
- create a directory (and thus permit you to write a file in it) outside the webserver root (www, htdocs, httpdocs, ...)
- give permissions to the directory and files so that they are readable by php (I say php because there is the possibility that you have php-cgi and not a module for apache)
- nivekiam is right to say that if you have open_basedir then you have many problems with this

If you cannot, then create a subfolder of cmsms but call it with a strange name (captcha-class for example)

Alby
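The pattern alby describes, as an added example (not CMSMS code and not from any poster): a config.php fragment that loads the database settings from a file outside the web root and, before the require_once, checks the three things that make such an include fail silently on shared hosting (open_basedir, unreadable file, missing opening tag) and that it really is outside the document root. The path, function name and error handling are assumptions for illustration.

```php
<?php
// Added example (not CMSMS code): load DB credentials from outside the web root,
// reporting the usual causes of a blank page instead of failing silently.
$dbSettingsFile = '/home/web/path/include/anthing.php';   // assumed path

function preflight_include(string $file): ?string
{
    // 1. open_basedir: when set, the file must lie under one of its entries,
    //    otherwise PHP refuses to open it at all.
    $basedir = ini_get('open_basedir');
    if ($basedir !== '' && $basedir !== false) {
        $allowed = false;
        foreach (explode(PATH_SEPARATOR, $basedir) as $prefix) {
            $prefix = rtrim($prefix, '/') . '/';
            if (strncmp($file, $prefix, strlen($prefix)) === 0) {
                $allowed = true;
                break;
            }
        }
        if (!$allowed) {
            return "$file is outside open_basedir ($basedir)";
        }
    }
    // 2. The PHP process (module or php-cgi user) must be able to read it:
    //    execute bit on every parent directory, read bit on the file.
    if (!is_readable($file)) {
        return "$file is not readable by the PHP process";
    }
    // 3. It must really be outside the document root, or a PHP outage exposes it.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    $real = realpath($file);
    if ($docroot !== false && $real !== false
        && strncmp($real, $docroot . '/', strlen($docroot) + 1) === 0) {
        return "$file is inside the document root ($docroot)";
    }
    // 4. Without an opening tag the credentials are echoed as text, not parsed.
    if (file_get_contents($file, false, null, 0, 5) !== '<?php') {
        return "$file does not start with an opening PHP tag";
    }
    return null;
}

if (($problem = preflight_include($dbSettingsFile)) !== null) {
    error_log('config.php: ' . $problem);           // details go to the server log only
    exit('Site configuration error; see the server error log.');
}
require_once $dbSettingsFile;   // defines $config['db_hostname'], $config['db_username'], ...
```

The diagnostic message is written to the error log rather than the page, so a misconfiguration never prints the path of the credentials file to visitors.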
giggler

Re: config.php security?

Post by giggler »

open_basedir has a path for the local value and "no value" for the master value

alby wrote: give permissions to the directory and files so that they are readable by php (I say php because there is the possibility that you have php-cgi and not a module for apache)
I believe it's a module... is this the same as just setting any other permission like 755 and such?

alby wrote: If you cannot, then create a subfolder of cmsms but call it with a strange name (captcha-class for example)
you mean just put the include there and hope that people don't snoop deeper since the name isn't "database"?
nivekiam

Re: config.php security?

Post by nivekiam »

giggler wrote: open_basedir has a path for the local value and "no value" for the master value
That's probably what's restricting you then.  http://www.php.net/features.safe-mode  Scroll down on that page; it describes the behavior of open_basedir (please don't be confused by that URL, open_basedir is not affected by whether safe_mode is on or not)
Pierre M.

Re: config.php security?

Post by Pierre M. »

Hello,
giggler wrote: Not sure if this is considered a security issue. I actually tried installing the site for a client and realized they didn't have php enabled. In the meantime, the site basically provides all the code AND the database username and password.
Yes, this poor hosting is a security issue. It doesn't match CMSms' requirements.
"Noone should build a house on sand"

Pierre M.
alby

Re: config.php security?

Post by alby »

giggler wrote: open_basedir has a path for the local value and "no value" for the master value
Put on your site a file test.php:

<?php
// try to clear open_basedir at runtime; phpinfo() shows whether it took effect
ini_set('open_basedir', NULL);
phpinfo();
?>

and check if the value changes; if yes, put an open_basedir row in config.php

giggler wrote:
alby wrote: give permissions to the directory and files so that they are readable by php (I say php because there is the possibility that you have php-cgi and not a module for apache)
I believe it's a module... is this the same as just setting any other permission like 755 and such?
In php-cgi (it's written in phpinfo()) there are many checks (for example the owner and execute bit of the php file)

giggler wrote:
alby wrote: If you cannot, then create a subfolder of cmsms but call it with a strange name (captcha-class for example)
you mean just put the include there and hope that people don't snoop deeper since the name isn't "database"?
It always wastes time, and for an attacker it is vital not to lose time.
An attacker can learn this by reading the config file (no robots.txt!). If that happens, the best practice is to change the name of the directory/file and the include row.

I think that it's MOST important to change the name of the admin directory.
I think that we can close the topic if it doesn't become paranoia.

Alby