Page 1 of 2
config.php security?
Posted: Wed Jan 16, 2008 3:13 pm
by giggler
Not sure if this is consider a security issue. I actually tried installing the site for a client and realized they didn't have php enabled. At the mean time, the site basically provides all the code AND the database username and password.
It's all fine now that php is enabled for them, BUT my concern is, let's say php is down for some reason...will people just be able to see your database info? I've read this somewhere else (I think for some ecommerce cms) the same thing and they recommended putting an include in config.php to the actual file with the database info. Will this actually work?
Re: config.php security?
Posted: Wed Jan 16, 2008 4:28 pm
by alby
giggler wrote:
Not sure if this is consider a security issue. I actually tried installing the site for a client and realized they didn't have php enabled. At the mean time, the site basically provides all the code AND the database username and password.
It's all fine now that php is enabled for them, BUT my concern is, let's say php is down for some reason...will people just be able to see your database info? I've read this somewhere else (I think for some ecommerce cms) the same thing and they recommended putting an include in config.php to the actual file with the database info. Will this actually work?
If I read config.php then I read include file also
ok, for safe you must put the include file OUTSIDE the web tree. In one site that I did not control I have this situation
Alby
Re: config.php security?
Posted: Wed Jan 16, 2008 4:40 pm
by giggler
By outside the webtree - Do you mean outside the root and maybe in a include folder?
Re: config.php security?
Posted: Wed Jan 16, 2008 5:24 pm
by alby
giggler wrote:
By outside the webtree - Do you mean outside the root and maybe in a include folder?
outside root of WEB SERVER for this domain (normaly it's the $config['root_path'] of your config.php if you don't install CMSMS in sub-foder)
In this way you cannot call it with a browser
Alby
Re: config.php security?
Posted: Wed Jan 16, 2008 8:29 pm
by giggler
So if this is the path, then do you put some include in config.php to include another file anthing.php (with the db info and config) and put it say in /home/web/path/?
Code: Select all
$config['root_path'] = '/home/web/path/sitname/';
If this is not correct, do you have an example?
Re: config.php security?
Posted: Wed Jan 16, 2008 8:48 pm
by alby
giggler wrote:
So if this is the path, then do you put some include in config.php to include another file anthing.php (with the db info and config) and put it say in /home/web/path/?
Code: Select all
$config['root_path'] = '/home/web/path/sitname/';
If this is not correct, do you have an example?
Yes if '/home/web/path/sitname/' is root for your WEBSERVER domain (
www.sitname.com/),
in your example you can:
- create a folder include in /home/web/path/include and put anthing.php with code data of mysql only (copy from config.php)
- in your config.php add this row (
where you want but after) mysql data (let them but change value data):
require_once '/home/web/path/include/anthing.php';
Alby
Re: config.php security?
Posted: Thu Jan 17, 2008 12:59 am
by giggler
I have a site being test in a subdirectory and this doesn't seem to work. I had to put it in cgi-bin since I couldn't create a new folder in that directed. The cgi-bin has permission set as 750.
I put the following in a file called db.php
Code: Select all
$config['dbms'] = 'mysql';
$config['db_hostname'] = 'localhost';
$config['db_username'] = 'username';
$config['db_password'] = 'pw';
$config['db_name'] = 'dbname';
I have this in config.php
require_once '/var/www/site.com/cgi-bin/db.php';
Is this not working because it's in a subdirectory or because of the cgi-bin folder permission?
Re: config.php security?
Posted: Thu Jan 17, 2008 1:38 am
by nivekiam
Try this syntax (notice the parathesis)
require_once('/path/to/file/db.php');
As long as the webserver can read that file it shouldn't matter where it's at.
Re: config.php security?
Posted: Thu Jan 17, 2008 2:45 am
by giggler
That was the same result...
I even tried creating a folder with permission of 777 and it just gives a blank page. Oh well...
Re: config.php security?
Posted: Thu Jan 17, 2008 5:04 am
by nivekiam
I think, I'm not sure, that there is a setting in php.ini that can control this. I would take a look at your phpinfo and search for settings that have root, path, or include. Maybe it's at the Apache, httpd.conf level though to. Maybe you could do a test just to see if php/Apache could write to a directory outside the webroot.
Every host I've used, I've been able to do this, so it's got to be a setting at the server level.
[EDIT]
Maybe it's open_basedir. I know I've seen something like this somewhere else before. I would also make sure you don't have safe_mode on.
Re: config.php security?
Posted: Thu Jan 17, 2008 10:07 am
by alby
giggler wrote:
I have a site being test in a subdirectory and this doesn't seem to work. I had to put it in cgi-bin since I couldn't create a new folder in that directed. The cgi-bin has permission set as 750.
I put the following in a file called db.php
Code: Select all
$config['dbms'] = 'mysql';
$config['db_hostname'] = 'localhost';
$config['db_username'] = 'username';
$config['db_password'] = 'pw';
$config['db_name'] = 'dbname';
I have this in config.php
require_once '/var/www/site.com/cgi-bin/db.php';
Is this not working because it's in a subdirectory or because of the cgi-bin folder permission?
Two considerations on this:
- cgi-bin is a bad candidate because it's a special folder, webserver read (you can call
http://www.site.com/cgi-bin/), execute this directory (apache has +ExecCGI for this) and can be in common with other domain
- db.php is a bad name because I know that is simple but it is for attacker also, call, for example, image_resize.php (security by obscurity it's not absolute but ....)
General considerations:
- your account FTP/SSH/SFTP/WEBDAV/SMB/NFS/..... should enable ftp:
- create a directory (and thus permits you to write a file in it) outside webserver (www, htdocs, httpdocs, ...)
- give permission to the directory and files that are readable by php (say php because there is the possibility that you have php-cgi and not as a module for apache)
- nivekiam is right to say that if you have open_basedir then you have many problems for this
If you can not then create a subfolder of cmsms but call with a strange name (captcha-class for example)
Alby
Re: config.php security?
Posted: Thu Jan 17, 2008 2:50 pm
by giggler
open_basedir has a path for local level and "no value" for master value
Code: Select all
give permission to the directory and files that are readable by php (say php because there is the possibility that you have php-cgi and not as a module for apache)
I believe it's module...is this the same as just setting any other permission like 755 and such?
Code: Select all
If you can not then create a subfolder of cmsms but call with a strange name (captcha-class for example)
you mean just put the include there and hope that people don't snoop deeper since the name isn't "database"?
Re: config.php security?
Posted: Thu Jan 17, 2008 4:15 pm
by nivekiam
open_basedir has a path for local level and "no value" for master value
That's probably what's restricting you then.
http://www.php.net/features.safe-mode Scroll down on that page it describes the behavior of open_basedir (please don't be confused by that URL, open_basedir is not effected by whether safe_mode is on or not)
Re: config.php security?
Posted: Thu Jan 17, 2008 4:21 pm
by Pierre M.
Hello,
giggler wrote:
Not sure if this is consider a security issue. I actually tried installing the site for a client and realized they didn't have php enabled. At the mean time, the site basically provides all the code AND the database username and password.
Yes, this
poor hosting is a security issue. It doesn't match
CMSms' requirements.
"Noone should build a house on sand"
Pierre M.
Re: config.php security?
Posted: Thu Jan 17, 2008 6:29 pm
by alby
giggler wrote:
open_basedir has a path for local level and "no value" for master value
Send in your site a file test.php:
Code: Select all
<?php
ini_set('open_basedir', NULL);
phpinfo();
?>
and check if change value, if yes put open_basedir row in config.php
giggler wrote:
Code: Select all
give permission to the directory and files that are readable by php (say php because there is the possibility that you have php-cgi and not as a module for apache)
I believe it's module...is this the same as just setting any other permission like 755 and such?
In php-cgi (it's write in phpinfo()) there are many checks (for example owner and execute of file php)
giggler wrote:
Code: Select all
If you can not then create a subfolder of cmsms but call with a strange name (captcha-class for example)
you mean just put the include there and hope that people don't snoop deeper since the name isn't "database"?
Are always wasting time and for an attacker is vital not to lose time.
An attacker can know this by reading config file (no robots.txt!). If happen, the best practice is to change the name of the directory/file and include row.
I think that it's MOST important to change the name of the admin directory.
I think that we can close the topic if not becomes paranoia.
Alby