My rant about unix home directories

Hello Newsgroup:

This is my little rant about security and why we have home directories.

You may choose to ignore it or disagree with it, that is your prerogative
and I won't care, but... this little rant needs to be said in the 21st
century, as we seem to have forgotten about it.

Many PHP packages and cgi scripts ask you to store database settings
and passwords in web space.

Of course, it's secure, so long as configuration files are given
a [.php|.cgi] extension, right?

Wrong.

I think most of us have seen misconfigured web servers that send the
contents of PHP files rather than running them through an interpreter
at some point. A .php extension does not give a configuration file
security. I've seen this happen many times as I'm sure anyone here has.

Time was, all the CGI programming FAQs would warn you about this, they would
tell you, always make sure passwords and critical pieces of information are
kept safely outside web space. This "old timer" advice still applies.

The general rule was, if you don't want it sent to the browser, don't put it on
the web server. (meaning, in "web space")

Don't protect something with an .htaccess file.

Don't protect something with a .php|.cgi or .whatever

Just don't put critical bits of data on the web server. (unless you
have no choice)

But.. not any more, we've forgotten this ancient advice.

We now routinely ask people to edit some sort of .php file for database
settings and save it in the same directory as the script running it. It's
common practice, heck I've done it a few times.... From what I gather,
PHP's so called "safe mode" (isn't that a kick in the teeth) demands
you do this.

It's convenient, it's what users have come to expect.

But... it is not secure.

We have home directories for this sort of thing and I just wish we'd get back
to the old practice of using them for their intended purpose before ISPs start
making a person's home directory the same as the web directory.

There. rant over. Sorry.. had to say it, I don't expect anyone to actually
listen to it or anything, people seldom do.

You may go back to storing all your critical database settings in web space
now. :-)

Jamie
--
http://www.geniegate.com Custom web programming
gu******@lnubb.pbz (rot13) User Management Solutions
Apr 29 '06 #1
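The layout the post argues for, as an added PHP example (not Jamie's code and not from any package mentioned here): the credentials file lives in a directory beside, not under, the document root; `index.php` pulls it in with `require`; and a check refuses to start if the file resolves to a path under `DocumentRoot`, which is exactly the situation in which a misconfigured server would hand the file to a browser as text. The `/home/jamie/...` paths, the `db.php` array shape and the function name `loadDbConfig` are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) layout:
//
//   /home/jamie/app/config/db.php       credentials, outside DocumentRoot
//   /home/jamie/public_html/            DocumentRoot ("web space")
//   /home/jamie/public_html/index.php   this file
//
// db.php is a plain PHP file that returns an array, e.g.:
//
//   <?php
//   return [
//       'dsn'  => 'mysql:host=localhost;dbname=app',
//       'user' => 'app',
//       'pass' => 'change-me',
//   ];
declare(strict_types=1);

/**
 * Load the credentials file and refuse to run if it sits under the document
 * root or is readable by other accounts on the same machine.
 */
function loadDbConfig(string $configPath, string $documentRoot): array
{
    $realConfig = realpath($configPath);
    $realRoot   = realpath($documentRoot);
    if ($realConfig === false || $realRoot === false) {
        throw new RuntimeException('config file or document root not found');
    }

    // realpath() resolves symlinks and "..", so a prefix comparison is enough
    // to tell whether the file is inside web space.
    $rootPrefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realConfig, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException(
            "refusing to load $realConfig: it is inside the document root $realRoot"
        );
    }

    // Chung Leong's point later in this thread: another local account can read
    // a world-readable file wherever it lives, so check the mode as well.
    if ((fileperms($realConfig) & 0004) !== 0) {
        throw new RuntimeException("refusing to load $realConfig: it is world-readable");
    }

    $config = require $realConfig;
    if (!is_array($config) || !isset($config['dsn'], $config['user'], $config['pass'])) {
        throw new RuntimeException('db.php must return an array with dsn, user and pass');
    }
    return $config;
}

// $_SERVER['DOCUMENT_ROOT'] is set by the web server; __DIR__ is a fallback
// for running this file from the command line during development.
$documentRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
if ($documentRoot === '') {
    $documentRoot = __DIR__;
}

$db  = loadDbConfig(__DIR__ . '/../app/config/db.php', $documentRoot);
$pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```

The prefix check is deliberately done on the resolved path rather than on the string passed to `require`: a config directory that is a symlink into `public_html`, or a `..` that walks back into it, would pass a naive string comparison and still be served by a misconfigured host.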
Jamie wrote:

> This is my little rant about security and why we have home directories.

Three thoughts occurred to me when reading this:
1. How is this specific to Unix and/or home directories? It seems more
about keeping private data in the web server space.
2. Why not keep most of your private data in a database? That is not
within the web server space but can be accessed as needed.
3. If you need to store private data within the web server space, why
not encrypt it first?

-david-

Apr 29 '06 #2
> Many PHP packages and cgi scripts ask you to store database settings
> and passwords in web space.

I did not encounter them. And if you DO encounter them, you can always
let those pages call a script outside the web root. And of course you
should. The web root is PUBLIC space. So, anything you put in there is
publicly available. Things that should not be publicly available should
be kept out of there. Period.

> Of course, it's secure, so long as configuration files are given
> a [.php|.cgi] extension, right?

Wrong. Wrong indeed. Alas there are ways for a hacker to get to the source
sometimes.
My web root still has some settings.php. I had to, as my development
environment and my provider's environment differ too much. Of course,
all it does is correct the right settings that it digs up from a deeper,
"require"d file outside the web space (both live and on development).

Thanks for the warning. Take a glass of water, cool down from your rant
and have a nice weekend.

Apr 29 '06 #3
> 1. How is this specific to Unix and/or home directories? It seems more
> about keeping private data in the web server space.

It isn't, except that some other setups don't have an obvious
place equivalent to a home directory.

> 2. Why not keep most of your private data in a database? That is not
> within the web server space but can be accessed as needed.

Because one of the most important pieces of private data is the
password to the database, which obviously can't be kept in
the database.

> 3. If you need to store private data within the web server space, why
> not encrypt it first?

So where do you keep the key to it?

Gordon L. Burditt
Apr 29 '06 #4
Pointless rant. In a typical setup the database server isn't
accessible to the outside world, so the risk of exposure through a
misconfigured web server isn't that unreasonable to take. The database
login/password is only useful to someone who can access the
database--i.e. another account on the same server. Putting your config
file in your home directory does not prevent him from reading it.

Ideally any sensitive info should be stored in httpd.conf, readable
only by root.

Apr 29 '06 #5
In article <Lc1146303849229750x9dadb4@localhost>,
no****@geniegate.com (Jamie) wrote:
<deletia>


I store all my db/passwd settings outside web server scope and require
them into my php scripts. You can't surf to these files.

But I was hacked nonetheless! Fact is that my community system allowed
for files to be uploaded to the web server through users' galleries,
web forums and such - and I didn't have a check if the file uploaded
was a PHP file. So one person uploaded a .php file as an "image" in
his gallery (so there never was any doubt who did it).

Then he surfed to this php file as he would have surfed to his image.
Only, it wasn't an image, it was a PHP script that listed files on the
hard drive, or posted the content of them.

Luckily, the web server process doesn't have read access to anything
outside its web server account, but it - obviously - has access to
these files outside of the document root, which he of course could
read, and did - and thus had complete access to my entire database
(through their custom php files, not through remote access to MySQL).
So he would upload custom php files that did all sorts of things with
my databases. Luckily, his motive was not to wreak havoc, and he did more or
less benign - although very irritating - things like changing
everyone's account picture and so on.

I pressed charges, of course. Turns out he was a fifteen year old kid
and his parents got scared shitless. Hopefully he's learned a lesson.
The police didn't do anything more since I didn't want to take it any
further than to use them as intimidation.

--
Sandman[.net]
Apr 29 '06 #6
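The incident Sandman describes has two parts: the upload was accepted on the strength of its claimed name and type, and the stored file could then be executed by the server like any other script. As an added example (not Sandman's code), a PHP upload handler that closes both gaps: the client's filename and MIME type are ignored, the bytes are checked with `finfo` and `getimagesize`, the file is stored under a random server-chosen name with a fixed image extension in a directory outside the document root, and it is served back through a script that sets an image Content-Type. The form field name `image`, the `/home/sandman/uploads` path and the two function names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions (hypothetical):
// $uploadRoot is a directory outside DocumentRoot that the web server account
// can write to, the upload form field is named "image", and stored images are
// served back through serveStoredImage() rather than by a direct URL.
declare(strict_types=1);

// Allowlist: detected MIME type => extension the server will use for storage.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;

/** Validate one entry of $_FILES and store it; returns the server-chosen name. */
function storeUploadedImage(array $file, string $uploadRoot): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $file['error']);
    }
    if ($file['size'] > MAX_UPLOAD_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected upload');
    }

    // $file['name'] and $file['type'] come from the client and are never used.
    // The type is taken from the bytes themselves.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('not an allowed image type: ' . $mime);
    }
    // Second, independent check: the file must actually decode as that image type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('file does not decode as ' . $mime);
    }

    // Random name, fixed extension: a ".php" upload can never keep its name.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadRoot, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640); // readable by the web server account, not executable
    return $name;
}

/** Serve a stored image as bytes with an image Content-Type, never as a script. */
function serveStoredImage(string $name, string $uploadRoot): void
{
    // Only names this code generated are accepted; no path characters get through.
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($uploadRoot, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    $mime = array_search($ext, ALLOWED_IMAGE_TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage from the gallery upload handler (hypothetical path):
// $stored = storeUploadedImage($_FILES['image'], '/home/sandman/uploads');
// ...and from the image URL handler:
// serveStoredImage($_GET['img'] ?? '', '/home/sandman/uploads');
```

Where the hosting setup forces uploads to live under the document root, the second half of the incident can still be prevented in server configuration by switching script execution off for that directory (with Apache and mod_php, `php_admin_flag engine off` inside the `<Directory>` block for the uploads path), so that a file which slips past the checks is served as bytes rather than run.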
In article <ks***************@fe05.usenetserver.com>,
David Haynes <da***********@sympatico.ca> wrote:

> 1. How is this specific to Unix and/or home directories? It seems more
> about keeping private data in the web server space.

Indeed.

> 2. Why not keep most of your private data in a database? That is not
> within the web server space but can be accessed as needed.

Well, information about how to connect to the database and
username/password couldn't really be kept in the database you're
trying to connect to.

> 3. If you need to store private data within the web server space, why
> not encrypt it first?


The OP was probably mostly talking about "download your PHP guestbook
now" type of scripts, where the script has its settings in a file
that needs to reside on the same path as the script itself, for
convenience - since the programmer, or program, doesn't know where
"outside the web scope" is for all the people that will download the
script.

Encrypting such a file needs the user to know HOW to encrypt it. A
startup process that asks - via web forms - for the passwd/user and
then saves and reads them encrypted would be a good idea.

--
Sandman[.net]
Apr 29 '06 #7
In article <11**********************@g10g2000cwb.googlegroups.com>,
"Chung Leong" <ch***********@hotmail.com> wrote:

> Pointless rant. In a typical setup the database server isn't
> accessible to the outside world, so the risk of exposure through a
> misconfigured web server isn't that unreasonable to take. The database
> login/password is only useful to someone who can access the
> database--i.e. another account on the same server. Putting your config
> file in your home directory does not prevent him from reading it.

See another one of my posts in my thread here, where this actually
happened. A user gained access to my MySQL server through a
user/passwd file kept outside the web scope, using the web server's
granted connection to the database. :)
--
Sandman[.net]
Apr 29 '06 #8
In <11**********************@g10g2000cwb.googlegroups.com>,
"Chung Leong" <ch***********@hotmail.com> mentions:

> Pointless rant. In a typical setup the database server isn't
> accessible to the outside world, so the risk of exposure through a
> misconfigured web server isn't that unreasonable to take. The database
> login/password is only useful to someone who can access the
> database--i.e. another account on the same server. Putting your config
> file in your home directory does not prevent him from reading it.
>
> Ideally any sensitive info should be stored in httpd.conf, readable
> only by root.


I disagree.

If you don't intend to serve something through a web server, it shouldn't be in
web space.

Granted, I think all of us have at some point or another done it
just because it's convenient. For example, I'll sometimes store
library code in web space. It's easier. (and definitely makes backups
easier)

The safest way to keep someone from accessing data that maybe you
didn't intend to be accessed is to keep it out of web space. (I say
safest, it's still not foolproof, if the machine itself is compromised
all bets are off.)

Reason this bugs me so much is that people have come to expect such
settings ARE stored on the web server. It's become such common
practice I wish it would stop.

Jamie
--
http://www.geniegate.com Custom web programming
gu******@lnubb.pbz (rot13) User Management Solutions
May 1 '06 #9
