Re: PHP shell commands

On Jan 11, 2008 6:58 AM, Lucas Prado Melo <lucaspm@xxxxxxxxxxx> wrote:
> On Jan 11, 2008 9:33 AM, Bipin Upadhyay <muxical.geek@xxxxxxxxx> wrote:
> > Lucas Prado Melo wrote:
> > > Hello,
> > > Some php applications store database passwords into files which can be
> > > read by the user www-data.
> > Why not keep them out of the web tree and inform the application
> > regarding the same. I am sure almost all good applications would provide
> > a simple way for doing it.
> > > So, a malicious user which can write php scripts could read those passwords.
> > > What should I do to prevent users from viewing those passwords?
> > I am not sure I understand this. Do you mean the attacker would upload
> > scripts and execute them to read the config files? If yes then that's a
> > different problem altogether.
> Yes, I mean so.

    Make sure you change the permissions on the directory in which
uploads are saved to be non-readable by anyone (including yourself, in
case the scripts are suexec'd).

    For example, if the directory in which you save uploaded files is
uploads/ then just do this (on a *nix box):
        chmod 300 uploads

    That way, files can still be saved to the directory (which
requires write and execute privileges), but the files cannot be read
or executed via the web, and directory listing is implicitly denied
for all protocols (and local access) to anyone except root.

    To best-protect your configuration scripts, though, always place
them outside of the web-accessible directories (for example,
/home/user/config/) and include them properly.  Also, make sure they
are read-only (chmod 400, or chmod 444 if not using suexec).

    Beyond that, code obfuscation using Zend Optimizer (as was
suggested) or an alternative would be your best bet.  Just keep in
mind that anything that can be accessed by any means is never going to
be 100% secure.

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek and #1 Rated "Year's Coolest Guy" By Self Since
Nineteen-Seventy-[mumble].
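As an added example (not part of Dan's post or the thread), here is a small POSIX sh audit of the two rules above: an uploads directory at mode 300 and a config file outside the web tree at mode 400 or 444. It assumes GNU coreutils `stat -c` and a hypothetical layout of `BASE/public/uploads` for the web tree and `BASE/config/db.php` outside it.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes GNU stat.
#   - uploads/ must be writable and searchable by its owner but readable
#     by nobody (chmod 300), so uploaded scripts cannot be read or listed
#   - config files live outside the web tree and are read-only
#     (chmod 400, or 444 when not using suexec)

# Print the permission bits of a path as a decimal integer (mode & 0777).
perm_bits() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # a leading 0 makes the shell parse stat's digits as octal
    echo $(( 0$m & 0777 ))
}

# 0 when DIR is a directory with owner write+execute and no read bit at all.
uploads_dir_ok() {
    [ -d "$1" ] || return 1
    m=$(perm_bits "$1") || return 1
    [ $(( m & 0444 )) -eq 0 ] && [ $(( m & 0300 )) -eq $(( 0300 )) ]
}

# 0 when FILE is a regular file whose mode is exactly 400 or 444.
config_file_ok() {
    [ -f "$1" ] || return 1
    m=$(perm_bits "$1") || return 1
    [ "$m" -eq $(( 0400 )) ] || [ "$m" -eq $(( 0444 )) ]
}

# Apply the post's chmod advice under BASE (hypothetical layout:
# BASE/public/uploads inside the web tree, BASE/config/db.php outside it)
# and report whether both checks pass afterwards.
harden_layout() {
    base=$1
    mkdir -p "$base/public/uploads" "$base/config"
    : > "$base/config/db.php"            # constructed stand-in config file
    chmod 300 "$base/public/uploads"
    chmod 400 "$base/config/db.php"
    uploads_dir_ok "$base/public/uploads" && config_file_ok "$base/config/db.php"
}
```

The checks only inspect mode bits; root (and the file owner, via chmod) can of course still get at the contents, which is the "never 100% secure" caveat above.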

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

