One thing I would do, and I have done this in many of my applications:

a) Store the username / password in a database.
b) Encrypt passwords (with a salt) with AES-256 using a key stored in a file OUTSIDE the document path.
c) Add code to the beginning of the included file to ensure it is only executed by approved files.

<?php
// Refuse to run unless the including script is the approved admin.php
if( 0 == preg_match( "/maplerunfarm-secure\/admin.php/", $_SERVER["SCRIPT_FILENAME"] ) ) {
    exit("Error: invalid inclusion of file. Please contact your system administrator");
}
// Key used for the AES-256 encryption of stored passwords
$CONST_SECURE_KEY = "DKTAZ+2EFaSHexdE0hbKJKiO/mQeF1hd";
?>

-----Original Message-----
From: Jan G.B. [mailto:ro0ot.w00t@xxxxxxxxxxxxxx]
Sent: Tuesday, August 24, 2010 9:09 AM
To: Andre Polykanine
Cc: Nathan Rixham; tedd; php-general@xxxxxxxxxxxxx
Subject: Re: Re: How safe is a .htaccess file?

2010/8/19 Andre Polykanine <andre@xxxxxxxx>:
> Hello Nathan,
>
> Sorry, could you provide any links to read for a security noob?)
> Actually, I know that the md5 is decryptable (there are bases with
> words encrypted in md5), but I thought the SHA1 was secure...
> --
> With best regards from Ukraine,
> Andre
> ----- Original message -----
> From: Nathan Rixham <nrixham@xxxxxxxxx>
> To: tedd <tedd@xxxxxxxxxxxx>
> Date: Thursday, August 19, 2010, 12:03:12 PM
> Subject: Re: How safe is a .htaccess file?
>
> tedd wrote:
>> Hi gang:
>>
>> The subject line says it all.
>>
>> How secure is a .htaccess file to store passwords and other sensitive
>> stuff?
>>
>> Can a .htaccess file be viewed remotely?
>
> Semi-safe,
>
> .htaccess is prevented from being served by configuration options (which
> come as default), however these can be overwritten so best to check by
> doing a GET on the resource URI.
>
> This doesn't prevent them from being exposed via other processes though,
> for instance a poorly coded 'download.php?path=/path/to/.htaccess' could
> still expose the file.
>
> Typically, it's obviously better to store only a hash of a password
> rather than the pass in plain text, choosing the strongest algorithm you
> can; password security is of course relative though, a sha-512 of
> 'password1' is far from secure.
>
> A good way to approach encryption for files is to openssl_seal them
> using a public key which is only available to your application - this
> doesn't negate insecure code, but it at least ensures the raw files are
> encrypted securely enough to negate any of these worries. (just keep
> your private key safe, preferably in a pkcs12 w/a strong 64char+ pass)
>
> Best,
>
> Nathan
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Hi Nathan,

I'm not a crypto expert.. but I'll try to explain it:

The weakness of MD5 is mainly because MD5 collisions are possible. That means that different strings can have the same MD5-hash...

When you use "test" as a secret password, then no hashing algorithm at all can be considered as "safe". The first two passwords a cracker will try might be "1234" and "test".. No big deal.

Databases of MD5-hashes exist. And so can databases of SHA-* hashes. To get around these databases you can just "salt" your hash.. that way the hash of the word "test" will not be the same as the hash in the database without *your* salt. No matter if you use MD5 or SHA256:

$ echo -ne test | md5sum
098f6bcd4621d373cade4e832627b4f6 -
$ echo -ne test-mySecretSalt | md5sum
c62fb41567c476e36ba46e5b53ae6d59 -

Only the first string will be available in a hash-database. So you see - as long as a cracker only gets your salted hashes WITHOUT the used salt, it's pretty safe.. as long as you ignore collisions!
Back to topic:

- As mentioned before, the biggest risk in authentication via .ht* files is that one can try to get these files via a bug in an application.. (e.g. ?read_file=.htaccess%00)
- That's why you don't want to use plain-text passwords in .htaccess files. Most used is the htdigest algorithm. Be sure to use a STRONG password: long string with letters, numbers and more chars.
- If you're curious, get a copy of "John the Ripper password cracker" and try to decode your passwords.. that's what the bad guys use once they get your .htaccess file.

Regards
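The salting argument Jan makes above, as an added example that is not part of the thread (Python rather than PHP so it runs stand-alone): a tiny constructed stand-in for a precomputed MD5 database finds the unsalted hash of "test" but not the salted one, and the second half goes one step beyond the thread by storing a per-user random salt next to a deliberately slow PBKDF2 digest instead of a single site-wide salt. The table contents, record format and iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed hash database: unsalted MD5 digests
# of a few very common passwords, the kind a cracker tries first.
COMMON_PASSWORDS = ["1234", "test", "password1"]
UNSALTED_MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_hex(data: str) -> str:
    """Unsalted MD5 of the string, like `echo -ne <data> | md5sum` in the thread."""
    return hashlib.md5(data.encode()).hexdigest()


def lookup_in_table(digest: str) -> Optional[str]:
    """Return the password whose digest is in the precomputed table, else None."""
    return UNSALTED_MD5_TABLE.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    The stored record carries algorithm, iteration count, salt and digest, so
    verification needs no site-wide secret salt and the cost can be raised later.
    """
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(lookup_in_table(md5_hex("test")))               # found in the table
    print(lookup_in_table(md5_hex("test-mySecretSalt")))  # None: the salt defeats it
    record = hash_password("test")
    print(verify_password("test", record), verify_password("wrong", record))
```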