Re: [Security-Discuss] Possible PHP hole in Perl?

From: Ronald Ip (myselfiphoting.com)
Date: Tue Jun 15 2004 - 12:17:21 CDT


On Tue, 2004-06-15 at 08:48, Matt Parker wrote:
> On Tue, 2004-06-15 at 01:21, Bob PuffNLE wrote:
> > Hello Ronald,
> >
> > At least in Mdk 8.2 and up, if you installed Apache and Apache-mod_perl, the Apache-mod_perl would
> > answer on port 8200. I've got an app that runs in perl, and it runs much faster under the apache
> > mod_perl server. Good stuff.
> >
> > Now here's the problem: let's say you have a php file that accesses a database. Within the php
> > file, you put the username/password for the database. Normally, a user would never see this code,
> > as it is executed by the php processor called from Apache. Let's say your file is called test.php.
> > So if you browse: http://yourserver/test.php, you'll see the rendered page. However, if you
> > browse http://yourserver:8200/test.php, it triggers a download of the actual (unrendered) php file,
> > comments and all. Normally, one would not try to access a php file via the apache mod_perl, but I
> > just tried doing it on a bunch of machines here, and it does the above on all of them.
> >
> > This could be a huge security leak. I know at least for my scripts, it will reveal sql passwords,
> > and certain file paths.
> >
> > For now, I've disabled the port 8200 on those sites. But there must be some simple fix.
> >
> > Bob
>
> I'm a Java programmer rather than a PHP programmer, but if you're
> putting sensitive information in your scripts then you are doing
> something badly wrong. I would consider it a security hole just to have
> it in there.
>

True; but many are lazy or just find it too troublesome or inconvenient.

> Say for example your set-up was working perfectly, but then a new
> exploit was found and before you had time to patch, someone got the raw
> script file. The damage is twice as bad if usernames/passwords are in
> there.
>
Agree.

> I don't know what alternative there is in PHP, but in Java you can put
> that stuff in a config file that is not available in the normal download
> path and it is encrypted in there as well.
>

It's possible for PHP too. Just ensure that the file, e.g. pass.php, is
not in the Apache doc root (e.g. in /var/php_secret/) but is accessible to the user
apache.
Then, you can do a require_once("/var/php_secret/pass.php");

But still, if you have other weak php scripts which allow shell_exec()
by remote users, you'd better do something about it.

Ronald
--
Ronald Ip myselfiphoting.com
gpg public key http://iphoting.iphoting.com/iphoting.asc
Fingerprint: {6A7E AB1E A822 E621 4DEC 11C4 F355 0635 71D7 1151}

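The pattern Ronald describes (credentials kept in a file outside the Apache doc root and pulled in with require_once), written out as an added example that is not from this thread; the /var/php_secret/pass.php path is the one he names, while the array keys, the realpath and permission checks and the PDO call are my assumptions.

```php
<?php
// /var/php_secret/pass.php (constructed example, lives OUTSIDE the doc root):
// <?php return array('dsn' => 'mysql:host=localhost;dbname=app',
//                    'user' => 'appuser', 'pass' => 'CHANGEME');

/**
 * Load database credentials from a file Apache cannot serve directly.
 * The default path is the one named in the thread; adjust to your layout.
 */
function load_db_credentials($path = '/var/php_secret/pass.php')
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("credentials file unreadable: $path");
    }

    // Refuse a secrets file that sits under the served tree: a second
    // server instance (the mod_perl one on :8200 in Bob's report) could
    // hand it out as raw text just like test.php.
    $docroot = isset($_SERVER['DOCUMENT_ROOT'])
        ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false
        && strpos($real, rtrim($docroot, '/') . '/') === 0) {
        throw new RuntimeException("credentials file $real is inside the doc root");
    }

    // Only the apache user should be able to read it (mode 0400/0600).
    if (fileperms($real) & 0077) {
        trigger_error("credentials file $real is group/world readable", E_USER_WARNING);
    }

    // The included file returns an array; nothing is echoed to the client.
    $creds = require $real;
    foreach (array('dsn', 'user', 'pass') as $key) {
        if (!is_array($creds) || !isset($creds[$key])) {
            throw new RuntimeException("credentials file is missing '$key'");
        }
    }
    return $creds;
}

// test.php (the script the browser requests) now contains no secrets itself,
// so a raw-source download of it reveals only the path of the secrets file.
$creds = load_db_credentials();
$db = new PDO($creds['dsn'], $creds['user'], $creds['pass']);
```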