
RE: [cobalt-security] PHP security problem with Cobalt structure of file system



If you can, use LDAP.

Have the user login using LDAP authentication.  Use LDAP to store the true
username and password for the database, read the database password in from
the script, and use this second layer to access your database.

Usernames and passwords should *NEVER* be embedded in scripts :)

I have used this LDAP trick, and it is very effective.

If your users are not logging in directly, you can block external access to
your LDAP port and restrict it to loopback addresses while still using your
script to retrieve the username and password.  You can also store the
password in an encrypted file using something like Blowfish and have the
script decrypt it when needed (blowfish is very fast).

Later,
Chris

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Fabian Lucchi
Sent: Monday, September 11, 2000 10:24 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] PHP security problem with Cobalt structure of
file system


I have been told of the following problem:

A Cobalt where PHP3 is installed has big problems with sensitive
information. Let's take a domain, www.test.com, which has a MySQL database
called "MyDB". If we have to access that database from a PHP script, the
username/password has to be stored in that script, somewhere. And if another
customer uses some PHP code to read files on the system, he could issue a
command like:

readfile("/home/sites/www.test.com/web/index.php3")

and thus see the password used to manage & access the database. Not very
fair... The file will be shown, as the user httpd can read all files under
/home/sites/*/web.

What can we do against this?

Fabian

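Before moving logins out of scripts the way Chris describes, an administrator of such a box wants to know which scripts under /home/sites/*/web actually embed one. The Python scanner below is an added example, not code from either poster; the Cobalt directory layout and the mysql_connect() argument order (host, user, password) come from the thread, and the two sample scripts it checks itself against are constructed.

```python
import glob
import os
import re
import sys

# mysql_connect()/mysql_pconnect() calls whose host, user and password are
# all string literals, i.e. the database password is hard-coded in the script.
_CONNECT_RE = re.compile(
    r"""mysql_p?connect\s*\(\s*(['"])(?P<host>[^'"]*)\1\s*,\s*
        (['"])(?P<user>[^'"]*)\3\s*,\s*(['"])(?P<password>[^'"]+)\5""",
    re.VERBOSE | re.IGNORECASE)

# Constructed sample scripts (not from the thread) used as a quick self-check.
VULNERABLE_SAMPLE = """<?php
// credentials embedded in the script: the pattern Fabian describes
$link = mysql_connect("localhost", "mydb_user", "s3cret");
mysql_select_db("MyDB", $link);
?>"""
SAFE_SAMPLE = """<?php
// credentials supplied at runtime (e.g. looked up via LDAP as Chris suggests)
$link = mysql_connect("localhost", $db_user, $db_pass);
?>"""

def find_embedded_credentials(php_source):
    """Return (line_number, db_user) for each hard-coded login; the password
    itself is deliberately left out so the report does not repeat the secret."""
    findings = []
    for match in _CONNECT_RE.finditer(php_source):
        line_no = php_source.count("\n", 0, match.start()) + 1
        findings.append((line_no, match.group("user")))
    return findings

def scan_site_tree(root="/home/sites"):
    """Walk each customer's web/ directory in the Cobalt layout and list the
    PHP scripts that embed a database login as (path, line, db_user)."""
    report = []
    for web_dir in glob.glob(os.path.join(root, "*", "web")):
        for dirpath, _, files in os.walk(web_dir):
            for name in files:
                if not re.search(r"\.(php\d?|inc)$", name, re.IGNORECASE):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    hits = find_embedded_credentials(fh.read())
                report.extend((path, ln, user) for ln, user in hits)
    return report

if __name__ == "__main__":
    for path, line_no, user in scan_site_tree(*sys.argv[1:2]):
        print(f"{path}:{line_no}: hard-coded database login for '{user}'")
```

Anything it flags is a candidate for moving the login out of the script, along the lines Chris describes above.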

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security