Network Security: Detailed info on RE: Deny Access To configuration file using php scripts

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Focus-Linux

[Top] [All Lists]

RE: Deny Access To configuration file using php scripts

from [Tosoni] Network Security

[Permanent Link]

Subject:	RE: Deny Access To configuration file using php scripts
Date:	Tue, 1 Mar 2005 21:13:16 +-100

Three-folded approach:
1) the config file must be owned by 'nobody' and readable only by 'nobody'. 
This takes care of the shell accounts.

2) use php safe_mode, this takes care of direct file access

3) specify a PHP safe_mode_exec_dir which will contain the bare minimum safe 
executables (dont put 'cat' inside, or replace it by a version which refuses to 
cat sensitive info). This directory and its parents must not be writeable by 
your users.

I suggest that you remove shell accounts to the bad guys as a punishment...

From raT on march 1, 2005:
the first thing they do is a
system ('cat /var/www/path to config file');
inside a php script

my problem is to deny this file from being read throu the script since
the apache deamon runs as nobody
and it has to have read permision to the configuration file.

my users have shell acount and can create files in the public_html folder.

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Deny Access To configuration file using php scripts, raT Re: Deny Access To configuration file using php scripts, David Morel Re: Deny Access To configuration file using php scripts, Marcel Prisi Re: Deny Access To configuration file using php scripts, Bruce Garlock Re: Deny Access To configuration file using php scripts, Josh Sholes Re: Deny Access To configuration file using php scripts, Suramya Tomar Re: Deny Access To configuration file using php scripts, Jan Urbancik Re: Deny Access To configuration file using php scripts, Joachim Schipper RE: Deny Access To configuration file using php scripts, Brent Meshier Re: Deny Access To configuration file using php scripts, Igor Plisco RE: Deny Access To configuration file using php scripts, Tosoni <= RE: Deny Access To configuration file using php scripts, Scott Fagg RE: Deny Access To configuration file using php scripts, administrator Message not available Re: Deny Access To configuration file using php scripts, Server Administration Re: Deny Access To configuration file using php scripts, Mohammed Salih Re: Deny Access To configuration file using php scripts, Anton Titov Re: Deny Access To configuration file using php scripts, John Georgelas Re: Deny Access To configuration file using php scripts, Suramya Tomar

Previous by Date:	Re: Deny Access To configuration file using php scripts, Joachim Schipper
Next by Date:	RE: Deny Access To configuration file using php scripts, Brent Meshier
Previous by Thread:	Re: Deny Access To configuration file using php scripts, Igor Plisco
Next by Thread:	RE: Deny Access To configuration file using php scripts, Scott Fagg
Indexes:	[Date] [Thread] [Top] [All Lists]