John -
This is common practice in PHP - it isn't the best way to do things, but it is
common.
If you can't get application changes made to better protect the authentication
information, at least make sure the include files aren't readable by the
world. It is common for developers to use some alternate file extension, such
as INC, and then forget to map it to php in the Apache config file - thus, an
attacker can often read the file by simply requesting it. The only "defense"
is the obscurity of the filename. A simply script can make repeated requests
with variations on the filename. (ie, in your browser, try
http://<site>/<filename.inc> and see if it dump the source to the browser.)
In the httpd.conf - make sure you have a line like:
AddType application/x-httpd-php .inc
This will cause apache to run the .inc file through the PHP interpreter rather
than returning the text back to the browser.
Another method I strongly encourage is to use the excellent mod_security
package (http://www.modsecurity.org) and use it's filtering engine to block
requests for such files - after all, since they are only includes, they should
never be requested directly.
Of course, one should also get the code updated and have it read and encrypted
file and decrypt the credentials.
Gerald Quakenbush
Author of 'Web Hacker Boot Camp'
http://www.quakenbush.com
John Madden (chiwawa999@yahoo.com) wrote:
Hi,
First off i'm not a PHP programmer but I would like to
know the following:
Is it standard to use INC files to store MYSQL db
connections settings (username and password)?
What else could you do to make this "safer" ?
I presume Apache looks for files with extention
"*.INC" and does not processes them, right ?
Thanks you
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire named worldwide market share leader in web application security
assessment by leading market research firm. Watchfire's AppScan is the
industry's first and leading web application security testing suite, and
the only solution to provide comprehensive remediation tasks at every
level of the application. See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire named worldwide market share leader in web application security
assessment by leading market research firm. Watchfire's AppScan is the
industry's first and leading web application security testing suite, and
the only solution to provide comprehensive remediation tasks at every
level of the application. See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
