Folks,
This is such a simple security issue, I'm surprised it even exists.
There is, in my mind, a huge security issue for folks running forum software such as vB or phpbb on these shared servers. It has to do with the config.php file and your host not knowing what the heck they are doing.
They have the permissions configured improperly, where they allow "all" read and eXecute permission on this file.
So, what does this mean to you? It means you can do a "locate config.php" and see all the copies across everyone's home directory. At that point, you can cd to that directory and READ the config.php file.
Of course, once you have read it, you're able to get the dbname and dbpassword that is configured for MySQL.
Once you have this data, feel free to use mysqldump to dump the data base, change it, etc.
Check with your host: your config.php file SHOULD NOT be world/all readable. It should be RWX for you, and R for whatever user runs apache (on RedHat, it is the apache user). No reason to have world/all permissions on this file. At least none that I am aware of! ;-)
Perhaps someone with more security experience can figure out how to better protect this file than having it chown user:apache and chmod 750.
Two LARGE shared providers are vulnerable to this. To check if yours is, do a:
[cara@s1 cara]$ locate config.php
/www/html/fn/vb/admin/config.php
[cara@s1 cara]$
<note user Cara can read that directory, which isn't hers>
[cara@s1 cara]$ ls -l /www/html/fn/vb/admin/config.php
-rwxr-xr-x 1 tjk tjk 1017 Jan 24 21:50 /www/html/fn/vb/admin/config.php
[cara@s1 cara]$
<ok, the file is user/group tjk, but has RX permissions for All>
[cara@s1 cara]$ cat /www/html/fn/vb/admin/config.php
<?php
/////////////////////////////////////////////////////////////
// Please note that if you get any errors when connecting, //
// that you will need to email your host as we cannot tell //
// you what your specific values are supposed to be //
/////////////////////////////////////////////////////////////
// type of database running
// (only mysql is supported at the moment)
$dbservertype="mysql";
// hostname or ip of server
$servername="localhost";
// username and password to log onto db server
$dbusername="vb";
$dbpassword="vb";
// name of database
$dbname="vb";
// technical email address - any error messages will be emailed here
$technicalemail = "blah blah blah to protect the innocent";
// use persistant connections to the database
// 0 = don't use
// 1 = use
$usepconnect = 0;
// which users are allowed to view the admin log
// separate each userid with a comma
$canviewadminlog = "1";
// which users are allowed to prune the admin log
// separate each userid with a comma
$canpruneadminlog = "";
?>
[cara@s1 cara]$
<great, cara now has my db name and my db password! what can they do with it? Hopefully I'm smart enough to not use my dbpassword as my admin login, etc>
[cara@s1 cara]$ mysql dump -uvb -pvb vb > test.dump
[cara@s1 cara]$ ls -l test.dump
-rw-rw-r-- 1 cara cara 4587 Jan 28 13:09 test.dump
[cara@s1 cara]$
<hmm, they were able to dump it...not good>
You get the point from here.
Check your server/configuration!
Tom
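The check Tom describes above, written up as a small audit script for an administrator. This is an added example, not part of the original post and not vBulletin's or phpBB's own code. It assumes a GNU or BSD `stat`, uses `find` instead of `locate` (so it does not depend on an up-to-date locate database), and takes the web server's group as an optional parameter; the directory layout under `/www/html` is only an illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find config.php files whose
# "other" read bit is set and apply the 750 / user:apache fix the post suggests.

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 (true) when the "other" read bit (octal 004) is set on the file.
is_world_readable() {
    mode=$(file_mode "$1")
    other=$(( mode % 10 ))        # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]
}

# List every config.php under $1 that is readable by any user on the box.
world_readable_configs() {
    find "$1" -type f -name config.php -perm -004
}

# Report offenders under $1; exit 0 only if none were found.
audit_configs() {
    n=$(world_readable_configs "$1" | wc -l | tr -d ' ')
    world_readable_configs "$1" | while read -r f; do
        printf 'WORLD-READABLE: %s (mode %s)\n' "$f" "$(file_mode "$f")"
    done
    [ "$n" -eq 0 ]
}

# Apply the fix from the post: owner rwx, web-server group r-x, nothing for others.
# $1 = file, $2 = group the web server runs as (e.g. apache); chgrp needs root or ownership.
harden_config() {
    if [ -n "$2" ]; then
        chgrp "$2" "$1"
    fi
    chmod 750 "$1"
}

# Usage: sh audit-config.sh /www/html [apache]
if [ -n "$1" ]; then
    if audit_configs "$1"; then
        echo "no world-readable config.php under $1"
    else
        echo "fix with: harden_config <file> ${2:-apache}"
    fi
fi
```

Note that `chmod 750` with the apache group only protects the file from other shell users. On a shared host where every customer's PHP runs as the same apache user, that user (and therefore any other tenant's PHP script) can still read the file, so the host also needs per-customer PHP execution (a separate user per vhost) for the fix to hold.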