Markie
Posts: 251
Posted: 01/22/2009, 10:30 AM
These last days we all could see the danger of SQL injection, which seems to have happened to this forum. This caused me to think a little bit more about the security of my web apps made with CCS.
Question: how secure is Common.php, as in this file the username and pwd of the MySQL dbase are in plain text. I can only imagine what happens if the contents of this file get into unprivileged hands. Is it a very secure file? Is it wise to store Common.php in a different folder which is protected with .htaccess, for example?
_________________
The Netherlands, GMT+1
Tools: CCS 5.1, Windows 7, Navicat, Ultraedit
Local server: XAMPP with Apache, php and MySQL
Webserver: Windows 2008 IIS 7, php and MySQL
DonP
Posted: 01/22/2009, 10:52 AM
I have been concerned about this too since I first started using
CodeCharge Studio and have asked YesSoftware many times to add a
facility for putting all the common files into their own folder. It can
be done manually but it's a real pain and usually reverts when regenerated.
Yes' answer was that no one can open the php file directly in a browser
to view it, which may be true, but NOTHING is there to stop any Web
spider from listing its contents elsewhere.
If Yes is reading this, NOW is the time to take action as it is a
serious security breach making all these files so easily accessible, not
to mention the mess it makes of good site housekeeping. Most of my
customers complain of having so much in the root folder when only the
index file should be there. This needs to be done in both v3.x and 4.x.
Don (DonP)
Markie wrote:
> The last days we all could see the danger of SQL injection, which seems to have
> happened to this forums. This caused me to think a little bit more about the
> security of my web apps., made with CCS.
>
> Question: how secure is Common.php, as in this file the username and pwd of the
> MySQL dbase are in plain text. I can only imagine what happens if the contents
> of this file gets in unprivileged hands. Is it a very secure file ? Is it wise
> to store Common.php in a different folder which is protected with .htaccess for
> example ?
datadoit
Posted: 01/22/2009, 12:22 PM
You can use .htaccess to protect your root folder the same way you can
protect any sub folders.
But yes, I agree that the ability to be able to control the destination
of the CCS includes would be fabuloso. They're includes, so it makes
sense they should reside in an /includes directory.
Just think about the nicety of being able to place them in a web root
somewhere to be shared amongst several projects. We're using the same
connections, the same CVS's, the same styles, etc. etc. for several
projects. Wouldn't it be nice to use ONE set of includes?
/var/www/html/includes/
/var/www/html/project1.com/
/var/www/html/project2.com/
damian
Posts: 838
Posted: 01/22/2009, 6:17 PM
no spider can read the php file either
php files are not read by ANY device visiting your website over the http or https protocols
the server reads the file and performs whatever actions are specified in the page and delivers to the browser what you are supposed to see and only what you are supposed to see (if you code it right!)
do not allow directory browsing and make sure you have good username/password security on your ftp users and any management accounts
the whole reason it is installed in the common.php file IS for security
_________________
if you found this post useful take the time to help someone else.... :)
damian
Posts: 838
Posted: 01/22/2009, 6:22 PM
only a spider running on the local machine and reading the file system can open these files and list their textual content - a spider that comes from a remote host sees what you see - no matter how determined it is
_________________
if you found this post useful take the time to help someone else.... :)
ckroon
Posts: 869
Posted: 01/22/2009, 6:25 PM
Thanks for the info Damian.
I figured as much... if spiders could grab the common.php file, no PHP site would EVER be safe.
_________________
Walter Kempees...you are dearly missed.
asongo
Posts: 19
Posted: 01/22/2009, 6:46 PM
I used ionCube to obfuscate the source code.
_________________
PHP 4.4x ,MySQL 4.0x
Kaohsiung, Taiwan
damian
Posts: 838
Posted: 01/22/2009, 9:13 PM
that protects it from your customers eyes too!
_________________
if you found this post useful take the time to help someone else.... :)
thomasbjo
Posts: 43
Posted: 01/24/2009, 4:39 AM
Still it is a good idea to use ionCube to obfuscate the source code. You could gather the connection data in a separate file like config.php etc. and obfuscate Common.php and the other common files.
Leaving the "Events" files open will still give the customers a lot to play with. The include protection is also an asset. Works for me anyway. And you can leave the files you like (or the customer) open.
_________________
"I know a 100 ways on how it does not work"
http://bjoernvold.com
feha
Posts: 712
Posted: 01/25/2009, 5:04 AM
I also suggested that language files reside outside of root.
When using man it creates the mess!
If I want to use mod-rewrite it does not work properly ...
example http://somedomain/en/about/
the "en" makes a problem cause the file en.txt exists ...
thus it cannot be used properly, example ?lang=en ...
This request was put several years ago ...
as in .htaccess
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
Means if file or directory does not exist ...
Also include files first should check for some defined constants before run.
_________________
Regards
feha
www.vision.to
feedpixel.com
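One way to act on Markie's worry and on feha's point that includes should first check a defined constant: keep the credentials above the document root and make Common.php refuse direct requests. This is an added example, not CodeCharge Studio's generated code; the paths, APP_ENTRY and the two helper names are assumptions for illustration.

```php
<?php
// Added example, not CodeCharge Studio's generated Common.php.
// Assumed layout (adjust to your host):
//   /var/www/site/html/             document root; pages and Common.php live here
//   /var/www/site/private/db.php    DB credentials, one level ABOVE the document root
// APP_ENTRY, db_config_path() and load_db_config() are names chosen for this example.

// 1. Guard at the very top of Common.php (and every other include).
//    Entry pages do  define('APP_ENTRY', true);  before require'ing Common.php.
//    A browser requesting Common.php directly never passes an entry page, so the
//    constant is undefined and the script stops before touching any credentials.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// 2. Locate the credentials file relative to the document root and verify that
//    it really sits outside it, so a mis-set DocumentRoot cannot serve it.
function db_config_path()
{
    $docroot = realpath($_SERVER['DOCUMENT_ROOT']);
    $path    = realpath(dirname($docroot) . '/private/db.php');
    if ($docroot === false || $path === false) {
        throw new RuntimeException('document root or private/db.php not found');
    }
    if (strpos($path, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('private/db.php is inside the document root');
    }
    return $path;
}

// 3. Load the credentials. private/db.php contains nothing but:
//    <?php return array('host' => 'localhost', 'user' => 'app',
//                       'pass' => '...', 'db' => 'site');
//    Keep it readable by the web server user only (e.g. mode 640, owned by
//    root with the web server's group) so the site's FTP account cannot read it.
function load_db_config()
{
    $cfg = require db_config_path();
    foreach (array('host', 'user', 'pass', 'db') as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("private/db.php is missing '$key'");
        }
    }
    return $cfg;
}

// 4. Use it where Common.php opens the connection, instead of literal values:
$cfg = load_db_config();
$db  = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
```

The guard must come before the credentials are read, and when the includes are regenerated by CCS it has to be re-applied, which is the manual step DonP complains about.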
RonB
Posts: 228
Posted: 01/25/2009, 11:57 PM
Why not recreate the directory structure on your webserver inside your project:
dir on webserver: var/www/html/sitedata
in project create a map html and put all pages in there. Now you have Common files outside the site.
Wouldn't that work?
Ron
melvyn
Posts: 333
Posted: 01/26/2009, 3:59 PM
Take care regarding mod_rewrite and so on.
Watching this post I tried google with some keywords, and got this page: http://mjandersen.com/ibmopps/login http://mjandersen.com/ibmopps/Common http://mjandersen.com/ibmopps/
It appears to be a rookie user testing, and so I remember my first projects when I didn't use a folder for html templates. When you leave html and php in the same folder and there's a login.php, if the user tries http://yoursite.com/login it launches the login.html, which usually has priority over the login.php.
Maybe I'm speaking trash here, but it deserves a look.
Mel
_________________
Melvyn Perez
Puro Codigo
http://purocodigo.com
feha
Posts: 712
Posted: 01/26/2009, 4:20 PM
wow, this guy seems to have messed up very much with mod_rewrite
there is a problem also on server settings ...
he should put a priority order for index ...
<IfModule mod_dir.c>
DirectoryIndex index.php index.html index.htm
</IfModule>
and perhaps there are some wrong parameters on how to handle file extensions ...
never seen anything like this ...
_________________
Regards
feha
www.vision.to
feedpixel.com
melvyn
Posts: 333
Posted: 01/26/2009, 4:48 PM
Indeed!
There's another thing around that guy: he appears to have tested CCS on January 8, 2006... more than 3 years ago!!! and the testing code remains there.
So we can see how far security issues go...
_________________
Melvyn Perez
Puro Codigo
http://purocodigo.com
melvyn
Posts: 333
Posted: 01/26/2009, 4:56 PM
Quote feha:
> (...)
> never seen anything like this ...
There's always a first time, feha, always.
_________________
Melvyn Perez
Puro Codigo
http://purocodigo.com