Need help with file permissions for PHP files

Posted by Kresimir Cosic on 10/04/76 11:10

Hi!

I am running a website on a server where I am not the administrator, and
there are other users of the same machine. The machine is Linux
running Apache. The website is written in PHP.

The problem is that, in order for PHP to be able to access *.php
files, the files must be in a directory with execute permission, and
the files themselves must have read permission. This makes my files open
to reading by anyone, that is, anyone can look at my PHP source
code, which I do not want.

The best I can do about it is to put those files in a directory with
execute, but without read permission. That way the potential hacker
cannot know the names of my files, but he may be able to guess
them! This is the first and most benign problem, but all following
problems are more serious and have the same basis.

The website accesses a mysql database, and the PHP script caches some
information into a cache.txt file. Since this PHP script must write
to this file, the file has write permission. So, a potential hacker
can write to the cache file and make my website display erroneous
information, or maybe even completely disable the website.

The third problem is the most severe. The PHP scripts from the website
connect to my mysql database. For security reasons the database accepts
only connections through a local socket file. Again, the permissions
are such that, if the PHP script can access it, so can a potential hacker,
and he can also read the password from the PHP source, so a hacker has no
trouble bringing my whole database down (well, he cannot do that
because of database access privileges, but he could do a lot of damage
knowing all this).

Please help!

Additional information (if that helps):
The website is located in directory home/vriho/public_html/
The mysql database is in home/vriho/db/mysql/ (not shared to other
users)
The local socket file for mysql is at home/vriho/db/socket/
The parts of website that are "hidden", including the cache file are
at directory home/vriho/public_html/parts/
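
Added example, not part of the original post: a small audit that walks a directory and reports what the "other" permission class, meaning every other local account on the shared machine, may do to each entry, covering the three situations the post describes. The sample tree is constructed; `parts` and `cache.txt` follow the post, while `db.php` and `private.php` are made-up names.

```python
import os
import stat
import tempfile


def audit_other_bits(root):
    """Report what the 'other' permission class (every other local
    account on the machine) may do to each entry under root."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        mode = os.lstat(path).st_mode
        rel = os.path.relpath(path, root)
        if stat.S_ISLNK(mode):
            continue  # a symlink's own mode bits are not enforced on Linux
        if stat.S_ISDIR(mode):
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((rel, "dir: others can create/delete entries"))
            if mode & stat.S_IXOTH and not mode & stat.S_IROTH:
                findings.append((rel, "dir: names hidden, guessable paths still open"))
        elif mode & stat.S_IWOTH:
            findings.append((rel, "others can write"))
        elif mode & stat.S_IROTH:
            findings.append((rel, "others can read"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout; db.php and private.php are made-up names."""
    root = tempfile.mkdtemp()
    layout = {"parts/db.php": 0o644, "parts/cache.txt": 0o666,
              "private.php": 0o600}
    os.mkdir(os.path.join(root, "parts"))
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # set explicitly so the umask does not interfere
    os.chmod(os.path.join(root, "parts"), 0o711)  # execute without read
    return root


if __name__ == "__main__":
    for rel, finding in audit_other_bits(build_sample_tree()):
        print(f"{rel}: {finding}")
```
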
