Posted by Dikkie Dik on 04/29/06 14:04
> Many PHP packages and cgi scripts ask you to store database settings
> and passwords in web space.
I did not encounter them. And if you DO encounter them, you can always
let those pages call a script outside the web root. And of course you
should. The web root is PUBLIC space. So, anything you put in there is
publicly available. Things that should not be publicly available should
be kept out of there. Period.
>
> Of course, it's secure, so long as configuration files are given
> a [.php|.cgi] extension, right?
>
> Wrong.
Wrong indeed. Alas there are ways for a hacker to get to the source
sometimes.
> I think most of us have seen misconfigured web servers that send the
> contents of PHP files rather than running them through an interpreter
> at some point. A .php extension does not give a configuration file
> security. I've seen this happen many times as I'm sure anyone here has.
>
> Time was, all the CGI programming FAQs would warn you about this, they would
> tell you, always make sure passwords and critical pieces of information are
> kept safely outside web space. This "old timer" advice still applies.
>
> The general rule was, if you don't want it sent to the browser, don't put it on
> the web server. (meaning, in "web space")
>
> Don't protect something with an .htaccess file.
>
> Don't protect something with a .php|.cgi or .whatever
>
> Just don't put critical bits of data on the web server. (unless you
> have no choice)
>
> But.. not any more, we've forgotten this ancient advice.
>
> We now routinely ask people to edit some sort of .php file for database
> settings and save it in the same directory as the script running it. It's
> common practice, heck I've done it a few times.... From what I gather,
> PHP's so called "safe mode" (isn't that a kick in the teeth) demands
> you do this.
>
> It's convenient, it's what users have come to expect.
>
> But... it is not secure.
>
> We have home directories for this sort of thing and I just wish we'd get back
> to the old practice of using them for their intended purpose before ISPs start
> making a person's home directory the same as the web directory.
>
> There. rant over. Sorry.. had to say it, I don't expect anyone to actually
> listen to it or anything, people seldom do.
>
> You may go back to storing all your critical database settings in web space
> now. :-)
My web root still has some settings.php. I had to, as my development
environment and my provider's environment differ too much. Of course,
all it does is correct the right settings that it digs up from a deeper,
"require"d file outside the web space (both live and on development).
Thanks for the warning. Take a glass of water, cool down from your rant
and have a nice weekend.
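The layout the reply describes, a settings.php in the web root that only adjusts per-environment values pulled from a required file outside web space, as an added example (not code from the post or from any package it mentions). The paths, the `db.php` return shape and the `localhost` check are assumptions; the loader also refuses to continue if the secrets file turns out to sit under the document root.

```php
<?php
// Added example: settings.php may live in the web root, but holds no secrets.
// Credentials come from a file required from OUTSIDE the document root.
// Assumed (hypothetical) layout:
//   /home/site/config/db.php             <- credentials, outside web space
//   /home/site/public_html/              <- DOCUMENT_ROOT
//   /home/site/public_html/settings.php  <- this file

function loadDbSettings(string $secretsPath): array
{
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
    $real    = realpath($secretsPath);

    if ($real === false) {
        throw new RuntimeException('Secrets file not found: ' . $secretsPath);
    }
    // Fail closed: a secrets file inside web space can be served as plain text
    // by a misconfigured server, so refuse it instead of silently carrying on.
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Refusing to load secrets from inside the web root');
    }

    // Assumed: db.php ends with
    //   return ['host' => '...', 'user' => '...', 'pass' => '...', 'name' => '...'];
    $settings = require $real;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($settings[$key])) {
            throw new RuntimeException("Missing setting '$key' in secrets file");
        }
    }
    return $settings;
}

// Per-environment corrections only: nothing secret lives in this file,
// just the values that differ between the development box and the provider.
$db = loadDbSettings(__DIR__ . '/../config/db.php');
if (($_SERVER['SERVER_NAME'] ?? '') === 'localhost') {
    $db['host'] = '127.0.0.1';   // development database
    $db['name'] = 'site_dev';
}
return $db;
```

A page script then does `$db = require __DIR__ . '/settings.php';` and never touches db.php directly. If the server ever serves settings.php as text, all a reader learns is a path and a dev hostname.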