How some people can actually see the PHP source of a page!

Posted: Fri Jan 31, 2003 2:42 pm
by Nik
Someone saw my PHP source for http://www.nikolas.tk and I don't know how he did it! Sounds crazy! Is there a tool for that?

Posted: Fri Jan 31, 2003 2:47 pm
by evilcoder
Yes, it is very possible. Source viewers are readily available and seriously compromise security if you have files which display passwords, etc.

Posted: Fri Jan 31, 2003 2:55 pm
by Stoker
The most common mistake is not protecting web access to files you include and such, and if the filename is not .php it will be shown as plain text...

Another way is that other users on the same shared host can peek into any of your files that are world readable..

Exploits/vulnerabilities in (poorly secured) scripts on the server may let someone peek into your files; it doesn't have to be scripts on your account/webspace, any on the same server..

Are there any other ways to hack Apache into not processing a file as PHP? If so, I would guess that should be considered a flaw in PHP or Apache?

Posted: Fri Jan 31, 2003 3:09 pm
by Nik
I see! EvilCoder, I have my MySQL password inside my PHP script in order to connect to my MySQL database!

Can you please tell me the best PHP source viewer tool?

Posted: Fri Jan 31, 2003 3:28 pm
by evilcoder
I don't actually know of any myself, but a guy on my MSN viewed my PHP source once and laughed at my copyright notice. I'll ask him what he uses.

I would say the best way to prevent password theft is to create a new .php file called:

db.inc.php

and inside it have $user = "username", $pass = "pass", then save that in a non-HTTP-accessible dir, for example, below the /www folder. Then include it in your pages with include( "/full/path/db.inc.php" ) and inside your MySQL connection just use the variables.

That way if someone looks at your source, they will see the include and the variables $pass and $user, but no actual info.
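
The layout evilcoder describes, as an added example (not code from the thread): the credentials file lives outside the web root and is pulled in by absolute path, and the loader refuses to use it if it turns out to sit under DOCUMENT_ROOT, where a .inc file could be served as plain text. The paths, the mysqli connection and the variable names beyond $user and $pass are assumptions.

```php
<?php
// Added example, not the forum's code. Two files are assumed:
//   /home/site/private/db.inc.php  -- credentials, outside the web root
//   /home/site/www/page.php        -- a public page that needs the database
// Assumed contents of /home/site/private/db.inc.php:
//   <?php
//   $user = "username";
//   $pass = "pass";
//   $host = "localhost";
//   $dbname = "mydb";

define('DB_CREDENTIALS', '/home/site/private/db.inc.php'); // assumed path

// True if $path resolves to somewhere under the document root, i.e. a URL could fetch it
function is_web_accessible(string $path, string $docroot): bool {
    $real = realpath($path);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        return false;
    }
    return strpos($real, rtrim($root, '/') . '/') === 0;
}

function db_connect(): mysqli {
    // Refuse to load secrets that the web server could hand out as plain text
    $docroot = $_SERVER['DOCUMENT_ROOT'] ?? null;
    if ($docroot !== null && is_web_accessible(DB_CREDENTIALS, $docroot)) {
        throw new RuntimeException('Credentials file is inside the document root');
    }
    require DB_CREDENTIALS;  // defines $user, $pass, $host, $dbname in this function's scope only
    $db = new mysqli($host, $user, $pass, $dbname);
    if ($db->connect_error) {
        throw new RuntimeException('Cannot connect to the database');
    }
    return $db;  // the page gets a connection, never the credentials themselves
}
```

Because the require happens inside db_connect(), $user and $pass are local to that function and never appear in the calling page's variables.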

Posted: Fri Jan 31, 2003 3:37 pm
by McGruff
Storing passwords in encrypted format will help; then use variable-name cookies to help prevent spoofing.

Posted: Fri Jan 31, 2003 3:55 pm
by puckeye
McGruff wrote: storing passwords in encrypted format will help: then use variable name cookies to help prevent spoofing
I'd be very interested in this; could you show me some sample encryption code? I'm especially interested in encrypting my database access variables...

Thanks

Posted: Fri Jan 31, 2003 4:15 pm
by McGruff
Check out the php manual for how the encryption functions work (php.net).

Here are a couple of functions which process data from a login form and set a (time-limited) cookie. There is a table called auth where names and passwords are stored. When a password is created, the password itself is used as the salt for crypt(). Even the database admin can't read the un-encrypted passwords.

Other functions (not listed here) would look for the cookie to decide if authorisation for such-and-such will be granted.

You could create randomly variable name cookies, store the cookie name in the auth table and delete it at logout: this makes it impossible to spoof cookies (I think) since the hacker never knows what the name will be - even if he CAN read your source code.

You could also improve things by checking against the current IP in a similar way (i.e. storing the current IP in the table) but still allow login from multiple machines by overwriting each time. I guess that would block a hacker who had sniffed a current, valid cookie. Even if he did, and there was no IP check to block the same cookie submitted from different machines, his spoofed cookie won't work after admin has logged out and destroyed the cookie (it's deleted from the auth table at logout and so no longer listed as a valid cookie).

[EDIT: I've just realised that if a hacker sniffs a cookie with a randomly variable name, he can get the encrypted pass then try to crack it offline. Although he can't (I think) spoof a randomly named cookie, with the real pass he can log on anytime to get a valid one. Randomly variable names might not be the answer. Oooh my head hurts.]

This is the first login script I've written, so use it as a starting point, not an authoritative guide. I haven't looked at sessions yet, for example.

<?php
// Login: compares the submitted password against the crypt() hash stored in the
// auth table and, on success, sets a 2-hour cookie holding that hash.
function login() {
    unset($name, $user_pass);
    $name = $_POST['name'];
    $user_pass = $_POST['user_pass'];

    // Escape the user-supplied name before placing it in the query
    $mysql = "SELECT * FROM auth WHERE name='" . mysql_real_escape_string($name) . "'";
    $query = mysql_query($mysql) or die("Cannot query the database.<br>" . mysql_error());
    $result = mysql_fetch_array($query);
    $pass = $result['pass'];

    // The stored hash doubles as the salt, so crypt() of the right password reproduces it
    if (($user_pass = crypt($user_pass, $pass)) == $pass) { # don't forget to create passwords by salting with the pass
        $value = "$user_pass";
        /* NB: the following line blocks the cookie because it starts page output!! Duh!! */
        #echo "value is $value<p>";
        setcookie("ooRU", $value, time()+7200); # cookie expires in 2 hrs
        #echo '<A HREF="../../nav.php?page=admin_main">Cookie set now click.</A>';
        header("Location: http://" . $_SERVER['HTTP_HOST'] . "/mcos_project/html/nav.php?page=admin");
    } else {
        echo 'Password not recognised<p>';
        echo '<A HREF="nav.php?page=admin_login">Try again.</A> | <A HREF="index.php">Home</A>';
    }
}

// Logout: expire the cookie by re-sending it with an empty value and a time in the past
function logout() {
    setcookie("ooRU", "", time()-7200);
    echo "You have now logged out.<p>";
    echo '<A HREF="index.php">Home</A> | <A HREF="admin.php">/admin.php link - Can I open admin main logged out?</A>';
}
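
The same login/logout flow as an added example (not McGruff's code), written against current PHP. Instead of McGruff's randomly named cookie, the cookie carries a random session token, and the auth_session table stores only a hash of it; that addresses the offline-cracking worry in the edit above, because neither a sniffed cookie nor a copy of the table contains the password hash. The auth(name, pass_hash) and auth_session(token_hash, name, expires) schema and the PDO handle are assumptions.

```php
<?php
// Added example (not McGruff's code): the same login/logout flow, but the cookie
// carries a random session token rather than the password hash.
// Assumed schema: auth(name, pass_hash) and auth_session(token_hash, name, expires).
function login(PDO $db): bool {
    $name = $_POST['name'] ?? '';
    $user_pass = $_POST['user_pass'] ?? '';

    // Prepared statement: the name is bound, never interpolated into the SQL
    $stmt = $db->prepare('SELECT pass_hash FROM auth WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() handles the salt itself; verifying against a throwaway hash
    // when the user does not exist keeps the response time similar in both cases
    $stored = ($row !== false) ? $row['pass_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($user_pass, $stored) || $row === false) {
        echo 'Password not recognised<p>';
        return false;
    }

    // The cookie gets 32 random bytes; the table stores only their hash, so
    // neither the source nor a copy of the table yields a usable cookie value
    $token = bin2hex(random_bytes(32));
    $ins = $db->prepare('INSERT INTO auth_session (token_hash, name, expires) VALUES (?, ?, ?)');
    $ins->execute([hash('sha256', $token), $name, time() + 7200]);
    setcookie('ooRU', $token, [
        'expires' => time() + 7200, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    return true;
}

// Logout deletes the server-side record, so a sniffed cookie stops working
function logout(PDO $db): void {
    $token = $_COOKIE['ooRU'] ?? '';
    $del = $db->prepare('DELETE FROM auth_session WHERE token_hash = ?');
    $del->execute([hash('sha256', $token)]);
    setcookie('ooRU', '', ['expires' => time() - 7200, 'path' => '/']);
}

// Other pages call this instead of trusting the cookie contents directly
function current_user(PDO $db): ?string {
    $token = $_COOKIE['ooRU'] ?? '';
    $stmt = $db->prepare('SELECT name FROM auth_session WHERE token_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}
```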

Posted: Fri Jan 31, 2003 4:23 pm
by evilcoder
That's very interesting, Gruff; I'll definitely be looking into that! Thanks for the enlightenment.

Posted: Fri Jan 31, 2003 4:36 pm
by McGruff
Oops, ranting on about login when you want some ideas about database access variables.. I don't know any way to connect except by putting the un-encrypted strings in the PHP script.

I THINK you would create an anonymous database user OTHER than the root user, and use those settings in your scripts. That way ordinary users don't get root access.

Oh, and you probably don't want to use your database root user password for admin access to the PHP site. Anyone who sniffed an admin cookie, for example, even if the pass in the cookie is encrypted, could possibly crack it at leisure offline and so get root access to your database. Mind you, with full admin privileges for your PHP site, there might not be much difference in the damage they could do.

Anyone?

Posted: Fri Jan 31, 2003 4:47 pm
by evilcoder
I personally have a class which handles connections to all my databases, and I keep that file out of HTTP access, then just call the functions in whatever page needs database connections.

I find that a nice way to do it, but others may disagree, as some do.

Posted: Sat Feb 01, 2003 5:38 am
by Nik
evilcoder wrote: i dont actually know of any myself, but a guy on my MSN viewed my PHP source once and laughed at my copyright notice, i'll ask him what he uses.

Please don't forget to tell us when you find out, man! ;)

Thanks!

Posted: Sat Feb 01, 2003 5:45 am
by Harley
Isn't there a program that encrypts PHP files? I have seen one for HTML and I thought PHP also.... no? I will look for it again.

Posted: Sat Feb 01, 2003 5:54 am
by lazy_yogi
I'd be interested in that?

Where can you find one for HTML though? .. I'd like that too.

Posted: Sat Feb 01, 2003 11:18 am
by Stoker
Any reversible encryption used in world-readable files doesn't really secure anything; it just slows down the process and possibly stops some script kiddies from finding the login information..

I don't know much about it, but Zend has a commercial product to encode PHP code; I assume this would help quite a bit..

Myself, I think for most things it is sufficient to run scripts under suEXEC as your own user and make all files with sensitive info private (and of course never in the web-accessible area).. Things like CC numbers and other sensitive info like SSNs should not be stored with server-reversible encryption; instead use GnuPG (or PGP or S/MIME etc.)...