Need Security Advice Fast

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


charp
Forum Commoner
Posts: 85
Joined: Sun Oct 26, 2003 3:00 pm
Location: Rancho Cucamonga, Calif. USA

Post by charp »

I know that I'm doing this backwards by posting first and searching later, but I need help on this issue fast. Please accept my apologies.

Here's my situation. I just learned that a student at my high school has hacked my passwords for the school's web site (I'm a staff member and the webmaster) and I need to plug these security holes ASAP. The word is that my .htaccess passwords were hacked with a tool called "John XXX XXXXXX" [I won't print the actual name of the program just to be safe] and that he may have hacked his way into some passwords in my PHP files.

I know this is a PHP forum, but if anyone could point me to a good resource for securing my htaccess files, I'd really appreciate it. As for the security of my PHP files, I'll describe how I have things set up and hopefully some of you experts can comment and help me increase security. Thanks in advance.

All of the passwords I use in PHP are located in a configuration file stored outside the public_html directory of our web site, which is on a shared hosting account. Pages inside the public_html directory call for this file by use of an include statement. The configuration file contains the database and table names, login name, and password.

Okay, just how vulnerable am I? And how do I improve the security?
Sphen001
Forum Contributor
Posts: 107
Joined: Thu Mar 10, 2005 12:24 pm
Location: Land of the Beaver

Post by Sphen001 »

Hi,

Well, the good news is that your setup is pretty secure already. The first thing you do after a hack is change every password you have. Make them something completely different. The usual advice is a mixture of letters and numbers, upper and lower case, and don't repeat passwords. Second, unless the student got access to the actual machine the PHP files are on, it's unlikely they got those passwords. Third, in the Apache conf file, there is a setting that prevents .htaccess and .htpasswd files from being viewed. I don't know what it is called or what the value is, but you should check your conf file against a new one to make sure they match. This should help your security. Also, go through the web directory and make sure you can identify every file.

I hope this helps :D

Sphen001
hanji
Forum Commoner
Posts: 46
Joined: Fri Apr 29, 2005 3:23 pm

Post by hanji »

Hello

How did the attack happen? Did he get the contents from .htpasswd via the browser, or did he have FTP, etc. to access them? Does the attacker have access to any directories? Does the attacker have access to write PHP scripts on the server? I think starting with his entry/access options is the first step to securing the box. Is the box Windows or Linux?

Thanks
hanji
charp
Forum Commoner
Posts: 85
Joined: Sun Oct 26, 2003 3:00 pm
Location: Rancho Cucamonga, Calif. USA

Post by charp »

hanji,

After some research elsewhere, I believe I know how this happened. First off, the site is hosted on a shared server (private hosting, not school related) and all the students have been assigned an FTP account to their own subdirectories. As I now understand, it is possible to use PHP to read the contents of files -- including .htaccess files and other php files -- even though the FTP account doesn't allow access outside the specific subdirectory. The problem is that the posted files have rights to read all other files on the site, including files outside the public_html directory.

With the FTP access, the student could have viewed the encrypted .htaccess password and cracked it offline. Apparently, my use of a common dictionary word made the cracking relatively easy. Since then, I have made use of *strong* passwords.

There doesn't seem to be much that I can do about this situation that doesn't involve a drastic change in the way I teach my course. In the future, I will move all my critical files to another site and restrict the class site to simply hosting student projects. For now, that's a workable solution.
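The three checks below are an added example, not code from any post in this thread. They cover the two concrete points raised above: Sphen001's advice to verify the Apache setting that blocks HTTP access to .ht* files and to inspect your files, and charp's finding that on a shared host another account's PHP can read any world-readable file, .htpasswd included, whatever the FTP chroot says. The account layout (public_html/ with config.php and .htpasswd above it), the assumption that every account's PHP runs as one shared web-server user (plain mod_php), and every hash, config fragment and file in the script are constructed for illustration; the hashes have the right shape for each htpasswd format but are placeholders, not real credentials.

```python
"""Audit helpers for the shared-host situation in this thread (added example,
not from the original posts).  Assumed layout, for illustration only: an account
whose home holds public_html/ plus config.php and .htpasswd above it, on a host
where every account's PHP runs as the same web-server user."""
import os
import re
import stat
import tempfile

# Hash formats htpasswd(1) writes: (regex, name, fast_to_crack).  Traditional DES
# crypt (13 chars, no '$' prefix) is the old default and the weakest: it keeps only
# 8 characters and offline guessing runs at millions of tries per second.  apr1-md5
# and unsalted SHA1 are also fast to attack; only bcrypt (htpasswd -B) is slow.
HASH_FORMATS = [
    (re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "bcrypt", False),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5", True),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1", True),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des-crypt", True),
]

# Constructed .htpasswd: right shape for each format, placeholder values only.
SAMPLE_HTPASSWD = """\
webmaster:abJnggxhB/yWI
alice:$apr1$x7Fy2k1Q$Lq0XxJ7ZUhmvDMH2UmbPi1
bob:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
carol:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
"""


def classify_htpasswd(text):
    """(user, format, fast_to_crack) per entry.  A fast-to-crack entry guarding a
    dictionary word is what John the Ripper took apart in the thread."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        fmt, fast = "unknown", True
        for pattern, name, is_fast in HASH_FORMATS:
            if pattern.match(hash_field):
                fmt, fast = name, is_fast
                break
        results.append((user, fmt, fast))
    return results


FILES_BLOCK = re.compile(r"<Files(Match)?\s+([^>]*)>(.*?)</Files(?:Match)?\s*>",
                         re.IGNORECASE | re.DOTALL)
DENY_ALL = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def config_protects_dotfiles(conf_text):
    """True if a <Files>/<FilesMatch> block covers names starting with .ht and
    denies all HTTP access ('Require all denied' on 2.4, 'Deny from all' on 2.2):
    the stock httpd.conf setting Sphen001 mentions.  Caveat: it only stops a
    browser fetching .htpasswd; another account's PHP can still read it from disk."""
    for m in FILES_BLOCK.finditer(conf_text):
        arg = m.group(2).replace("\\", "").strip("\"'~ ")
        if arg.startswith((".ht", "^.ht")) and DENY_ALL.search(m.group(3)):
            return True
    return False


# Constructed config fragments: the stock Apache 2.4 and 2.2 protections.
CONF_24 = '<Files ".ht*">\n    Require all denied\n</Files>\n'
CONF_22 = '<Files ~ "^\\.ht">\n    Order allow,deny\n    Deny from all\n</Files>\n'


def world_readable(root):
    """Relative paths under root that any local user can read: under mod_php this is
    what another student's script can file_get_contents(), FTP restrictions or not."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_demo_home():
    """Throwaway account layout (constructed).  config.php is locked to 0600 as the
    fix; that only works when PHP runs as the account owner (suPHP, suexec/FastCGI,
    a php-fpm pool), since plain mod_php's shared user could no longer include it."""
    home = tempfile.mkdtemp(prefix="charp_home_")
    os.mkdir(os.path.join(home, "public_html"))
    layout = {"public_html/index.php": 0o644,  # public anyway
              "config.php": 0o600,             # fixed: owner-only
              ".htpasswd": 0o644}              # still readable by every local user
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(path, mode)
    return home


def demo():
    """All three checks on the constructed data."""
    return {"htpasswd": classify_htpasswd(SAMPLE_HTPASSWD),
            "http_blocked": config_protects_dotfiles(CONF_24),
            "readable_by_other_accounts": world_readable(build_demo_home())}
```

Point `classify_htpasswd` at your real .htpasswd and `world_readable` at your real home directory; anything outside public_html that shows up in the second list is exactly what the student's script could read, and the `<Files>` block does nothing about that path. What closes the hole is on the host's side: running each account's PHP as its own user so 0600 files work, or setting `open_basedir` per account so one student's PHP cannot open another account's directory. Rotating the cracked passwords to long random ones and re-creating the .htpasswd entries with `htpasswd -B` (bcrypt) deals with the offline-cracking part regardless of which format the file uses today.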