lol

Ambush Commander wrote: ::Puts on Tin Foil Hat::
too late, they've already got you...and me
It depends on what you mean by a cracker "having access to your server". If you mean he can read some files, but not all, then you'll need to specify which.

Pyrite wrote: I did read it, and it seems it is focused on remote exploits. I am concerned about a cracker having access to my server, through whatever means, and viewing my config.php to find the db credentials and viewing my database. It has nothing to do with remote exploits.
Yes, Windows does, sort of. (Long story to that - it involves the /etc/hosts file, and the Windows update mechanism.)

Pyrite wrote: The fact of the matter is, my db credentials are sitting there on my server in a plain text file. That is not good! Even Windows doesn't do that.
Code:
<?php
// ADOdb must be loaded before NewADOConnection() is available;
// adjust the path to wherever the library is installed
require_once 'adodb.inc.php';

// The Database Parameters
$dbhost = "192.168.23.56";
$dbuser = "lox1";
$dbpass = "a$42ksL2Mj;#2Hi";
$dbname = "loxley";
$dbtype = "mysql";

// Don't edit past here (ADOdb)
$db = NewADOConnection($dbtype);
$db->debug = false;
$db->Connect($dbhost, $dbuser, $dbpass, $dbname);

But that is pretty much the same, anyone with access to that user can print $_ENV ... or am I missing something? (In other words, it can be just as easily done without root, just that now you have to make a script in 1 sec.)

timvw wrote: So, not even you or the www daemon need access to the file. All you have to take care of is avoiding print_r'ing $_ENV
timvw wrote:The point of the solution offered in the article is the following: If you want to know the db credentials you have to be root... And trust me, someone who can gain root... Doesn't even need your db credentials :p
So, not even you or the www daemon need access to the file. All you have to take care of is avoiding print_r'ing $_ENV
That makes several assumptions, to wit:

timvw wrote: With config.php the www-daemon needs access to the file. With the file, when apache is started (at this moment apache is run by root, and thus has access to _all_ files) and afterwards www-daemon doesn't need (and shouldn't have) access to the file...
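To make the environment-variable approach that timvw describes concrete, here is an added example (it is not code from the thread or from any of the posters). It assumes the root-started web server exported the credentials as DB_HOST, DB_USER, DB_PASS and DB_NAME (names chosen for this example) before dropping to the www user. The loader reads them once and then scrubs them from every place PHP exposes the environment, which is the "avoid print_r'ing $_ENV" concern above, and it reconnects with ADOdb the same way the config.php shown earlier does.

```php
<?php
// Added example, not part of the thread. Reads DB credentials from the
// process environment (set by the root-started parent before it dropped
// privileges) and removes them from $_ENV, $_SERVER and the process
// environment so that a later print_r($_ENV), print_r($_SERVER) or
// var_dump(getenv()) in any script does not dump them.
// The variable names DB_HOST, DB_USER, DB_PASS, DB_NAME are assumptions.

function loadDbCredentialsFromEnv(): array
{
    $keys  = ['DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'];
    $creds = [];
    foreach ($keys as $key) {
        // getenv() works even when variables_order omits "E" and $_ENV is empty
        $value = getenv($key);
        if ($value === false || $value === '') {
            throw new RuntimeException("missing environment variable $key");
        }
        $creds[$key] = $value;

        // Scrub: putenv("KEY") with no "=" deletes KEY from the process
        // environment; the superglobals are separate copies, so unset those too.
        putenv($key);
        unset($_ENV[$key], $_SERVER[$key]);
    }
    return $creds;
}

$creds = loadDbCredentialsFromEnv();

// Same ADOdb usage as the thread's config.php; path to the library is
// installation dependent.
require_once 'adodb.inc.php';
$db = NewADOConnection('mysql');
$db->debug = false;
$db->Connect($creds['DB_HOST'], $creds['DB_USER'], $creds['DB_PASS'], $creds['DB_NAME']);

// Drop the plain copy once the connection holds what it needs.
unset($creds);
```

The scrub only closes the accidental-dump hole. As the reply above points out, any script that runs as the www user can still call getenv() before this loader does, or read the password out of $db afterwards, so moving credentials out of config.php protects them from other local users who can read the file, not from code running under the web server's own account.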