Page 1 of 2
database user/pass protection
Posted: Fri Jun 03, 2005 1:50 pm
by Pyrite
So a thought just occured to me, if someone hacked into my webserver, and looked at my config.php file and got the user/pass for my MySQL server, they could basically have my database no matter where it resided (locally or on another server). Is there any way for me to protect the config where the user/pass is stored from physical intrusion?
Posted: Fri Jun 03, 2005 2:26 pm
by Burrito
no, user accounts on mysql are associated with the host:
ex: burrito@localhost or burrito@66.217.54.69
they could however get to it while they were on your machine and create such an account
best practice: keep people from hacking into your web server

Posted: Fri Jun 03, 2005 2:36 pm
by Ambush Commander
If your config file is safe, databases can limit access to localhost.
Posted: Fri Jun 03, 2005 4:16 pm
by timvw
Posted: Fri Jun 03, 2005 9:40 pm
by Roja
Burrito wrote:no, user accounts on mysql are associated with the host
Not always. It depends on the setting and configuration of mysql. You *can* set an account to all hosts. (burrito@all)
Also, on some hosts, you cant connect remotely, while on others, you can.
Posted: Fri Jun 03, 2005 10:02 pm
by Burrito
Roja wrote:Not always. It depends on the setting and configuration of mysql. You *can* set an account to all hosts. (burrito@all)
is that NOT associated with a host? In that case "all"? My point was the likelyhood of someone who has their username and password running queries against the database remotely is not very high as a username has to be tied to a host. Sure if they were on the machine locally they could create an account "Roja@all" but then they could also create an account "Roja@66.217.49.67" etc.
I don't think anyone (at least anyone with any sense) would puposely create an account "Roja@all"...if they would, they have bigger fish to fry than the topic of this thread.
I did read the article Tim suggested and it looks like a viable option (create env vars for the un and pass and call them from the $_SERVER[] array...wonder if there's an IIS alternative?
Posted: Fri Jun 03, 2005 11:12 pm
by Roja
Burrito wrote:
is that NOT associated with a host?
Nope. its associated with *all* hosts. Definite difference.
Burrito wrote:
In that case "all"? My point was the likelyhood of someone who has their username and password running queries against the database remotely is not very high as a username has to be tied to a host.
And my point was that it is high - because a username doesnt have to be tied to a host - it can be open to any host.
Burrito wrote:
I don't think anyone (at least anyone with any sense) would puposely create an account "Roja@all"...if they would, they have bigger fish to fry than the topic of this thread.
Last I checked, creating a new db user in BOTH webmin AND cpanel does exactly that. Considering that that covers at least 70% of the hosts out there - I'd call that common, and very relevant.
Not just arguing for the sake of argument.. its a very common configuration, and it makes for a serious security issue.
It was a serious problem on Sourceforge three years ago, for example: Anyone with shell hosting was able to see our db config, so we ended up having to request special security for our project (Blacknova Traders). (Things on SF have changed since then).
Its NOT uncommon.
Posted: Fri Jun 03, 2005 11:53 pm
by Burrito
learn something new everyday...
Posted: Sat Jun 04, 2005 9:39 am
by Pyrite
Ambush Commander wrote:If your config file is safe, databases can limit access to localhost.
May be I didn't explain well, I am wanting to know how to keep the config file safe (nothing to do with MySQL). Is it possible that I could have the password hashed somehow?
Posted: Sat Jun 04, 2005 10:51 am
by m3mn0n
/offtopic
Yeah, I remember back when I had a project up on SF.net. Sooo unsecure. You could stroll into anyones folder and view their config and mess with the script.
/back_on_topic
If they had access to the config file, that means they most likely could see any other file and scan for security holes. Once one is found, they could do something like execute scripts remotely, or forcefully upload scripts and that could give them control of the db.
So because of that reason, among others, it's very important to code securely even if the project/site isn't open source.
Posted: Sat Jun 04, 2005 11:03 am
by Pyrite
I am worried though that if my web server is hacked, and my config.php can be viewed, then my sensitive database would be compromised. How can I protect my config.php ?

Posted: Sat Jun 04, 2005 11:09 am
by John Cartwright
You can store your config file outside the web root, making it invisible to "crackers"
Posted: Sat Jun 04, 2005 11:56 am
by timvw
meaby consider reading the article i mentionned again..

Posted: Sat Jun 04, 2005 12:12 pm
by Pyrite
I did read it, and it seems it is focused on remote exploits. I am concerned about a cracker having access to my server, through whatever means and viewing my config.php to find the db credentials and viewing my database. Has nothing to do with remote exploits.
The fact of the matter is, my db credentials are sitting there on my server in a plain text file. That is not good! Even Windows doesn't do that.

Posted: Sat Jun 04, 2005 3:38 pm
by Ambush Commander
::Puts on Tin Foil Hat::