logins stored in a .txt file above the document root

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

The administrator login page is at doc_root/admin.php

The administrator usernames and passwords are stored in a .txt file above the document root, in doc_root/../sensitive_data/administrators.txt

The logins are stored in this format:

Code:

username:saltedmd5

If I use a challenge/response to encrypt the login data and prevent it from being sniffed, is this pretty secure?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
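Reading that file and checking a submitted login, as an added example that is not code from the thread. It assumes admin.php sits in the document root, that the file is doc_root/../sensitive_data/administrators.txt, that the fixed salt is the 'random-salt-string' quoted later in the thread, and it uses constructed file contents so it runs without the real file:

```php
<?php
// Added example (not code from the thread): load the username:saltedmd5
// file from one level above the document root and verify an admin login.
// Assumptions: this script lives in the document root (doc_root/admin.php),
// the file is doc_root/../sensitive_data/administrators.txt, and ADMIN_SALT
// is the fixed string the hashes were generated with. The data below is
// constructed so the example runs without the real file.

declare(strict_types=1);

const ADMIN_SALT = 'random-salt-string';   // assumed; must match the hashing code

// Resolve the file relative to this script, never from the CWD or from user
// input, and refuse it if other local users can read it: "above the document
// root" keeps the web server from serving it but says nothing about permissions.
function adminFilePath(): string
{
    $path = realpath(dirname(__DIR__) . '/sensitive_data/administrators.txt');
    if ($path === false) {
        throw new RuntimeException('administrators file not found');
    }
    if ((fileperms($path) & 0004) !== 0) {
        throw new RuntimeException('administrators file is world-readable');
    }
    return $path;
}

// Parse "username:saltedmd5" lines into [username => hash].
// Blank lines and "#" comments are skipped; a malformed line is ignored
// rather than turned into an account with an empty hash.
function loadAdmins(string $contents): array
{
    $admins = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        [$user, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($user === '' || !preg_match('/^[0-9a-f]{32}$/', $hash)) {
            continue;
        }
        $admins[$user] = $hash;
    }
    return $admins;
}

// Hash exactly as the stored values were produced: md5(password . salt).
function legacyHash(string $password): string
{
    return md5($password . ADMIN_SALT);
}

// Compare with hash_equals() and always do the comparison, so an unknown
// username costs the same time as a wrong password.
function verifyAdmin(array $admins, string $user, string $password): bool
{
    $stored = $admins[$user] ?? str_repeat('0', 32);
    $match  = hash_equals($stored, legacyHash($password));
    return $match && isset($admins[$user]);
}

// Constructed stand-in for administrators.txt.
// In admin.php this would be: loadAdmins(file_get_contents(adminFilePath()))
$sample = "# username:saltedmd5\n"
        . 'alice:' . md5('correct horse' . ADMIN_SALT) . "\n"
        . 'bob:'   . md5('hunter2' . ADMIN_SALT)       . "\n"
        . "broken line without a hash\n";
$admins = loadAdmins($sample);

var_dump(count($admins));
var_dump(verifyAdmin($admins, 'alice', 'correct horse'));
var_dump(verifyAdmin($admins, 'alice', 'hunter2'));
var_dump(verifyAdmin($admins, 'carol', 'anything'));
```

The malformed fourth line is dropped, so two accounts load; the first verification succeeds and the other two fail. hash_equals() needs PHP 5.6 or later. One caveat on the challenge/response idea: if the client proves knowledge of the stored md5 (for example by sending md5(nonce . storedhash)), the stored hash itself becomes password-equivalent, and anyone who can read the file can log in without cracking anything; that is exactly why the file's readability matters more than its location.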
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

In theory, it sounds fine.

I would be more worried about your storage scheme for users and passwords.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

feyd wrote: In theory, it sounds fine.

I would be more worried about your storage scheme for users and passwords.

How come?

The site in question does not have a database of users. Instead it just relies on a few administrators to perform tasks every so often, or check content.

There are 3 administrators, so I figure a user:pass txt file would be easiest to implement.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Easy to implement, sure, and as long as you are reliably sure that no one can get to that file (outside the document root isn't good enough alone), you are okay overall. However, I would suggest hashing the entire piece of information regarding their user and password combination.
WaldoMonster
Forum Contributor
Posts: 225
Joined: Mon Apr 19, 2004 6:19 pm

Post by WaldoMonster »

Or maybe it is an idea to place the file inside the document root with a .php extension, like administrators.txt.php.
Nobody can see what is inside the script from a web browser.

Code:

<?php /*
username:saltedmd5
*/ ?>
Or maybe even use an array:

Code:

<?php
$pass = array();
$pass['username'] = 'saltedmd5';
?>
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Attack-wise from the web, you should be in the clear. If it's a multi-user system, though, it may be exposed to the outside (permissions tomfoolery and such). But the risk is very slight, and there's not much they can do with salted md5s.

P.S. Where's the salt coming from?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

The salt is just a string I supplied in the coding.

Code:

$password = md5($_POST['password'].'random-salt-string');
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

With a fixed salt, there is the danger of detecting when several users have the same password. Then, there's good money that it is in a short dictionary (100-500 most common passwords) which can easily be tried with an online attack.
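Mordred's point, together with feyd's earlier suggestion to hash the user and password combination, as an added example that is not code from the thread. The three accounts and their passwords are constructed; the fixed salt is the one s.dot posted; password_hash() and password_verify() are PHP's standard per-user-salt API (PHP 5.5+), and the arrow function needs PHP 7.4:

```php
<?php
// Added example (not code from the thread): what a single fixed salt gives
// away, and the per-user-salt alternative. 'random-salt-string' is the salt
// quoted earlier in the thread; the three accounts below are constructed.

declare(strict_types=1);

const FIXED_SALT = 'random-salt-string';

// The thread's scheme: the same salt for every account.
function fixedSaltHash(string $password): string
{
    return md5($password . FIXED_SALT);
}

// feyd's suggestion, hashing the user/password combination: the username
// now acts as a per-user salt, so equal passwords no longer collide. md5 is
// still fast enough to dictionary-attack each entry, so this is a half-step.
function userBoundHash(string $user, string $password): string
{
    return md5($user . ':' . $password . FIXED_SALT);
}

// Per-user random salt: password_hash() draws a fresh salt for every call and
// stores it inside the returned string, and bcrypt is deliberately slow.
function perUserHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function perUserVerify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Group accounts whose stored strings are identical. Anyone who can read the
// file learns these groups without cracking a single hash.
function sharedPasswordGroups(array $userToHash): array
{
    $byHash = [];
    foreach ($userToHash as $user => $hash) {
        $byHash[$hash][] = $user;
    }
    return array_values(array_filter($byHash, fn(array $users) => count($users) > 1));
}

// Constructed admin list: two of the three chose the same password.
$passwords = ['alice' => 'letmein', 'bob' => 'letmein', 'carol' => 'Tr0ub4dor&3'];

$fixed   = [];
$bound   = [];
$perUser = [];
foreach ($passwords as $user => $pw) {
    $fixed[$user]   = fixedSaltHash($pw);
    $bound[$user]   = userBoundHash($user, $pw);
    $perUser[$user] = perUserHash($pw);
}

print_r(sharedPasswordGroups($fixed));
print_r(sharedPasswordGroups($bound));
print_r(sharedPasswordGroups($perUser));

// The per-user scheme still verifies every account.
foreach ($passwords as $user => $pw) {
    if (!perUserVerify($pw, $perUser[$user])) {
        throw new RuntimeException("verification failed for $user");
    }
}
```

The first print_r() groups alice and bob together, which is the leak Mordred describes: the reader of the file knows those two share a password and can try the short list of common ones against that pair. The other two groupings are empty. A fixed salt also means one precomputed dictionary run covers every account in the file, whereas a per-user salt forces the attacker to redo the work for each one, and bcrypt's cost factor makes each of those runs expensive.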