PHP Files - Storing Passwords in them.. Secure?

leon1p

When using software like Joomla, phpBB etc any database information is stored in a config.php file which is then chmod'd to prevent unauthorised access.

Now I have just installed software which does the same but does not chmod the php file, with the assumption that if the server is set up correctly it will never pass the information contained to the browser..

Is this really correct? I've seen sometimes, when a bug happens when opening a page, it will actually display the PHP code in error, and if it happened to be my password file it would be there for everyone to see.

What is a good level of CHMOD for such a file?
Currently it is 604

:thinking:
 
The user passwords would be inside your database in MD5 format but the password that your forum uses to access your DB will be stored in a config.php file or similar.

It will contain your database hostname, username and password as well as the required database name.

If the config file was then accessed illegitimately that would allow someone to gain access to all your database info and delete it etc.
 
CHMOD the permissions to 644, 444 or 400, depending on which your host prefers.. 400 is best IMO as it contains the least amount of permissions, but obviously it will depend on what you need to run the db etc (which is defined by the host I think)

All my config files are 400 and everything works fine :)
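An added example, not posted in this thread, of a small POSIX shell audit that applies the permission advice above: it flags any config-style file under a web root whose bits let "other" read it or let group/other write it, so the 604 from the first post fails while 400, 600 or 640 pass. The web-root path and the file-name patterns (config*.php, *.inc) are assumptions.

```shell
#!/bin/sh
# Added example: audit config-file permission bits as discussed in this thread.
# A file passes only when "other" cannot read it and neither group nor "other"
# can write it, so 604/644 fail while 400, 600 and 640 pass. Only the bits are
# checked (find -perm with symbolic modes is POSIX), so it works for any owner.

config_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    # -perm -o=r matches when the other-read bit is set (world-readable)
    if [ -n "$(find "$f" -perm -o=r)" ]; then
        echo "WARN: $f is world-readable" >&2
        return 1
    fi
    # -perm -g=w / -perm -o=w: group- or world-writable
    if [ -n "$(find "$f" -perm -g=w)" ] || [ -n "$(find "$f" -perm -o=w)" ]; then
        echo "WARN: $f is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# Walk a web root (assumed path) and print how many config-style files fail.
# The file-name patterns are assumptions; adjust them to the software you run.
audit_webroot() {
    root="$1"
    bad=0
    list=$(find "$root" -type f \( -name 'config*.php' -o -name '*.inc' \))
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        config_perms_ok "$f" || bad=$((bad + 1))
    done <<EOF
$list
EOF
    echo "$bad"
}
```

Run `audit_webroot /path/to/webroot`; a count above zero means at least one file still has bits that 604 leaves open.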
 
Thanks Matty.. I've set mine to 400 and it seems to work fine.. It may not make a difference in real terms but I feel better ;)

Andrew.. Are you an active user on the car forum or just background admin? Car forums are the worst for keyboard warriors. I've been involved with a few new.. totally fed up of them to be honest.
 
You could also make a .htaccess rule for this, forbidding access to that file from the web.
If the system you use routes everything via index.php, then you can use something like this:

Code:
# Block direct requests for include files
<Files "*.inc">
  Order Deny,Allow
  Deny from all
</Files>
# Block direct requests for every .php file (a regex, so FilesMatch rather than Files)
<FilesMatch "\.php$">
  Order Deny,Allow
  Deny from all
</FilesMatch>
# Never serve .htaccess / .htpasswd themselves
<Files ".ht*">
  Order Deny,Allow
  Deny from all
</Files>
# Re-open only the front controller that everything is routed through
<FilesMatch "^index\.php$">
  Order Allow,Deny
  Allow from all
</FilesMatch>

in your .htaccess file.
 
Never thought about htaccess for the specific file.. I'll have a play with that as well.
 
Errors will show info from the php file.. it won't show the include files.. password is stored in an include... in order for it to show an include file the php file would have to load it in... if it loaded it in then it's working good enough not to show the error... if you follow:)
 
Yes that makes sense.. so at most I would see the contents of say index.php and the statement to include config.php.. but because it isn't parsing the php it won't be including it :D
 
Exactly.. as we say in Accrington :) But still you wouldn't see all of index.php on an error, just the lines of the error... but for me it does give too much info such as full paths back to the server... but heck, they're not hard to find anyway :)
 
Best practice is to make sure all passwords in web accessible places are encrypted eg, MD5 (most forums etc will do this by default), even though there are ways to work out MD5 passwords most hackers/script kiddies won't bother unless they really have something to gain and a lot of spare time.
As for files with things like database connection details within them always try to put them in a folder outside of your web directory as people will not be able to view them but scripts can still call them :) (Though not all hosts allow you access out of your web/public_html dir)
 
He's using third party software that says where files can be stored.. personally I would *hack that to store it elsewhere :)

* hack.. to chop change.. hacking is good... cracking is bad ..
 
Yeh it could be worth a hack to move the config file away from default.

All good ideas guys thanks for the suggestions.
 