-3

I need to prevent hackers from using `echo $db_username` in PHP to view my encoded config files by creating new.php and adding this to it:

```php
<?php
// the attacker's new.php as described in the question: include the (encoded) config
// and print the variables it defines
include "/home/user/public_html/config.php";

echo $db_host;
echo $db_username;
echo $db_password;
echo $db_name;
```

I installed mod_security for Apache. Can you give me the rule to prevent this?

  • Why are you apparently allowing "hackers" to write files to your document root? If users are able to write and execute PHP files, your problems are much bigger than "they can see my db config"; they can do almost anything. – AD7six May 10 '14 at 07:41
  • How could they create that `new.php` ? If they have access to the server, they won't bother writing php to echo them, they just open the file directly. – Damien Pirsy May 10 '14 at 07:41
  • I don't allow them to create files in the root, but hackers may upload shell files and then be able to upload PHP files into the root. – user3622763 May 10 '14 at 07:43
  • How would they upload shell files? – fjc May 10 '14 at 07:43
  • That would be your fault then. You should not allow people to upload something like that. A good application should make the appropriate checks before allowing a file to be uploaded. – Damien Pirsy May 10 '14 at 07:43
  • I don't know, but maybe they found an exploited file! But I don't want them to view the config files anymore, please help. – user3622763 May 10 '14 at 07:45
  • Help? Correct the flaw then! There's no point in hiding things if people can still upload _anything_ to your server! – Damien Pirsy May 10 '14 at 07:46
  • I know, but I don't want anyone to know the MySQL information and connect to it, so I need to disallow them from using `echo $db_username;` or `echo $db_password;`. It will be okay as long as they can't connect to the database. – user3622763 May 10 '14 at 07:49
  • @user3622763 See my answer. – biolarnative May 10 '14 at 07:49
  • @user3622763 if they can upload a file such that they can see the db credentials, they can also just use them (from your server, because the credentials _are_ restricted to only work from that server, right?). There's no "answer" to what you're asking because what you're asking is kind of pointless. Take the site offline, **find and fix the exploit**, change passwords and put it back online. You're currently wasting your time (and everyone else's). – AD7six May 10 '14 at 07:53
  • @AD7six if anyone accesses the html root they can access the config.php file, I know that, but my config.php file is encrypted, so he will not be able to connect to the database. But if he creates file.php and puts `echo $db_username` in it, he will get the MySQL connection information. – user3622763 May 10 '14 at 07:56
  • @AD7six Yes, I understand what you are talking about, but you don't understand me. If anyone accesses the html root he will find config.php encrypted and will not be able to read anything, but if he uses the code below, he will find the MySQL information and will be able to connect to the db by uploading any file that connects to it. – user3622763 May 10 '14 at 08:01
  • @user3622763 See my updated answer. Is that what you're asking? – biolarnative May 10 '14 at 08:02
  • Okay, now the hacker can't create a new PHP file in the document root, but it will not be okay if a user needs to upload new files. Anyway, is there a solution for disabling `echo $db_username;` in PHP files? And thank you very much for your help. – user3622763 May 10 '14 at 08:07
  • @biolarnative, I'm sorry, I thought you were AD7six :). Yes, I saw your answer, but the hacker used a local path, not a remote one; he used include /home/user/public_html/config.php, not a remote include from another server. – user3622763 May 10 '14 at 08:10
  • @user3622763 I edited my answer. – biolarnative May 10 '14 at 08:19
  • @biolarnative I replied to your answer .. :) – user3622763 May 10 '14 at 08:28

2 Answers

0

No one can include your file from a remote address, for security reasons. You just need to check in your php.ini file that allow_url_include is set to Off (it is already off by default, but just in case).

If someone tries to include your file from a remote address when allow_url_include is set to Off, he will get these errors:

Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in /Path/To/file.PHP on line x

Warning: include(http://www.yourserver.com/dir/config.php): failed to open stream: no suitable wrapper could be found in /Path/To/file.PHP on line x

Warning: include(): Failed opening 'http://www.yourserver.com/dir/config.php' for inclusion (include_path='.;INCLUDE_PATH') in /Path/To/file.PHP on line x

EDIT: Look, you can't protect your site 100%; even Facebook is not "so secure" as you think. For example, eBay was hacked on 21.5.14. What you can do is try to protect everything, so that the hackers have to work really hard to try to get control of your system. Here you can see a lot of attacks (not all of them are web-based attacks); read about them, all of them have a solution: Owasp attacks page. If your site is properly secured, the hackers will not get control of your system, they will not get access to your document_root and will not read your config file.

biolarnative
  • Okay, you are right, but the hackers use include /home/user/public_html/config.php, so they will be able to see the encoded contents by using `echo $db_username;` or `echo $db_password;`. – user3622763 May 10 '14 at 07:52
  • @user3622763 I updated my answer. – biolarnative May 10 '14 at 07:55
  • Yes, you are right, but that will make it more secure, because if the hackers succeed in accessing the document root, they will not be able to learn the MySQL information to access it, because they will see that config.php is encrypted. So all they can do is change the index.html file :) .. So, I want to disable writing `echo $db_username` in the PHP files, because no script will use this function! So can I disable it by using mod_security? And thanks for your time and help. – user3622763 May 10 '14 at 08:27
  • I can't understand this obsession about the DB config. If hackers have access to your server you're already screwed. – Damien Pirsy May 10 '14 at 08:29
  • @user3622763 Here is what you can do with [mod_security](https://www.modsecurity.org/documentation/). Also, Damien is right; read his comment. – biolarnative May 10 '14 at 08:31
  • @DamienPirsy, Yes .. But he will access the files and not connect to the MySQL database and see the tables!!! That is what I am talking about: if the hacker succeeds in accessing the document root, he will learn the information in config.php, but if it is encrypted?! He will not see anything. But if he uses the code which I wrote, he will be able to find the MySQL database information and access the database! – user3622763 May 10 '14 at 08:37
  • @user3622763 When you say "encrypted", what do you mean? And it doesn't really matter, because your site is already connected to the database; the attacker can run an "into outfile" query to dump your whole database. – biolarnative May 10 '14 at 08:39
  • @biolarnative, config.php is encoded as `$XnNhAWEnhoiqwciqpoHH=file(__FILE__);eval(base64_decode("aW` so the hackers can't tell what information is in the file. – user3622763 May 10 '14 at 08:42
  • @biolarnative, OMG! That means he can dump all databases by using a PHP file, without using the database information! If so, I must find the exploited files and fix them. – user3622763 May 10 '14 at 08:47
  • @user3622763 True, but the file needs to be connected to the database. – biolarnative May 10 '14 at 08:48
  • @biolarnative, if you mean that he can write a PHP file and put in it a command to dump all databases associated with this account, then that means the issue will be solved after the exploited files are closed. But if by "file_that_already_connectedToDB.php" you mean config.php, how can he put a query in an encoded file? – user3622763 May 10 '14 at 08:53
  • Quote: "True, but the file need to be connected to the database." I think he needs to know the MySQL information from the config.php file to put that information in the dump file! So, if config.php is encoded, how will he get that information? I'm sorry .. – user3622763 May 10 '14 at 08:59
  • @user3622763 Read [this](http://stackoverflow.com/a/82119/3546872) to learn how to dump an SQL file using PHP and a MySQL query. I don't think a db connection is needed; only one way requires connection details, and that is "mysqldump". Please mark this answer as the correct one (: – biolarnative May 10 '14 at 09:01
  • @biolarnative Thanks for your help :) And I'm very sorry for wasting your time .. And I'm sorry again because I can't mark it as a useful answer, because I don't have enough reputation at the moment, but I promise I will do it in the future :) .. Thank you for the useful information. Best regards. – user3622763 May 10 '14 at 09:07
  • IT DOESN'T MATTER IF THE FILE IS ENCRYPTED. IF YOUR SERVER IS COMPROMISED, THE HACKER CAN REVERSE ENGINEER THE ENCRYPTION BY LOOKING AT THE FILE! Sorry for the caps, but it seems you're stuck in your "but the db config!!" loop and I can't make you focus your attention on the real problem. – Damien Pirsy May 10 '14 at 09:27
-2

Simply put: you should put the config file outside of the html root for best security. You shouldn't be worried about someone creating a new PHP file. You should worry about someone accessing your server instead.

bestprogrammerintheworld
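The two concrete recommendations on this page are that `allow_url_include` stays `Off` (first answer) and that the config file lives outside the document root (second answer). The following audit script is an added example, not code from the question, either answer, or any project named here; it is written in Python rather than PHP so it can run on a workstation without a web server. It assumes it is handed the Apache DocumentRoot, the config file path and the text of php.ini; the php.ini excerpt and the directory layout built by `demo()` are constructed for illustration. The world-readable check goes slightly beyond the page: it is a general file-permission check, not something the answers mention.

```python
import os
import stat
import tempfile

# Constructed php.ini excerpt (not from the page): the setting the first answer
# tells the asker to check, deliberately left On so the audit flags it.
SAMPLE_PHP_INI = """
; constructed sample php.ini excerpt
[PHP]
allow_url_fopen = On
allow_url_include = On
display_errors = Off
"""


def parse_php_ini(text):
    """Parse `key = value` lines from php.ini text into a dict of lowercased
    keys and values; `;` comments and [section] headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def ini_flag_is_off(value):
    """Spellings PHP treats as a disabled boolean ini flag."""
    return value in ("off", "0", "", "false", "no", "none")


def path_is_outside(child, parent):
    """True when realpath(child) is neither `parent` nor beneath it.
    Symlinks and `..` segments are resolved first, and the component-wise
    comparison avoids the prefix bug where public_html_old matches public_html."""
    child_real = os.path.realpath(child)
    parent_real = os.path.realpath(parent)
    return os.path.commonpath([child_real, parent_real]) != parent_real


def audit(document_root, config_path, php_ini_text):
    """Return a list of findings; an empty list means allow_url_include is off,
    the config sits outside DocumentRoot, and (if present) it is not world-readable."""
    findings = []
    ini = parse_php_ini(php_ini_text)
    # A missing key means PHP's built-in default, which is Off.
    if not ini_flag_is_off(ini.get("allow_url_include", "off")):
        findings.append("allow_url_include is On; set allow_url_include = Off in php.ini")
    if not path_is_outside(config_path, document_root):
        findings.append(f"{config_path} is inside DocumentRoot {document_root}; move it outside")
    if os.path.exists(config_path) and os.stat(config_path).st_mode & stat.S_IROTH:
        findings.append(f"{config_path} is world-readable; restrict it to the web server's user/group")
    return findings


def demo():
    """Build a throwaway home directory (constructed, not the asker's server)
    with the config in both locations and audit each."""
    with tempfile.TemporaryDirectory() as home:
        docroot = os.path.join(home, "public_html")
        os.makedirs(docroot)
        inside = os.path.join(docroot, "config.php")
        outside_dir = os.path.join(home, "config")
        os.makedirs(outside_dir)
        outside = os.path.join(outside_dir, "db.php")
        for path in (inside, outside):
            with open(path, "w") as fh:
                fh.write("<?php return ['db_host' => 'localhost'];\n")
            os.chmod(path, 0o640)  # owner rw, group r, nothing for others
        return {
            "inside": audit(docroot, inside, SAMPLE_PHP_INI),
            "outside": audit(docroot, outside, "allow_url_include = Off\n"),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

`demo()` reports two findings for the in-root layout (the `On` flag and the location) and none for the out-of-root layout. The path check uses `os.path.commonpath` on resolved paths on purpose: a plain string-prefix test would pass a config stored in `/home/user/public_html_old/` as "outside" `/home/user/public_html`, and an unresolved path would let a symlink inside the document root point anywhere.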