[SAC] Re: Subject: [Technical Problem] can't register on trac

Martin Spott Martin.Spott at mgras.net
Tue Apr 10 12:19:33 EDT 2012


Hi Frank,

On Tue, Apr 10, 2012 at 08:57:54AM -0700, Frank Warmerdam wrote:

> BTW, you aren't suggesting that someone can just do an http fetch
> to fetch the .py scripts, are you?

No, not as a regular, planned operation  :-)

As far as I can tell, the most common way to retrieve purportedly
hidden information is to trick the web server into a specific error
which exposes the content of the failing script (as debug output).
Storing the credentials either in a separate file or in the
environment could help against this sort of attack.
Aside from that, PHP is quite popular for exposing security holes
that allow arbitrary (PHP) commands to be fed in and executed in the
context of the web server.  Thus you're always better off storing
sensitive information outside the web server's document root and
therefore outside the reach of the built-in PHP interpreter.

Anyhow, this still doesn't solve the issue resulting from the files
being world-readable and thus accessible to everybody with a
functional shell account on this VM.  That's another item asking for
proper directory and file owners and permissions.

Cheers,
	Martin.
-- 
 Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------
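As an added example (not code from this thread, from Trac or from the OSGeo SAC setup), the following POSIX shell audit checks the two points raised above: whether a credentials file sits below the web server's document root, and whether its mode lets other local accounts read it, followed by the usual remediation (owner rw, web-server group r, nobody else). The document-root layout, file names, user and group names are assumptions for the demo; the files it creates are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: audit a credentials file for (a) location inside the
# web document root and (b) readability by users other than its owner.
# Works with GNU stat (Linux) and falls back to BSD stat syntax.

# under_docroot FILE DOCROOT -> exit 0 if FILE lives below DOCROOT
under_docroot() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# perm_digits FILE -> permission bits in octal, e.g. 640
perm_digits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# world_readable FILE -> exit 0 if the "other" class has read access
world_readable() {
    mode=$(perm_digits "$1")
    [ $(( (mode % 10) & 4 )) -ne 0 ]
}

# group_readable FILE -> exit 0 if the group class has read access
group_readable() {
    mode=$(perm_digits "$1")
    [ $(( ((mode / 10) % 10) & 4 )) -ne 0 ]
}

# audit_secret FILE DOCROOT -> print findings; exit 1 if anything is wrong
audit_secret() {
    rc=0
    if under_docroot "$1" "$2"; then
        echo "PROBLEM: $1 is inside document root $2"; rc=1
    fi
    if world_readable "$1"; then
        echo "PROBLEM: $1 is world-readable (mode $(perm_digits "$1"))"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# lock_down FILE OWNER GROUP -> owner rw, web-server group r, others nothing.
# chown needs root; when run unprivileged the ownership step is skipped.
lock_down() {
    chown "$2:$3" "$1" 2>/dev/null || true
    chmod 640 "$1"
}

# Demo on constructed files: a PHP config under the (assumed) docroot with a
# typical world-readable mode, and an ini file kept outside it with mode 640.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs" "$tmp/etc"
    printf 'db_pass=constructed-secret\n' > "$tmp/htdocs/config.php"
    chmod 644 "$tmp/htdocs/config.php"
    printf 'password = constructed-secret\n' > "$tmp/etc/trac.ini"
    chmod 640 "$tmp/etc/trac.ini"
    audit_secret "$tmp/htdocs/config.php" "$tmp/htdocs" || true
    audit_secret "$tmp/etc/trac.ini" "$tmp/htdocs"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the two verdicts; on a real host call `audit_secret /etc/trac/trac.ini /var/www/htdocs` (paths assumed) for each file that holds credentials, then `lock_down` with the account that owns the file and the group the web server runs as. Note that moving a file out of the document root removes it from the reach of the web server's script engine, but only the mode change keeps other shell accounts from reading it.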
