[SAC] Re: Subject: [Technical Problem] can't register on trac
Frank Warmerdam
warmerdam at pobox.com
Tue Apr 10 13:46:58 EDT 2012
On Tue, Apr 10, 2012 at 9:35 AM, Frank Warmerdam <warmerdam at pobox.com> wrote:
> On Tue, Apr 10, 2012 at 9:19 AM, Martin Spott <Martin.Spott at mgras.net> wrote:
>> As far as I can tell, the most common way to retrieve purportedly
>> hidden information is to trick the web server into a specific error
>> which exposes the content of the failing script (as debug output).
>> Both storing the credentials either in a separate file or in the
>> environment could help against this sort of attack.
>> Aside from that, PHP is quite popular for exposing security holes
>> allowing arbitrary (PHP) commands to be executed in the context
>> of the web server. Thus you're always better off storing sensitive
>> information outside the web server's document root and thus outside the
>> reach of the built-in PHP interpreter.
>
> Martin,
>
> OK - while this doesn't sound compelling, I can see moving the value
> into a file outside the document root would mitigate some risk. I'll do
> it today.
Folks,
OK, the change is made. The LDAP python scripts read a credentials
file outside the doc root (and outside cgi-bin, which wasn't under the
docroot). Note that the master ldap password is also in the svn history
for the osgeo scripts which lives in some sort of non-public svn service.
I would suggest at some point we update the master ldap password.
In addition to the credentials file on www2 I think we would also need
to update Drupal which I think has this password. I do not know how
to do that off hand.
Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | Geospatial Software Developer
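The approach Frank describes above (CGI scripts reading a credentials file kept outside the document root), as an added illustration that is not the OSGeo scripts' own code: it refuses a file that resolves inside a hypothetical docroot or that group/others can read, and parses simple `key = value` lines. The paths, file name and key names are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

DOC_ROOT = "/var/www/htdocs"  # hypothetical document root, not OSGeo's


def is_outside(path, root):
    """True if `path` resolves to a location that is not under `root`."""
    p = Path(path).resolve()
    r = Path(root).resolve()
    return p != r and r not in p.parents


def check_mode(path):
    """Refuse a credentials file that group or others can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} mode {oct(mode)} is too open")


def parse_credentials(text):
    """Parse 'key = value' lines; split on the first '=' only, so a DN
    such as cn=admin,dc=example survives as the value."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            creds[key.strip()] = value.strip()
    return creds


def load_credentials(path, doc_root=DOC_ROOT):
    """Load the file only if it is outside doc_root and not world-readable."""
    if not is_outside(path, doc_root):
        raise ValueError(f"{path} lies inside the document root {doc_root}")
    check_mode(path)
    with open(path) as fh:
        return parse_credentials(fh.read())


def demo():
    # Constructed sample file in a temp dir (outside any docroot), mode 0600.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ldap_credentials")
        with open(path, "w") as fh:
            fh.write("# constructed sample\nbind_dn = cn=admin,dc=example\n"
                     "bind_pw = not-a-real-password\n")
        os.chmod(path, 0o600)
        return load_credentials(path)
```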