
Secure conf_global in shared hosting


Guest Axel Wers


I read some info about the security of conf_global.php in a bug report: "conf_global.php file able to be included from anywhere."

I have a question: how can I get access to the conf_global.php file via a PHP script? I remember that I used to know, but I have forgotten it... At IPSBeyond there was one topic about this. I had the conf_global.php file in the /home/forums/ directory and I uploaded a PHP file with some script to /home/test/. I ran it and I saw the conf_global.php content.


Then I tried Brandon's security fix:

// placed at the top of conf_global.php: refuse to load unless the calling
// script's path contains the board directory
if (strpos($_SERVER['SCRIPT_FILENAME'], "/my_path/main_forum/") === false)
{
	echo "Configuration being called from the wrong area.";
	exit;
}



I put it in my conf_global.php file following the instructions, but when I click on my (test) board I get only a blank page with the text:
Configuration being called from the wrong area.

What is wrong? :ermm:


You have to verify that the path is correct. If necessary, change the code to

if (strpos($_SERVER['SCRIPT_FILENAME'], "/my_path/main_forum/") === false)
{
	echo $_SERVER['SCRIPT_FILENAME'] . '<br>';   // show the path the check actually sees
	echo "Configuration being called from the wrong area.";
	exit;
}

to verify what is set as SCRIPT_FILENAME.

To include conf_global from another area on the server, all you would need to do is use something like include('/full/path/to/conf_global.php'); The thing is, most servers where this would be an issue (shared servers) are secured from this already (via safe_mode or open_basedir, or by having PHP run as the proper user account, which wouldn't have permission to the file under someone else's account, for example).


Just thinking: shouldn't this be something that conf_global does automatically? You can't include or access any of the other files if you try to include them without IN_IPB being defined. conf_global is an important file and I think this sort of protection should be made default.


How do you automate something like that, though, when you have to factor in the dozens of different operating systems and the fact that PHP can be loaded in multiple ways (ISAPI module, fastcgi, etc.) - I've seen paths that don't get set to the full path properly, so it's all but impossible to do this in an automated fashion.

Realistically, the security issue here lies with the host - they shouldn't be allowing one user to access another user's files on their hosting.


Even if the config file could automate this, it is by no means a security fix:

<?php
// attacker's script in another account: save the real value, spoof it, include, restore
$_SERVER['SCRIPT_FILENAME_REAL'] = $_SERVER['SCRIPT_FILENAME'];

// the spoofed value only has to contain the substring the guard looks for
$_SERVER['SCRIPT_FILENAME'] = '/fake/path/to/conf_global.php';

require_once('/fake/path/to/conf_global.php');

$_SERVER['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME_REAL'];
?>



Only way is to make sure the host is secured :)

- Zero Tolerance

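The following is an added demonstration, not code from the thread or from IPB. It builds a throw-away copy of the SCRIPT_FILENAME guard inside a temp directory and runs three includes against it: the board's own script, an honest script in another account, and a script that overwrites $_SERVER['SCRIPT_FILENAME'] before the include, exactly as the post above describes. All paths, the directory layout and the password value are constructed for the demo; the function name is my own.

```php
<?php
// Added demonstration (not from the thread or IPB): the SCRIPT_FILENAME guard
// and why overwriting $_SERVER['SCRIPT_FILENAME'] before the include defeats it.
// Everything below lives in a temp directory; nothing on the real host is touched.
declare(strict_types=1);

$base     = rtrim(sys_get_temp_dir(), '/') . '/conf_global_demo_' . getmypid();
$forumDir = $base . '/my_path/main_forum';   // the board's directory (assumed layout)
$otherDir = $base . '/home/test';            // a second account on the same host (assumed)
mkdir($forumDir, 0700, true);
mkdir($otherDir, 0700, true);

// Stand-in for conf_global.php: Brandon's guard followed by one setting.
// 'return' replaces 'exit' so the demo can continue after a rejected include.
$confPath = $forumDir . '/conf_global.php';
file_put_contents($confPath, <<<'PHP'
<?php
if (strpos($_SERVER['SCRIPT_FILENAME'], "/my_path/main_forum/") === false) {
    echo "Configuration being called from the wrong area.";
    return;
}
$INFO['sql_pass'] = 'demo-password';   // constructed value, not a real credential
PHP
);

/**
 * Include $confPath with $_SERVER['SCRIPT_FILENAME'] set to $claimedScript.
 * Returns what the config printed and whatever $INFO it populated.
 */
function includeConfigAs(string $confPath, string $claimedScript): array
{
    $INFO  = [];
    $saved = $_SERVER['SCRIPT_FILENAME'] ?? '';
    $_SERVER['SCRIPT_FILENAME'] = $claimedScript;
    ob_start();
    include $confPath;                       // $INFO lands in this function's scope
    $printed = ob_get_clean();
    $_SERVER['SCRIPT_FILENAME'] = $saved;    // restore, as the bypass in the thread does
    return ['printed' => $printed, 'info' => $INFO];
}

$cases = [
    // 1. The board itself: SCRIPT_FILENAME really is under main_forum, guard passes.
    'board script'            => $forumDir . '/index.php',
    // 2. A script in another account that leaves SCRIPT_FILENAME honest: guard blocks it.
    'honest script elsewhere' => $otherDir . '/read_conf.php',
    // 3. The same attacker script after assigning $_SERVER['SCRIPT_FILENAME'] itself:
    //    the value only has to contain the substring the guard looks for.
    'spoofing script'         => '/my_path/main_forum/anything.php',
];

foreach ($cases as $label => $claimed) {
    $r = includeConfigAs($confPath, $claimed);
    printf("%-24s -> %s\n", $label,
        $r['info'] ? 'loaded sql_pass=' . $r['info']['sql_pass'] : trim($r['printed']));
}

// Remove the temp tree.
unlink($confPath);
rmdir($forumDir);
rmdir(dirname($forumDir));
rmdir($otherDir);
rmdir(dirname($otherDir));
rmdir($base);
```

Run it with the PHP CLI. The first and third cases both load the password; only the honest script is turned away, which is the point of the post: the guard checks a value the caller controls, so it filters out accidents, not attackers.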


OK, now I have another question.

I can protect the admin directory (by renaming that directory).

Is there a similar way to protect the conf_global.php file?

/forums/conf_global.php is very well known.

I'd like to have something like /forums/secret_directory/conf_global.php

No, you cannot do this. The reference to this file is hard coded in too many files as ROOT_PATH . "conf_global.php".
Perhaps you can do it with a symlink, though (not on Windows), so that the file is in another protected directory and just linked; therefore all scripts should work and the file is not accessible outside of the scripts without knowing the password.

Not sure, but it should work.

OK :) then this could be a suggestion for the next major release. I think that phpBB has something similar.




Not sure why you need this. No matter how you work it, there will be a way to get this information. Just make sure the proper permissions are set on your files/directories, and you can try changing your SQL password every so often if you are a paranoid person.

Quoting Zero Tolerance's post above ("Even if the config file could automate this, it is by no means a security fix ... Only way is to make sure the host is secured"):

Everyone should re-read this.

No matter what you guys try to do with moving files and so on, if the hosting is not secured, your efforts are fruitless. And if the hosting is secure, these efforts are unnecessary. So, effectively, you guys should not be worrying about moving the file, or adding code to protect it - you should be worrying about whether safe_mode is on, or open_basedir is enabled, or what permissions your files have and what owner php/apache is running as for your hosting account, and so on. Including files on a shared account is really a security measure the host should be worrying about.
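As an added example (not from the thread or from IPB), here is a small script that reports the host-side controls the post above says actually matter: the mode of conf_global.php, the user PHP runs as versus the file's owner, and whether open_basedir is set. Drop it next to conf_global.php and load it once from the browser, since the web SAPI's ini settings are the ones that count, not the CLI's. Function names and the wording of the findings are my own; the file path is assumed to be the board root.

```php
<?php
// Added example (not from the thread or IPB): report the host-side controls
// that decide whether another account on a shared server can read conf_global.php.
// Load this from the web server, then delete it.
declare(strict_types=1);

/** Resolve a uid to a name where the posix extension is available. */
function userName(int $uid): string
{
    $pw = function_exists('posix_getpwuid') ? posix_getpwuid($uid) : false;
    return is_array($pw) ? $pw['name'] : (string) $uid;
}

function confGlobalReport(string $confPath): array
{
    if (!is_file($confPath)) {
        return ['error' => "$confPath not found"];
    }
    $mode    = fileperms($confPath) & 0777;
    $owner   = fileowner($confPath);
    $phpUser = function_exists('posix_geteuid') ? posix_geteuid() : null;
    return [
        'mode'               => sprintf('%04o', $mode),
        // 0044 = group-read and world-read bits; either one lets other accounts read the SQL password.
        'readable_by_others' => ($mode & 0044) !== 0,
        'file_owner'         => userName($owner),
        'file_owner_uid'     => $owner,
        'php_runs_as'        => $phpUser === null ? '(posix extension missing)' : userName($phpUser),
        'php_runs_as_uid'    => $phpUser,
        // open_basedir is enforced on the resolved real path, so a symlink inside the
        // board directory does not let PHP reach a file outside the allowed tree.
        'open_basedir'       => ini_get('open_basedir') ?: '',
    ];
}

/** Turn the report into the findings a shared-hosting customer can act on. */
function confGlobalFindings(array $r): array
{
    if (isset($r['error'])) {
        return [$r['error']];
    }
    $out = [];
    if ($r['readable_by_others']) {
        $out[] = "mode {$r['mode']}: group/world readable; try chmod 600 (or 640 with a private group) and confirm the board still loads.";
    }
    // PHP running as a shared account (typically the web server's) means every customer's
    // scripts run as that same account: the board can only read the file if they can too,
    // so file mode cannot separate them and only open_basedir (or per-user PHP) can.
    $sharedUser = $r['php_runs_as_uid'] === null || $r['php_runs_as_uid'] !== $r['file_owner_uid'];
    if ($sharedUser) {
        $out[] = "PHP runs as {$r['php_runs_as']}, the file is owned by {$r['file_owner']}: isolation depends on open_basedir or on the host running PHP per user (suPHP, FastCGI, etc.).";
    }
    if ($sharedUser && $r['open_basedir'] === '') {
        $out[] = 'open_basedir is not set for this vhost; any other account on a shared PHP user can include() this file by its full path.';
    }
    return $out ?: ['no findings: mode ' . $r['mode'] . ', PHP runs as the file owner.'];
}

$report = confGlobalReport(__DIR__ . '/conf_global.php');   // assumed board root
header('Content-Type: text/plain');
print_r($report);
foreach (confGlobalFindings($report) as $finding) {
    echo "- $finding\n";
}
```

If the output says PHP runs as you (the file owner) with mode 0600, the include-by-path trick in the thread fails on permissions alone; if it runs as the web server user with no open_basedir, no guard inside conf_global.php changes the outcome and the fix has to come from the host.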