phpCOIN

Forum Rules General Chat

To discuss anything NOT phpCOIN related (but do not spam advertisements into this forum)


How safe are database details on php files?
djpete
Posted: April 19, 2009 10:14 am


Advanced Member

Group: Members
Posts: 488
Member No.: 3,298
Joined: January 29, 2008



We have had an issue here in Oz where a Registrar has just been scratched off by our governing body the http://www.auda.org.au/

Client info was leaked to 100's of people (emailed) and the registrar has been in trouble for not taking enough security steps afterwards.

A question also came up on another forum: that usernames and passwords for databases etc. are readable in PHP files if the server goes down.

Is this true?
How safe are details on php files?

Curious.

This post has been edited by djpete on April 19, 2009 10:15 am


lightman
Posted: April 19, 2009 11:20 am


The Janitor

Group: Admin
Posts: 3,639
Member No.: 3
Joined: August 25, 2006



QUOTE
that username passwords for databases etc are readable in php files if the server goes down.
A server that is 'down' is about the safest server there is - since it isn't working, no-one could connect to it and get any data off it!! About the only 'safer' server is one enclosed in concrete and sunk at the bottom of a lake.

Some of the more obvious ways an attacker can recover data from MySQL or php files include the following:
  • They have guessed or brute-forced the FTP access
  • They have guessed or brute-forced a root access (if they have done this - go to the pub - they have everything!!)
  • They have guessed or brute-forced a control panel access
  • They have installed a rootkit
  • They have installed some sort of logging software
  • They are using DNS poisoning to re-route traffic through another server (not a direct PHP issue, but they could get a client or admin username/password)
  • They are intercepting the traffic using a packet sniffer (same as above)
  • They have gained access to the MySQL server via remote phpMyAdmin or similar (they may have access to data, but it has little commercial value)
  • They have exploited a vulnerability in PHP or MySQL and used XSS or MySQL injection
Most of the above are apparent from careful daily analysis of your logs (difficult if you're a reseller - you may not get any, and the server operator may not be bothering!)

Since phpCOIN stores NO credit card information (unless you were silly enough to enter it in a client's 'notes' field) - the data has no more real value than that which could be found in any public telephone directory.

The only way data could be read out of a php file is if the php process stopped working (and this usually means the webserver isn't working either, so they couldn't see anything anyway) or because of a criminally inadequate or misconfigured server configuration.

All data breaches are serious and usually demand (by law) that anyone's data that may have been compromised be contacted immediately and full disclosure made to the affected parties and to any requisite oversight or law authority. The follow-up action is more difficult - it may not be immediately obvious how the data was breached and what attack vector was used - slapping it all up and running again with a different password is no answer if the attacker has an alternative entry point.

Whilst we have done everything possible to secure phpCOIN from all known exploit vectors, it doesn't guarantee that the underlying Operating System / webserver / PHP / MySQL processes are invulnerable, or that some gaping great configuration hole wasn't left when the server was set up or configured, nor that some new exploit vector won't be found in the future. This is, of course, applicable to every bit of software you have on your server!!

Bottom line - ensure all your server and operating systems are fully patched up-to-date, revise the best working recommendations as to your firewalls, user and process access rights, file permissions and every application and daemon security configuration setting, ensure ALL your (and your customers') usernames and passwords are 'strong', and keep a very careful look-out for anything out of the ordinary.

If you are a reseller, or on any sort of shared server - pray that the server owner/administrator has the necessary ethics, knowledge and skills to address these crucial tasks, AND that they are performing due diligence to ensure other users on the same server are not deploying code with known exploit vectors that could impact anyone else on the same server. If you're not comfortable with the server operator's level of oversight, maintenance and/or security patching - find a new provider - I can guarantee you will sleep better.

Isn't web hosting fun?


--------------------
***** Unless otherwise stated, all replies refer to the following *****
====================================================================
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files.
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
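The reply above says most of the listed attack routes (brute-forced FTP, root or control-panel logins) show up in careful daily log review. As an added illustration of what that review can look like in practice (this is example code, not phpCOIN's own and not something lightman posted), the script below walks stock OpenSSH and vsftpd log lines in order, counts failed logins per source address, and then singles out the case that matters most: a successful login from an address that had already crossed the failure threshold. The log lines are constructed sample data using RFC 5737 documentation addresses; the threshold of 5 is an arbitrary starting point.

```python
import re
from collections import Counter, defaultdict

# Failed-login lines for two services a host admin usually has logs for.
# The sshd form is the stock OpenSSH syslog line; the vsftpd form is its default log line.
FAIL_PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"),
    "vsftpd": re.compile(r"\[(?P<user>[^\]]*)\] FAIL LOGIN: Client \"(?P<ip>\d+(?:\.\d+){3})\""),
}
OK_PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"),
    "vsftpd": re.compile(r"\[(?P<user>[^\]]*)\] OK LOGIN: Client \"(?P<ip>\d+(?:\.\d+){3})\""),
}


def match_any(patterns, line):
    """Return (service, ip, user) for the first pattern that matches line, else None."""
    for service, pat in patterns.items():
        m = pat.search(line)
        if m:
            return service, m.group("ip"), m.group("user")
    return None


def analyse(lines, threshold=5):
    """Walk log lines in order and report password-guessing sources.

    Returns {"brute_force": {ip: {service: failures}},
             "success_after_burst": [(service, ip, user), ...]}
    The second list is the one to act on first: a successful login from an address
    that has already crossed the failure threshold means a guess probably worked.
    """
    failures = defaultdict(Counter)   # ip -> service -> failed logins so far
    flagged = {}                      # ip -> failure counts once the threshold is crossed
    successes = []                    # logins that succeeded from an already-flagged ip
    for line in lines:
        hit = match_any(FAIL_PATTERNS, line)
        if hit:
            service, ip, _ = hit
            failures[ip][service] += 1
            if failures[ip][service] >= threshold:
                flagged[ip] = dict(failures[ip])
            continue
        hit = match_any(OK_PATTERNS, line)
        if hit and hit[1] in flagged:
            successes.append(hit)
    return {"brute_force": flagged, "success_after_burst": successes}


# Constructed sample lines (not from any real server); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr 19 10:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40111 ssh2
Apr 19 10:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40112 ssh2
Apr 19 10:14:05 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 40113 ssh2
Apr 19 10:14:07 web1 sshd[2207]: Failed password for admin from 203.0.113.5 port 40114 ssh2
Apr 19 10:14:09 web1 sshd[2209]: Failed password for admin from 203.0.113.5 port 40115 ssh2
Apr 19 10:14:11 web1 sshd[2211]: Failed password for admin from 203.0.113.5 port 40116 ssh2
Apr 19 10:14:13 web1 sshd[2213]: Accepted password for admin from 203.0.113.5 port 40117 ssh2
Sun Apr 19 10:20:02 2009 [pid 3120] [siteadmin] FAIL LOGIN: Client "192.0.2.10"
Sun Apr 19 10:20:15 2009 [pid 3120] [siteadmin] OK LOGIN: Client "192.0.2.10"
Sun Apr 19 10:31:40 2009 [pid 3188] [anonymous] FAIL LOGIN: Client "198.51.100.7"
Sun Apr 19 10:31:44 2009 [pid 3190] [ftp] FAIL LOGIN: Client "198.51.100.7"
""".splitlines()

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, counts in report["brute_force"].items():
        print(f"password guessing from {ip}: {counts}")
    for service, ip, user in report["success_after_burst"]:
        print(f"WARNING: {service} login as {user!r} from {ip} after a burst of failures")
```

The single typo'd FTP login from 192.0.2.10 stays below the threshold and is ignored, while the one sshd success after six failures from 203.0.113.5 is exactly the event the reply says a daily log review should catch, and the one that means changing the password alone is not enough.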
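The reply also pins down when a php file's contents can actually be read: when the php handler stops (or was never wired up for that file) the web server serves the source as plain text, and on a shared host any other account can read a file that is group- or world-readable. An added example of a check a site owner can run against their own install (example code, not part of phpCOIN and not posted by the thread's authors) is below. It builds a constructed sample tree, then flags every credential-bearing file that is inside the document root (exposed if the handler stops), any non-.php copy inside the document root such as an editor backup (served as text even with PHP working), and any file readable by other users. The credential regex and the list of PHP extensions are assumptions to adapt to your own config.

```python
import re
import stat
import tempfile
from pathlib import Path

# Credential assignments as they typically appear in a PHP config file (assumed pattern).
CRED_RE = re.compile(r"""\$(?:db_?pass\w*|db_?user\w*|password|mysql_pass\w*)\s*=\s*['"]""", re.I)

# Extensions the PHP handler executes (assumed); any other suffix is served byte-for-byte.
PHP_EXT = {".php", ".phtml"}


def has_credentials(path: Path) -> bool:
    """True if the file contains what looks like a hard-coded credential assignment."""
    try:
        return bool(CRED_RE.search(path.read_text(errors="replace")))
    except OSError:
        return False


def audit(site_root: Path, docroot: Path) -> list[tuple[str, str]]:
    """List (path relative to site_root, finding) for every credential-bearing file.

    Findings, in the order they are checked:
      * a non-PHP copy (config.php.bak, config.php~, ...) inside the document root is
        served as plain text whether or not PHP is running;
      * a PHP file inside the document root is exposed the moment the PHP handler is
        disabled or misconfigured, which is the failure mode discussed in the thread;
      * a file readable by group/other can be read by other accounts on a shared host.
    """
    findings = []
    for path in sorted(site_root.rglob("*")):
        if not path.is_file() or not has_credentials(path):
            continue
        rel = path.relative_to(site_root).as_posix()
        inside_docroot = docroot in path.parents
        if inside_docroot and path.suffix not in PHP_EXT:
            findings.append((rel, "non-PHP copy inside docroot: served as plain text"))
        elif inside_docroot:
            findings.append((rel, "PHP file inside docroot: exposed if the PHP handler stops"))
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((rel, f"readable by other users (mode {mode:03o})"))
    return findings


def build_sample_site() -> tuple[Path, Path]:
    """Construct a throwaway site tree (constructed sample data, not a real install)."""
    site_root = Path(tempfile.mkdtemp(prefix="phpcoin-audit-"))
    docroot = site_root / "public_html"
    creds = "<?php\n$db_user = 'coinuser';\n$db_pass = 'example-only';\n?>\n"
    files = {
        docroot / "index.php": ("<?php echo 'hello'; ?>\n", 0o644),   # no secrets: fine
        docroot / "config.php": (creds, 0o644),                        # in docroot, world-readable
        docroot / "config.php.bak": (creds, 0o644),                    # editor backup: plain text
        site_root / "private" / "db.php": (creds, 0o600),              # outside docroot, owner-only
    }
    for path, (body, mode) in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        path.chmod(mode)
    return site_root, docroot


if __name__ == "__main__":
    root, doc = build_sample_site()
    for rel, finding in audit(root, doc):
        print(f"{rel}: {finding}")
```

The clean pattern the audit rewards is the last entry in the sample tree: the credentials live in a file outside the document root with owner-only permissions, and the public php scripts pull it in with an include, so there is nothing for the web server to hand out even if PHP is not running.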
djpete
Posted: April 19, 2009 11:32 am


Advanced Member

Group: Members
Posts: 488
Member No.: 3,298
Joined: January 29, 2008



Nice complete summary Lightman.
I was Googling on it and a bit of that was mentioned but nowhere near as complete!
Appreciated.
All very handy to know.


Registered in the Mallorca Commercial Registry, Volume 2140, Sheet No. PM-51034, Folio 135
This website owned and operated by: Technology Services RPVW S.L. CIF# B57345084
Avda Constitucion 48 Bajos Alaro 07340 Baleares SPAIN
Tel:+34 971518362    Fax: +34 971518368    eMail: support@phpcoin.com