
Is it showing my database password?

dozens (New)
edited July 2005 in Vanilla 1.0 Help
Sorry if this is silly, but I don't know too much about this stuff.

So I was trying to edit the message shown on the very first sign-in screen for new users and while looking at different files I checked out the settings.php file in the appg folder and saw that it reveals my database password... Can this be exploited? It kinda scares me...

Comments

  • All PHP forums are like that. The only risk I see is that the file has rw-rw-rw- permissions, so anybody who has shell access can view and edit it!!! That's a major issue imo... mark should probably find a way to fix that ;) patrix.
  • edited July 2005
    I changed the permissions to 660, and put settings.php in the group www (same group as in the apache config files), and it seems to work out fine, and no other user can read the file. (Of course that works only for a system where you have root access...)
  • Patrix is pretty much dead on. The read/write is primarily just so vanilla can write its settings out to that file in the first place, and any changes you make to global application settings. Anyone attempting to execute the php file from your server will most likely get nothing but a blank if your server is set up right. I can't say for certain, but if your setup is anything like mine, other users on the server can see any files with certain permissions. But in most cases, they won't be able to touch those files from that end of the shell.
  • Well, with 666 permissions any user can read/write to that file if they have shell access, can't they? If not, something's horribly wrong with my 9 years of UNIX experience lol
  • Not to seem like a complete idiot, but I really don't know what to do to fix this. I mean, I know how to change the permissions on a file, but can you guys tell me exactly what to do so that this will be safe / okay? Thanks!
  • What I did was find out the group apache is running under (go in the httpd.conf and find the User and Group lines), then changed the group ownership of all vanilla files to that (in my case, I went in the vanilla directory and typed: chgrp -R www * ), then changed the permissions of key files so they wouldn't be writable by others, or even readable in the case of settings.php.
  • Let me re-phrase that: I know how to change permissions by opening Transmit, navigating to the file, doing a Get Info on it, checking the boxes or typing in a number, and hitting 'Apply'...

    So, uh, come again :)
    Thanks!
  • patrix, I guess that all depends on what flavor of Linux you might be running. On the BSD shell I'm under, my admins place each user under their own group ID just to prevent little things like this. While we can still see each other's files (file names only), we can't exactly snag, read or write to those files across the server. It's really all about little things like that. While I'm sure there's probably a clever hack around it, it's not too bad of a policy.
  • But if, as per vanilla instructions, you chmod 666 the settings.php file, then EVERY user on the system can read and edit it.
  • so....
  • Well, like I said, if you don't have a root shell on the server you can't do what I did...
  • Oh but of course if you only have ftp access and can't go to other users' directories, then there's not that much risk.
  • Mark (Vanilla Staff)
    The next release separates those params. Actually, the entire settings file will be changed, and the permissions are going to be done differently as well. This is already in the pipe.
  • always one step ahead hm? ;)
  • But it's safe the way it is now, for now?
  • Mark (Vanilla Staff)
    Yeah - you'd need a crazy hacker of some kind to get at it. If you have one of those on your hands, you've got more to worry about than your vanilla db password.
  • mark, no crazy hacker needed (note this probably doesn't apply to dozens's situation):

        ssh some_user@my_server
        cd /some/path/to/vanilla/appg
        vi settings.php
        *ooooh, plain text password, hey I can even change things in this file, let's have fun changing settings to funny things!!!!*
        :wq
        mysql -uuser -ppassword vanilla
        *oooh now I can play around in the database too!*

    I just executed that scenario on my server, and some_user isn't the one I used to install vanilla... To be fair, if you've given shell access to your server to someone who will do something like that then yes, you've got more to worry about than your vanilla db password. patrix.
  • So, what should the permissions be on this file that has my password? I mean, one response says it's fine and the next says it's not. The password isn't just for my vanilla database either; I have Movable Type on that database as well...

    well, patrix says it "probably" won't apply to me... How so?
  • dozens: do you have shell access on that server? Can you see other users' home directories through ftp? If both answers are no, then you are safe :)
  • No, and no. :)

    Thank you!
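The fix patrix describes in the thread (chgrp the whole tree to the web server's group, take away world access, and leave settings.php at 660 because Vanilla rewrites it when you save settings), written out as a script. This is an added example, not code from the thread or from Vanilla. It assumes you own the files (otherwise run it as root) and that you pass the web server's group name as the second argument; the thread uses www, but read the actual value from the User and Group lines in httpd.conf. The settings.php contents built by demo_tree are a constructed placeholder, not Vanilla's real file layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from Vanilla.
# harden_vanilla: apply the permission scheme patrix describes.
# audit_vanilla:  the check from the thread, i.e. is anything world-writable,
#                 or is settings.php world-readable?
# Assumptions: the caller owns the files; $2 is the web server's group
# (taken from the User/Group lines in httpd.conf, "www" in the thread).

harden_vanilla() {
    vanilla_dir="$1"
    web_group="$2"
    settings="$vanilla_dir/appg/settings.php"

    if [ ! -f "$settings" ]; then
        echo "no settings.php under $vanilla_dir/appg" >&2
        return 1
    fi

    # Whole tree owned by the web server's group ...
    chgrp -R "$web_group" "$vanilla_dir"
    # ... owner full, group read (and traverse for directories),
    # nothing at all for other users on the box.
    find "$vanilla_dir" -type d -exec chmod 750 {} +
    find "$vanilla_dir" -type f -exec chmod 640 {} +
    # settings.php is written back by Vanilla, so the group needs write: 660.
    chmod 660 "$settings"
}

# Octal permission bits of a file; GNU and BSD stat take different flags.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Lists offenders on stderr and prints the number of problems found.
audit_vanilla() {
    vanilla_dir="$1"
    settings="$vanilla_dir/appg/settings.php"
    find "$vanilla_dir" -perm -002 | sed 's/^/world-writable: /' >&2
    find "$settings" -perm -004 | sed 's/^/world-readable: /' >&2
    ww=$(find "$vanilla_dir" -perm -002 | wc -l)
    wr=$(find "$settings" -perm -004 | wc -l)
    echo $((ww + wr))
}

# Throwaway install laid out the way the thread describes it, with
# settings.php at the 666 the Vanilla 1 instructions ask for.
# The file contents are a constructed placeholder.
demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/appg"
    chmod 755 "$dir/appg"
    printf '<?php // constructed placeholder\n$dbpass = "not-a-real-password";\n' \
        > "$dir/appg/settings.php"
    printf '<?php echo "index";\n' > "$dir/index.php"
    chmod 666 "$dir/appg/settings.php"
    chmod 644 "$dir/index.php"
    echo "$dir"
}

# Usage, as the user who owns the files:
#   d=$(demo_tree); audit_vanilla "$d"; harden_vanilla "$d" www; audit_vanilla "$d"
```

One caveat the thread circles around but never states outright: this only keeps out users who are not in the web server's group. On a shared host where every site's PHP runs as the same Apache user, that user can read every customer's 660 settings.php through a script, so group-readable is still "readable by every other site". There the real fix is per-user PHP execution (suexec, or a separate FPM pool per site), after which 600 is enough.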