$db_passwd and $ssi_db_passwd stored in a .htpasswd-like file

MultiformeIngegno

  • Posts: 1,337
$db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« on October 2nd, 2012, 11:10 PM »
What about storing those variables in a MD5 encrypted file? Or - if this is too complex to setup for a "normal" user - we could give the possibility to manually set that method for "experienced" users..

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #1, on October 2nd, 2012, 11:16 PM »
Quote
What about storing those variables in a MD5 encrypted file?
Not possible at all.

Problem 1: you can't retrieve them from an md5 encrypted file. But you have to store them in a fashion that PHP can send to MySQL, which means either not encrypting them (like we do now), encrypting them in a fashion you can retrieve later (which brings me on to problem 2), or storing it in the same fashion that MySQL uses and connecting with that directly (which brings me to problem 3)

Problem 2: If you encrypt them somehow, you still have to be able to decrypt them to be able to use them.

Problem 3: If you store them the way MySQL does, it's realistically no different to storing the password as-is, either way someone who gets access to that password can still get into your database and mess it up.

What were you hoping to protect with this setup?
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

MultiformeIngegno

  • Posts: 1,337
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #2, on October 2nd, 2012, 11:52 PM »
Oh, I see. Well I was a bit worried that the password is displayed in plain text.. what if apache/nginx is misconfigured and instead of serving the file (Settings.php), it's downloaded..?
What about storing the password in another file (randomly named/placed)..? Also, letting admins move that file around the server (for example in /var/www/something/.. or /home/user/...).. it's more likely to be protected there (it's more difficult to mess with permissions)!

Sara

  • Walking Contradiction
  • Posts: 41
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #3, on October 2nd, 2012, 11:53 PM »
This sounds interesting.  I could perhaps use the .htaccess file to host and protect an anonymous image board for members only, or a non-register oekaki board.

It would be useful for adding on more php features to a community without having to make a bridge. 

But if it can't be done then *shrug*.

MultiformeIngegno

  • Posts: 1,337

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #5, on October 3rd, 2012, 12:10 AM »
Quote
Oh, I see. Well I was a bit worried that the password is displayed in plain text.. what if apache/nginx is misconfigured and instead of serving the file (Settings.php), it's downloaded..?
It actually doesn't matter. At some point the file has to be accessible to PHP to send to MySQL. If it's misconfigured, it's misconfigured and you're stuffed anyway.

Though if it is served, for whatever reason, that password is no more vulnerable than it would be before, IMO.
Quote
Also, letting admins move that file around the server (for example in /var/www/something/.. or /home/user/...).. it's more likely to be protected there (it's more difficult to mess with permissions)!
So you're going to make a settings file to record where you're putting the settings file? I'll let you do that while making a settings file to record the location of that settings file.
Quote
It would be useful for adding on more php features to a community without having to make a bridge.
Um, no? It's... nothing whatever to do with this? This is about securing the set up you have and protecting the password that is used from the PHP to talk to the database, not a password the user uses to access the site.

In all honesty it would be better to integrate features rather than relying on the absolutely more primitive method of securing.

To explain: HTTP Basic not only sends the password in plain text, it sends it EVERY SINGLE PAGE REQUEST. Even image requests include the password. You might as well not bother sending the password at all since quite literally any network sniffer anywhere between you and the server can access it.

Sara

  • Walking Contradiction
  • Posts: 41

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278

Sara

  • Walking Contradiction
  • Posts: 41
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #8, on October 3rd, 2012, 12:19 AM »
I apologize if I'm not up to snuff when it comes to advanced web development.

If you are directing the question towards me, I was thinking of hashed passwords to put outside the web root.  If it's not secure then I guess it's not secure.  I learned something new today.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #9, on October 3rd, 2012, 12:24 AM »
Quote
I apologize if I'm not up to snuff when it comes to advanced web development.
I'm sorry that I'm being somewhat unfriendly. There's a lot going on. (That, and the fact I get annoyed when I feel like I have to explain something multiple times because I'm not being heard. It's one thing not to understand, it's another to ignore it. If something I'm saying doesn't make sense, ask, don't assume.)
Quote
I was thinking of hashed passwords to put outside the web root.
As explained above, this is not particularly practical (since you have to have an unsecured password somewhere along the line in the actual PHP anyway, everything else is pure misdirection), but on top of that if you put it outside the web root, you actually raise a whole bunch of other problems, namely the insanity that is open_basedir.

In other words, just consider for a moment what I've said above. If you put the configuration outside of the web root, how does Wedge know where to get it? You then have to have configuration somewhere where it knows where to find it... which means you have a configuration file to find a configuration file, which is more than a bit redundant and not to mention making you think you're secure when really you're not any more secure than you were before doing it.

Sara

  • Walking Contradiction
  • Posts: 41
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #10, on October 3rd, 2012, 12:29 AM »
Like I said, I learned something new today, thank you. :thanks:  I will most likely make a plugin that will hook into avea for my drawing board idea.  But that's for another topic in the maybe-distant future.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #11, on October 3rd, 2012, 12:38 AM »
Interesting concept, actually. I'm not entirely sure it would be bridged into Aeva (or, Wedge, as it's now called :P) but it's an interesting concept nonetheless. Personally I don't think I'd use either Java or ActiveX were I to go about doing it, I'd probably be trying to use canvas tags (OK it doesn't work on IE below IE9 but that's no big loss to me personally)

Sara

  • Walking Contradiction
  • Posts: 41
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #12, on October 3rd, 2012, 12:46 AM »
Well, the applet itself is java-based, and it's old as hell.  The creator is MIA for a few years now.  But it still works under most conditions.  (I updated an old plugin for wordpress that allows members to draw on the applet and submit to the media gallery for posting).

I have the function that saves the picture; just need to finagle it and study how wedge submits regular pictures into the gallery, and it might just be crazy enough to work.

PantsManUK

  • [me=PantsManUK]would dearly love to dump SMF 1.X at this juncture...[/me]
  • Posts: 174
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #13, on October 3rd, 2012, 12:48 AM »
Can't remember where I first got it, but with Apache you can set server variables from inside the config file - you can access these from PHP easily enough, but it's difficult to get at them (as an attacker) if you don't know the variable names. Not impossible, phpinfo() will let you see them (for instance), but a start...
« What is this thing you hoomans call "Facebook"? »

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: $db_passwd and $ssi_db_passwd stored in a .htpasswd-like file
« Reply #14, on October 3rd, 2012, 12:55 AM »
Quote
I have the function that saves the picture; just need to finagle it and study how wedge submits regular pictures into the gallery, and it might just be crazy enough to work.
That's the point: I'd rather write something from scratch that doesn't rely on Java because Java is a massive security problem!
Quote
Can't remember where I first got it, but with Apache you can set server variables from inside the config file - you can access these from PHP easily enough
Sure it is, however you still have to deal with the issue of having to cope with where to get information from - you still have configuration-file-for-a-configuration-file issue to get into or you set up Settings.php to simply pull from .htaccess but that brings up all sorts of other issues.