Post #10, 07-21-2008, 10:13 AM
rspx0 (New Pligger; Join Date: Jul 2008; Posts: 8)
I'll make one last attempt at explaining this :)

1. I sign up for DreamHost's shared hosting. They ask me to enter a FTP username. I type in johnsmith1234.

2. I log in to DreamHost's web panel, ftp, sftp, ssh etc. using the username johnsmith1234. When I do this, I find that my space on the server -- which is in the /home directory -- is called johnsmith1234. So the path is /home/johnsmith1234. I can't change this. It's how DreamHost does things.

3. I do a one-click install of Pligg using DreamHost. This is installed to a folder named after the domain. Let's say the domain is example.com, so the whole path is now /home/johnsmith1234/example.com/, after which is the Pligg site files and directories.

4. Frankie Hacker stumbles across my website. He's clever enough to know how Pligg works, so he tries to see if any files are accessible that shouldn't be. He tries the install/ directory. Ah, that's gone. He tries settings.php. Ah! An error. Here's what he sees (assuming the site is hosted on a DreamHost server called "bob"):

Warning: include_once(mnmincludesettings_from_db.php) [function.include-once]: failed to open stream: No such file or directory in /home/.bob/johnsmith1234/example.com/settings.php on line 6

Warning: include_once() [function.include]: Failed opening 'mnmincludesettings_from_db.php' for inclusion (include_path='.:/usr/local/php5/lib/php:/usr/local/lib/php') in /home/.bob/johnsmith1234/example.com/settings.php on line 6


So do you see why I'm concerned? He's now got my login name, because it's there in the full path. Sure, he doesn't have my password, but he's only one security vulnerability away from getting access. This username is information that he shouldn't have. This is information that he's being given by Pligg.

The standard instructions to stop this are to alter permissions on the file so it's not publicly accessible, but with DreamHost's shared hosting this doesn't work -- ownerships aren't set up that way. Right now the permissions on the file are -rw------- and it's STILL viewable by the world. And the site works fine.
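As an added example (not code from the post above or from Pligg itself), here is a settings.php that closes the disclosure the post describes: PHP warnings go to a log instead of the page, direct requests to the file are refused, and the include path is checked before use. The `PLIGG_ENTRY_POINT` guard constant, the reconstruction of the failing include line, and the log location are assumptions for illustration.

```php
<?php
// settings.php, hardened variant (added example, not Pligg's own file).

// Reconstruction (assumed, not quoted from Pligg) of how a warning like the
// one above arises: if the constant mnminclude is undefined because the file
// was requested directly, PHP 5 substitutes the constant's name as a string,
// so the path becomes "mnmincludesettings_from_db.php" and the failed include
// prints a warning carrying the absolute path, account username included:
//   include_once(mnminclude.'settings_from_db.php');

// 1. Keep warnings off the page and in a log. The warning text embeds the
//    absolute path (/home/.bob/johnsmith1234/...), which is exactly what
//    leaks the account name on shared hosting.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../php_errors.log'); // assumed location, outside the web root

// 2. Refuse direct requests. Assumption: the site's real entry points define
//    PLIGG_ENTRY_POINT before including this file; a direct hit on
//    /settings.php does not, and receives a bare 403 instead of a warning.
if (!defined('PLIGG_ENTRY_POINT')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}

// 3. Anchor the include path on __DIR__ rather than on a constant that may be
//    missing, and verify the file before including it, so the only message a
//    visitor can ever see is a generic one.
$settings_from_db = __DIR__ . '/mnminclude/settings_from_db.php';
if (!is_file($settings_from_db)) {
    error_log('settings_from_db.php not found at ' . $settings_from_db); // path goes to the log only
    exit('Site configuration error');
}
include_once $settings_from_db;
```

After deploying, the check to run is a direct request to /settings.php: the response should be the bare 403, and the full path should appear only in php_errors.log.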