|
|
|
|
|
|
by jamessocol
5076 days ago
|
|
|
>> Are directories only writeable by the web server user? NB: The next point is "Do all of them even need to be? Are you sure?" > A blisteringly common one not mentioned is database authentication details inside .pl, .py or .php scripts. I am not sure that's so obvious. Most web servers will serve a .ini or .yml file as plain text, if it's in the wrong spot. On the other hand, a PHP file like https://gist.github.com/3177788, even if it's in the web directory, can't leak the data without some other compromise--and the type of compromise required would generally give you access to any of the values in the .ini file, anyway. But, see also #5: "Are your firewall rules restrictive enough?" If I can even connect, let alone authenticate, to your database from the web, you have bigger problems. GCC is an excellent point, though. |
|
|
>> NB: The next point is
Yes but I didn't want to write a counter point to each point. I'd taken the view from the listing of possible problems presented that the basics weren't being considered. It reads as a list of random points in a large space rather than a comprehensive listing.
To give a specific example, the article talks about writable concerns when really we want to be ensuring readable gets the same treatment.
>> even if it's in the web directory, can't leak the data without some other compromise
Or a config error (a botched upgrade disabling mod_php could do the trick, or more obscurely a content negotiation oversight), or a leaked backup (another common one - storing random backups under www root)... There's more than one way to skin a cat as they say.
>> If I can even connect
You're often better to view security as something you provide in layers. I wouldn't expect to be able to hit port 3306 from here, but if you're not expecting me to ever be inside your network, then priviledge escalation is going to be fairly quick for me once i surprise you by getting in.