everbright Posted April 22, 2009 Share Posted April 22, 2009 Hi all, I'm currently involved in customizing the Open Source CMS Joomla for usage in a secure environment. One of the security requirements is the need to be able to make it as hard as possible for the server administrators to be able to compromise the database. Unfortunately, Joomla (and I guess almost all PHP application) puts its database connection parameters in clear in its configuration file. OS file permissions will not help as the SAs will be able to compromise that easily. Has anyone had experience with such scenario, and any good implementations that you can share over here? Thanks! Quote Link to comment https://forums.phpfreaks.com/topic/155192-how-to-hide-user-name-and-password-in-configuration-files/ Share on other sites More sharing options...
revraz Posted April 22, 2009 Share Posted April 22, 2009 If you can't trust your SA's, who can you trust. Just about anything you do, they'll have access to won't they? Quote Link to comment https://forums.phpfreaks.com/topic/155192-how-to-hide-user-name-and-password-in-configuration-files/#findComment-816372 Share on other sites More sharing options...
taith Posted April 22, 2009 Share Posted April 22, 2009 If you can't trust your SA's, who can you trust. Just about anything you do, they'll have access to won't they? pretty much sums it up... when you get right down to it... everything is accessable to a SA... if they wanted to break a site... they could just delete the config file... simple enough... Quote Link to comment https://forums.phpfreaks.com/topic/155192-how-to-hide-user-name-and-password-in-configuration-files/#findComment-816379 Share on other sites More sharing options...
JonnoTheDev Posted April 22, 2009 Share Posted April 22, 2009 Store the configuration file somewhere on your server that your admins do not have permission to. Do not store in the web document root. Change the include paths within the CMS to the new location. Quote Link to comment https://forums.phpfreaks.com/topic/155192-how-to-hide-user-name-and-password-in-configuration-files/#findComment-816396 Share on other sites More sharing options...
PFMaBiSmAd Posted April 22, 2009 Share Posted April 22, 2009 An admin could write a .php script in about 30 seconds that could read and display the contents of any file that another .php script can also read. Quote Link to comment https://forums.phpfreaks.com/topic/155192-how-to-hide-user-name-and-password-in-configuration-files/#findComment-816402 Share on other sites More sharing options...
JonnoTheDev Posted April 22, 2009 Share Posted April 22, 2009 An admin could write a .php script in about 30 seconds that could read and display the contents of any file that another .php script can also read. Encrypt with ioncube: http://www.ioncube.com/ However if your admins can update php files then youre pretty much stuffed as they could output all variables from any part of the system. Quote Link to comment https://forums.phpfreaks.com/topic/155192-how-to-hide-user-name-and-password-in-configuration-files/#findComment-816407 Share on other sites More sharing options...
revraz Posted April 22, 2009 Share Posted April 22, 2009 And they can even read the encryption method and probably have access to decrypt it. Quote Link to comment https://forums.phpfreaks.com/topic/155192-how-to-hide-user-name-and-password-in-configuration-files/#findComment-816486 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.