I'm interested in comments and strategies for protecting PHP config files, particularly those with Db credentials.
The stock advice, set the file extension to *.php, is fine as far as it goes, but it does not protect against directory perusal attacks. The particular scenario I'm considering:
- We have a server that hosts a variety of third party apps.
- We cannot thoroughly vet all apps
- If an attacker compromises an app, they can potentially use that app to read files from other directories. Db config files are an obvious target.
I have a solution, one that seems to have merit, but I'm not entirely comfortable with it. I'd love to hear comments on it, as well as
- find what php_include is set to
- place the config file in that directory
- make sure the require/include statements that load the config do not specify hard path (no leading ./ etc.)
GOALS
hides the config file completely from an errant sister web app (and more importantly from the webserver itself).
obscures the actual location of the config file. It cannot easily be determined from reading the code. This is opposed to specifying a path outside of the web tree.
minimal intervention, both on a server level and on an app level.
Avoids hard coding the path.
This does not address config file name conflicts, although more then a few apps it's probably worth changing the include config file name.
Unfortunately a lot of our web apps appear to require hard coded paths.
What approaches have others come up with?
Standard advice applies:
Even better advice:
Hiding config files as you suggest seems futile, once an attacker has control of your system in this way, it's game over anyway. You are just making your own job harder of maintaining your webs apps harder with little security gain.