Perl CGI scripts with read access contain passwords to database 

I am using an ISP that runs Apache under the user nobody.  In order
for Apache to be able to read and execute my Perl CGI scripts it needs
global read and exec access (only global read for the modules I
think).  The problem is that one of my modules contains the userid and
password to my Mysql database and hence anyone who has access to the
ISP's  filesystem can mess my database up.

How do I prevent this?

O.
------------------



Fri, 14 May 2004 20:46:20 GMT  


Quote:
> I am using an ISP that runs Apache under the user nobody.  In order
> for Apache to be able to read and execute my Perl CGI scripts it needs
> global read and exec access (only global read for the modules I
> think).  The problem is that one of my modules contains the userid and
> password to my Mysql database and hence anyone who has access to the
> ISP's  filesystem can mess my database up.

#1 Make sure you pick a trustworthy web hosting provider
#2 Make sure that if someone steals the username/pass for the database and
logs on, it will allow them to do minimal to zero changes (maybe permissions
to only do SELECT queries). This is a restriction that's implemented on the
database side
#3 Not really a great idea, but use security through obscurity. Try to
obfuscate your password to an extent that a casual sysadmin will not be
able to figure it out. Think of a neat way to do 2-way encryption/decryption and
store the password in the encrypted form, to be encrypted dynamically at
runtime.
#4 See if you can compile the script or delegate the password setting to a
compiled piece. Note that statically declared strings in source code are
often seen as plaintext inside a compiled binary executable, so you might
want to use this option in conjunction with option #3

That's all I can think of. Hopefully someone will provide better ideas.

Quote:

> How do I prevent this?

> O.
> ------------------




Fri, 14 May 2004 22:59:36 GMT  

Quote:

> I am using an ISP that runs Apache under the user nobody.  In order
> for Apache to be able to read and execute my Perl CGI scripts it needs
> global read and exec access (only global read for the modules I
> think).  The problem is that one of my modules contains the userid and
> password to my Mysql database and hence anyone who has access to the
> ISP's  filesystem can mess my database up.

> How do I prevent this?

Find an ISP that runs apache suexec option or separate cgiwrap so you can
run CGI with 700 permission and access 600 data files.

I was going to suggest suidperl or an suid C wrapper which could limit
direct access to the data, but someone might still be able to manipulate
the script through their own CGI (if not the shell).  But you could thwart
that by requiring a password, which would be entered as regular text,
but would be compared with a crypted password (in the script or elsewhere)
before the script would do anything.

For a webshell.cgi that can execute arbitrary shell commands, I use both a
crypted password entered from a confusing form, and compare REMOTE_ADDR
against my static IP.  Hm, maybe I should crypt my IP too.

--
David Efflandt - All spam is ignored - http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/



Sat, 15 May 2004 07:26:29 GMT  
On Mon, 26 Nov 2001 16:59:36 -0500, "Mina Naguib"

Quote:



>> I am using an ISP that runs Apache under the user nobody.  In order
>> for Apache to be able to read and execute my Perl CGI scripts it needs
>> global read and exec access (only global read for the modules I
>> think).  The problem is that one of my modules contains the userid and
>> password to my Mysql database and hence anyone who has access to the
>> ISP's  filesystem can mess my database up.

>#1 Make sure you pick a trustworthy web hosting provider

It's really the other users of the filesystem that worry me.

Quote:
>#2 Make sure that if someone steals the username/pass for the database and
>logs on, it will allow them to do minimal to zero changes (maybe permissions
>to only do SELECT queries). This is a restriction that's implemented on the
>database side

Not really possible since I need to insert, delete, update rows during
the course of running the application.

Quote:
>#3 Not really a great idea, but use security through obscurity. Try to
>obfuscate your password to an extent that a casual sysadmin will not be
>able to figure it out. Think of a neat way to do 2-way encryption/decryption and
>store the password in the encrypted form, to be encrypted dynamically at
>runtime.

Not possible to hide the key.  Stops casual cribs

Quote:
>#4 See if you can compile the script or delegate the password setting to a
>compiled piece. Note that statically declared strings in source code are
>often seen as plaintext inside a compiled binary executable, so you might
>want to use this option in conjunction with option #3

I connect to the db using DBI which as far as I am aware is
interpreted.  Could I call a compiled prog which in turn calls a Perl
function and still handle all of the handles $dbh etc.

Quote:

>That's all I can think of. Hopefully someone will provide better ideas.

Thanks for the ideas.

Quote:

>> How do I prevent this?

>> O.
>> ------------------


------------------



Sat, 15 May 2004 11:24:34 GMT  

Quote:

>It's really the other users to the filesystem that worry me.

Then your best bet is to make the scripts only readable/executable by
you as user, and SUID-execute it. (e.g. CGIwrap, SUIDexec)

--
        Bart.



Sat, 15 May 2004 16:30:03 GMT  
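As an added example (not code from any post in this thread), here is how the arrangement David and Bart describe, the script itself mode 0700 and a credentials file mode 0600, both readable only because suexec or cgiwrap runs the CGI as the site owner, can be enforced from inside the Perl script before it touches the database, together with David's crypt-hash password check and REMOTE_ADDR comparison. The credential file path and its key=value format, the allow-listed address 203.0.113.7, the DEMO_PASSWORD environment variable standing in for a form field, and the use of a glibc-style crypt(3) that understands "$6$" are all assumptions; the DBI connect is left commented out so the script runs without a MySQL server.

```perl
#!/usr/bin/perl
# Added example, not code from any post in this thread.  Assumes the CGI
# runs under suexec or cgiwrap as the site owner, so $> is that user
# rather than "nobody".  File names, the key=value credential format,
# the allow-listed address and the DEMO_PASSWORD stand-in are made up.
use strict;
use warnings;
use Fcntl qw(:mode);

# Credential file outside the document root, expected to be mode 0600.
my $CRED_FILE = ($ENV{HOME} // '.') . '/.private/dbcred';

# Die unless $path is a regular file owned by the effective user with no
# permission bits beyond $max_mode (0600 for data, 0700 for the script).
sub check_private {
    my ($path, $max_mode) = @_;
    my @st = lstat $path or die "$path: cannot stat\n";
    my ($mode, $uid) = @st[2, 4];
    die "$path: not a regular file (symlink?)\n" unless S_ISREG($mode);
    die "$path: owned by uid $uid but running as uid $>; is suexec/cgiwrap on?\n"
        unless $uid == $>;
    my $perm = S_IMODE($mode);
    die sprintf("%s: mode %04o is readable by others, want at most %04o\n",
                $path, $perm, $max_mode) if $perm & ~$max_mode;
    return 1;
}

# Read "key = value" lines (user, password, optional admin_hash).
sub load_credentials {
    my ($path) = @_;
    check_private($path, 0600);
    open my $fh, '<', $path or die "$path: cannot open\n";
    my %cred;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/ or next;
        $cred{$k} = $v;
    }
    close $fh;
    for my $k (qw(user password)) {
        die "$path: missing '$k'\n" unless defined $cred{$k};
    }
    return \%cred;
}

# Compare two strings without leaking where they first differ.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# SHA-512 crypt(3) hash with a salt from /dev/urandom (needs a glibc-style
# crypt that understands "$6$").  Run offline; store the hash, not the
# plaintext, as admin_hash in the 0600 file.
sub make_hash {
    my ($plain) = @_;
    my @alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
    open my $rnd, '<:raw', '/dev/urandom' or die "no /dev/urandom\n";
    read $rnd, my $bytes, 16;
    close $rnd;
    my $salt = join '', map { $alphabet[ord($_) % 64] } split //, $bytes;
    return crypt($plain, '$6$' . $salt . '$');
}

# David's two gates: the submitted password is checked against its hash,
# and REMOTE_ADDR against a fixed allow-list (do not use X-Forwarded-For).
sub password_ok {
    my ($given, $hash) = @_;
    return 0 unless defined $hash && length $hash;
    return ct_eq(crypt($given, $hash), $hash);
}
sub client_ok {
    my ($addr, @allow) = @_;
    return defined $addr && grep { $_ eq $addr } @allow;
}

# "perl dbgate.cgi --hash 'secret'" prints a hash to paste into the file.
if (@ARGV && $ARGV[0] eq '--hash') {
    die "usage: $0 --hash PASSWORD\n" unless defined $ARGV[1];
    print make_hash($ARGV[1]), "\n";
    exit 0;
}

check_private($0, 0700);                 # the script must not be world-readable either
my $cred = load_credentials($CRED_FILE);

my $given = $ENV{DEMO_PASSWORD} // '';   # stand-in for the password form field
unless (client_ok($ENV{REMOTE_ADDR}, '203.0.113.7')
        && password_ok($given, $cred->{admin_hash})) {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nforbidden\n";
    exit 0;
}

# Only now touch the database (DBI left out so the script runs without one):
# require DBI;
# my $dbh = DBI->connect('DBI:mysql:database=app;host=localhost',
#                        $cred->{user}, $cred->{password}, { RaiseError => 1 });
print "Content-Type: text/plain\r\n\r\nok\n";
```

The script refuses to run until `chmod 700 dbgate.cgi` and `chmod 600 ~/.private/dbcred` have been done and the files belong to the user it runs as. If it dies with "owned by uid N but running as uid M", the CGI is still executing as the shared `nobody` account, which is exactly the original poster's situation: no file permission can protect the password there, because the file has to be readable by `nobody` and so by every other customer's CGI, and only suexec or cgiwrap changes that. The REMOTE_ADDR gate is only as good as the network path (a NAT or proxy in front of the server makes many clients share one address), and the hash check is a second factor for an administrative script, not a substitute for keeping the database password itself out of world-readable files.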