WebApp Sec mailing list archives
Re: MYSQL and PHP
From: "Gerald Quakenbush" <geraldq () mastermindsecuritygroup com>
Date: Tue, 16 May 2006 14:05:28 -0400
Absolutely - if all you do is store the passwords in a file and then need a key to decrypt the file you have to figure out what to do with that key. There is no such thing as a security system that is both useful and impenetrable. Often our job as security professionals is to "raise the bar" on security to make systems hard enough to penetrate that system compromise becomes a manageable risk. Thus, encrypting that file and managing the keys carefully raises the bar. There are a variety of key management strategies; some of them are pretty complicated. The more diligent you get with key management the more complex your software may become. One PHP app I seen a while back had a username and password in the PHP source much like that shown in the original post here. However, that username and password only had SELECT access on a table that was used to validate the user's credentials and one other table that held additional database access information. Not a perfect solution, but raises the bar a bit. Another solution I've seen is to store the keys on another system, typically behind another firewall. When the application starts, it would have to make a connection to the key server, authenticate in some manner, and retrieve the key. If the hacker roots the box, it is only a matter of time until he can figure this all out, but slowing down the hacker is the whole idea. Gerald Quakenbush Author of 'Web Hacker Boot Camp' http://www.quakenbush.com Robin Wood (dninja () gmail com) wrote:
On 5/16/06, Gerald Quakenbush <geraldq () mastermindsecuritygroup com> wrote:John - Of course, one should also get the code updated and have it read and encrypted file and decrypt the credentials. Gerald Quakenbush Author of 'Web Hacker Boot Camp' http://www.quakenbush.comDoesn't this give you a chicken and egg situation of where do you store the key for the encrypted file?
------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
Current thread:
- MYSQL and PHP John Madden (May 15)
- Re: MYSQL and PHP Mark Sanders (May 16)
- Re: MYSQL and PHP Robin Wood (May 16)
- Re: MYSQL and PHP Todd Hendricks (May 16)
- Re: MYSQL and PHP Gerald Quakenbush (May 16)
- Re: MYSQL and PHP Robin Wood (May 16)
- Re: MYSQL and PHP Gerald Quakenbush (May 16)
- Re: MYSQL and PHP bugtraq (May 16)
- Re: MYSQL and PHP Reid Nichol (May 17)
- Re: MYSQL and PHP Robin Wood (May 16)
- Re: MYSQL and PHP r0xes (May 16)
- Re: MYSQL and PHP Kevin Johnson (May 16)
- Re: MYSQL and PHP Jason Ross (May 16)
- Re: MYSQL and PHP Klientų aptarnavimas (May 16)
- Re: MYSQL and PHP Kirk . Johnson (May 16)
- Re: MYSQL and PHP Ed J. Aivazian (May 17)
- <Possible follow-ups>
- Re: MYSQL and PHP wilson . amajohn (May 17)
- RE: MYSQL and PHP Wall, Kevin (May 18)
(Thread continues...)