Is it safe that config.php contains the site admin ID and password?

thomasdog

Joined: 2006-03-22
Posts: 34
Posted: Thu, 2006-04-06 14:25

I found that my site admin account ID and password are in plain text in gallery2/config.php. I tried to access it through a browser and nothing is shown. I just feel a little insecure that this information is stored in a place where anybody can access it. Is it safe?

 
systemX

Joined: 2004-11-04
Posts: 147
Posted: Thu, 2006-04-06 15:52

if you have set the right permissions for config.php, you don't need to be afraid.
you are asked to chmod it back to 644 after installation.
it is safe as others cannot access it as they do not have permission to do so.

 
shocksll

Joined: 2005-06-22
Posts: 352
Posted: Thu, 2006-04-06 16:40

Also, the only time this userid is used is when upgrading a site. So, if you change your admin userid in gallery2 it won't change the config.php. So if your password in gallery2 for the admin account is different than the config.php password, the only vulnerable time you have is after you copy new gallery2 code over your existing website; someone else who knew the password can then upgrade your site and do anything during that process. I feel like those are kind of slim chances.

Steve Lineberry

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Fri, 2006-04-07 04:38

please read:
http://codex.gallery2.org/index.php/Gallery2:Security

summary:
on a shared webhosting account, you risk that other account owners on the same webhoster can read (see) your config.php contents.
so i suggest that you use a password for your web scripts that isn't used for anything else. e.g. don't use the password that you use for e-banking for your web gallery. :)

 
thomasdog

Joined: 2006-03-22
Posts: 34
Posted: Mon, 2006-04-10 08:28

If I am on a Windows XP machine, what is the equivalent to chmod 644?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Tue, 2006-04-11 05:06

writable for the owner of the files, readable for everyone else.

 
SFjames

Joined: 2008-12-18
Posts: 6
Posted: Fri, 2008-12-19 18:31

I was just going to ask about this very issue and a search delivered this thread. It is considered very bad form for ANY file in the /www/html/ tree to have ANY user names or passwords in it. It is considered a very big security hole.

What I am now wondering is: is this code full of holes, and will I have to spend weeks going over it line by line?

For now I will try to move the config.php file to a directory out of the /www/html/ tree and access it via an include. If anyone has another workaround for this issue, please let me know.

I am aware that one can set the rights on the file; however, that is a sloppy and not recommended way to handle PHP scripts in the /www/html tree.

Thanks, James
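The thread turns on two checks a site owner can run themselves: whether config.php really has the 644 mode the installer asks for (and who that mode lets read it, which is valiant's shared-host point), and whether the file still sits under the web root that James wants to move it out of. The script below is an added example written for this thread, not Gallery2 code and not a script any poster supplied. It assumes GNU coreutils `stat -c` (falling back to BSD `stat -f`), and the config.php it creates in demo() is a constructed stand-in for the real file.

```shell
#!/bin/sh
# Added example, not Gallery2 code: audit config.php's permission bits and
# location for the two concerns raised in this thread.
# Assumptions: GNU coreutils `stat -c` (falls back to BSD `stat -f`); the
# config.php written by demo() is a constructed stand-in, not the real file.

# Octal permission bits of a file, e.g. "644".
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify who can read or write the file from its mode bits alone.
# Prints one of WORLD_WRITABLE, WORLD_READABLE, GROUP_READABLE, OWNER_ONLY.
classify_mode() {
    mode=$(file_mode "$1")
    other=${mode#"${mode%?}"}        # last octal digit: "other" users
    rest=${mode%?}
    group=${rest#"${rest%?}"}        # middle digit: group
    if [ $((other & 2)) -ne 0 ]; then
        echo WORLD_WRITABLE
    elif [ $((other & 4)) -ne 0 ]; then
        echo WORLD_READABLE
    elif [ $((group & 4)) -ne 0 ]; then
        echo GROUP_READABLE
    else
        echo OWNER_ONLY
    fi
}

# Exit 0 when the mode is exactly the 644 the installer asks for:
# read/write for the owner, read-only for everyone else.
is_recommended_mode() {
    [ "$(file_mode "$1")" = 644 ]
}

# Exit 0 when FILE lives beneath DOCROOT, i.e. a web request could in
# principle be aimed at it. Both paths are resolved physically.
under_docroot() {
    docroot=$(cd "$1" && pwd -P) || return 1
    dir=$(cd "$(dirname "$2")" && pwd -P) || return 1
    case "$dir/" in
        "$docroot"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable report combining the checks above.
report() {
    docroot=$1; file=$2
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    cls=$(classify_mode "$file")
    echo "$file: mode $(file_mode "$file") ($cls)"
    case $cls in
        WORLD_WRITABLE) echo "  any local account can modify it; tighten this first" ;;
        WORLD_READABLE) echo "  any local account can read it; on a shared host that includes other customers" ;;
        *) echo "  not readable by other accounts" ;;
    esac
    if is_recommended_mode "$file"; then
        echo "  matches the 644 the installer asks for"
    else
        echo "  not 644; make sure the web server user can still read it"
    fi
    if under_docroot "$docroot" "$file"; then
        echo "  located inside the document root $docroot"
    else
        echo "  located outside the document root $docroot"
    fi
}

# Demo on a constructed config.php in a throwaway document root, before and
# after the move James describes.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/html/gallery2" "$tmp/private"
    printf '<?php /* constructed stand-in for config.php */\n' > "$tmp/html/gallery2/config.php"
    chmod 644 "$tmp/html/gallery2/config.php"
    report "$tmp/html" "$tmp/html/gallery2/config.php"
    mv "$tmp/html/gallery2/config.php" "$tmp/private/config.php"
    chmod 640 "$tmp/private/config.php"
    report "$tmp/html" "$tmp/private/config.php"
    rm -rf "$tmp"
}

demo
```

Run it as `sh check_config.sh`, or source it and call `report /path/to/docroot /path/to/config.php` against a real install. The classification looks only at mode bits, so on a shared host a 644 file is reported as readable by any local account; which accounts actually exist there is something only the hoster can answer.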

 
floridave

Joined: 2003-12-22
Posts: 25965
Posted: Fri, 2008-12-19 21:42
Quote:
What I am now wondering is: is this code full of holes, and will I have to spend weeks going over it line by line?

You are welcome to and if you find anything you can get paid:
http://codex.gallery2.org/Bounties#Security_Bounties

But read this as well:
http://codex.gallery2.org/Gallery2:Security
and you will find that G2 has had an external security audit by GDS as well as others.
http://gallery.menalto.com/gallery_security_and_gds

Dave

_____________________________________________
Blog & G2 || floridave - Gallery Team