[FX.php List] [OFF] Security

Tim 'Webko' Booth tim at nicheit.com.au
Fri Apr 25 18:51:20 MDT 2008



> Hi Folks,
>
> Different Day, Different Challenge.
>
> I had to deal with a client's issue today on a third party shared  
> server.  It appears that a bot (?) got in and appended a line of  
> code to each php file in a WordPress directory:

This is a fairly serious problem - it indicates that whatever did this  
managed to get in as either owner or with the group rights for that  
directory, as normal files should never be world writable...
>
> None of my code was affected.
>
> Now that I've experienced my first attack, I'm focused on security.  
> I'm interested to know if folks store username and passwords in the  
> FX/server-data.php file. Or, relocate these "keys to the kingdom"  
> remotely?  I have seen advice to keep the info out of the web server  
> folder altogether.

That password should not be the same as the login to the server - I  
use a low level password that can only be used for FileMaker access  
through php, to read only (if that's all that's required) or  
read/write if that's needed.

But as that password != ftp/web server password, security risk is  
correspondingly lower - even if ppl find that password, it's no good  
for attacking the web server. They may be able to use it to access the  
FM file, but that (in all honesty) is not really a huge risk compared  
to a lot of other things... FM doesn't seem to rate as an application  
to be attacked.

If I were to be paranoid, my FM server would be set to only accept  
connections from a white-list of IP addresses - I read the logs fairly  
frequently, and have never seen a real attack on vectors that would  
compromise FM itself though (even back in the days of CDML where there  
was a reasonably well-known bug that would read an entire database out  
for you...)

YMMV, I guess ;-)

Webko
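As an added example (not part of the original thread or of FX.php), a small Python check a site owner could run over a WordPress directory to surface the two signals Webko's reply points at: .php files that are group- or world-writable, and a run of files that all end in the same appended line. The sample tree, its file names and the injected marker line are constructed fixtures.

```python
import os
import stat
import tempfile
from collections import Counter

def scan_php_tree(root, min_shared=3):
    """Walk `root` and return (writable, suspects), both as paths relative to root.
    writable - .php files that are group- or world-writable (should never be the case)
    suspects - .php files whose final non-blank line is shared by >= min_shared files,
               the fingerprint of a mass 'append one line to every file' injection."""
    last_lines = {}
    writable = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                writable.append(rel)
            with open(path, "rb") as fh:
                lines = [ln.strip() for ln in fh.read().splitlines() if ln.strip()]
            if lines:
                last_lines[rel] = lines[-1]
    counts = Counter(last_lines.values())
    suspects = sorted(p for p, ln in last_lines.items() if counts[ln] >= min_shared)
    return sorted(writable), suspects

def build_sample_tree():
    """Constructed fixture (not real data): five fake WordPress PHP files, four of
    which received the same appended line; file0.php is left world-writable."""
    root = tempfile.mkdtemp()
    marker = b"<?php /* CONSTRUCTED-INJECTED-LINE */ ?>"
    for i in range(5):
        path = os.path.join(root, "file%d.php" % i)
        body = b"<?php echo 'legit %d'; ?>\n" % i
        if i != 0:
            body += marker + b"\n"
        with open(path, "wb") as fh:
            fh.write(body)
        # set modes explicitly so the result does not depend on the umask
        os.chmod(path, 0o666 if i == 0 else 0o644)
    return root

if __name__ == "__main__":
    writable, suspects = scan_php_tree(build_sample_tree())
    print("writable:", writable)
    print("shared trailing line:", suspects)
```

The trailing-line heuristic only catches the "same line appended everywhere" pattern from the thread; a real cleanup should also compare each file against a known-good copy of the WordPress release.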

