[FX.php List] [OFF] Security
Tim 'Webko' Booth
tim at nicheit.com.au
Fri Apr 25 18:51:20 MDT 2008
> Hi Folks,
>
> Different Day, Different Challenge.
>
> I had to deal with a client's issue today on a third party shared
> server. It appears that a bot (?) got in and appended a line of
> code to each php file in a WordPress directory:
This is a fairly serious problem - it indicates that whatever did this
managed to get in as either owner or with the group rights for that
directory, as normal files should never be world writable...
>
> None of my code was affected.
>
> Now that I've experienced my first attack, I'm focused on security.
> I'm interested to know if folks store username and passwords in the
> FX/server-data.php file. Or, relocate these "keys to the kingdom"
> remotely? I have seen advise to keep the info out of the web server
> folder altogether.
That password should not be the same as the login to the server - I
use a low-level password that can only be used for FileMaker access
through php, to read only (if that's all that's required) or
read/write if that's needed.
But as that password != ftp/web server password, security risk is
correspondingly lower - even if people find that password, it's no good
for attacking the web server. They may be able to use it to access the
FM file, but that (in all honesty) is not really a huge risk compared
to a lot of other things... FM doesn't seem to rate as an application
to be attacked.
If I was to be paranoid, my FM server would be set to only accept
connections from a white-list of IP addresses - I read the logs fairly
frequently, and have never seen a real attack on vectors that would
compromise FM itself though (even back in the days of CDML where there
was a reasonably well-known bug that would read an entire database out
for you...)
YMMV, I guess ;-)
Webko
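Two checks that follow from the exchange above, as an added example that is not part of the original post or of FX.php: one lists PHP files (and directories) under a web root that are group- or world-writable, the condition Webko points out should never hold; the other records a SHA-256 baseline of every PHP file and later reports any file whose content changed, which is how an appended line like the one in the WordPress directory is caught. It assumes a Linux host with GNU find, sha256sum, diff and mktemp; the directory and manifest paths in the usage dispatch are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post or the FX.php project.
# Assumes GNU find, sha256sum, diff and mktemp (typical Linux shared host).

# List PHP files and directories under $1 that are world- or group-writable.
# Octal -perm tests are used for portability across find implementations.
find_loose_perms() {
    dir="$1"
    find "$dir" \( -type d -o -name '*.php' \) \
        \( -perm -0002 -o -perm -0020 \) -print | sort
}

# Write a sorted "sha256  ./relative/path" manifest of PHP files under $1 to $2.
# Paths are relative to $1 so the manifest can be kept outside the web root.
make_manifest() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f -name '*.php' -exec sha256sum {} + | sort -k2 ) > "$out"
}

# Rebuild the manifest for $1 and compare with the stored one in $2.
# Prints each added, removed or modified path (one per line) and returns 1
# when anything differs; returns 0 when the tree matches the baseline.
check_manifest() {
    dir="$1"; manifest="$2"
    tmp=$(mktemp)
    make_manifest "$dir" "$tmp"
    if diff "$manifest" "$tmp" >/dev/null; then
        rm -f "$tmp"
        return 0
    fi
    # diff lines look like "< hash  ./path" or "> hash  ./path"; keep the path.
    diff "$manifest" "$tmp" | grep '^[<>]' | awk '{print $NF}' | sort -u
    rm -f "$tmp"
    return 1
}

# Illustrative command-line dispatch, e.g.:
#   sh phpcheck.sh perms    /home/client/public_html
#   sh phpcheck.sh baseline /home/client/public_html /home/client/php-manifest.txt
#   sh phpcheck.sh check    /home/client/public_html /home/client/php-manifest.txt
case "${1:-}" in
    perms)    find_loose_perms "$2" ;;
    baseline) make_manifest "$2" "$3" ;;
    check)    check_manifest "$2" "$3" ;;
esac
```

Store the manifest outside the document root, for the same reason the thread gives for credentials: anything the web server can serve or an injected script can overwrite is not a trustworthy baseline. Run the check from cron and treat any output as an incident, not a false alarm to silence.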