Is a plaintext password in a CGI script a security hole?

I read that with your web server everything can go wrong, which can lead to the display of PHP scripts as text files in a web browser; therefore, I have moved most of my PHP scripts to a directory outside the root of the website. Now I was wondering if this could happen with CGI scripts in my cgi-bin.

My main problem is one script that contains the username and password for my MySQL database. If this is a possible security hole (at least with regard to the contents of the database), is there a way to place sensitive data somewhere else and get it from there (for example, saving it in a file in another directory and reading it from that file)? My scripts are written in Perl.

+6
security perl webserver cgi cgi-bin
6 answers

> I read that with your web server everything can go wrong, which can lead to the display of PHP scripts as text files in a web browser; therefore, I have moved most of my PHP scripts to a directory outside the root of the website. Now I was wondering if this could happen with CGI scripts in my cgi-bin.

Yes. If something goes wrong that causes the programs to be served instead of executed, then their contents will be revealed. This is exactly the same problem as for PHP (except that, because cgi-bin directories are usually configured as aliases to a directory outside the root of the website, it is a bit harder for the problem to arise).

> My main problem is one script that contains the username and password for my MySQL database. If this is a possible security hole (at least with regard to the contents of the database), is there a way to place sensitive data somewhere else and get it from there (for example, saving it in a file in another directory and reading it from that file)?

Yes. Just make sure the directory is outside the webroot.

For added security, make sure that the database only accepts the credentials for connections from the minimum set of hosts that need to access it. For example, if the database is on the same server as the web server, then only allow the credentials from localhost. In this case, it would also be useful if the database could listen only on the local network interface.

> My scripts are written in Perl.

I would use one of the Config::* modules for this.

+10

One thing worth mentioning is shared hosting.

If you are using a host shared with other users, it may not be possible to hide the password from them. It depends on the configuration details for the OS and the web server.

For example, on Linux there is usually an Apache configuration in which a single web server user serves all the websites, so for it to read or write a site's files, the site owner has to make them readable/writable by all users.

You might trust all of these users not to abuse this themselves, but if one of the sites has a vulnerability that lets an attacker view the entire file system, the attacker could use it against all the other sites.

There are countermeasures against this, but they complicate the situation for users, so many hosters do not implement them.

+3

This is definitely a security issue. You must store the password encrypted in a separate file, and make sure that only your application can access it.

+1

It is definitely not recommended to write a password into a script if you can avoid it. Fortunately, both Postgres and MySQL support loading database credentials from a file. For Postgres you use ~/.pgpass, and for MySQL I believe ~/.my.cnf. In either case, you must set the permissions so that only the user the script runs as has permission to read the file. The advantage of this approach is that you do not need to write code to read the file; the DB client library does this automatically.

+1
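Both approaches from the thread (the first answer's "read a file outside the webroot with a Config::* module" and this answer's "let the client library read ~/.my.cnf") in one Perl CGI, as an added example that is not code from any of the posters. The file paths, the section and key names, the database name and the `articles` table are assumptions for the illustration; the permission and DocumentRoot checks are an addition that neither answer spells out, so that a misconfigured file fails closed instead of silently working.

```perl
#!/usr/bin/perl
# Added example: two ways a Perl CGI can obtain MySQL credentials without
# embedding them in the script. Paths, section/key names and the table name
# are assumptions for the illustration.
use strict;
use warnings;
use Cwd qw(realpath);
use Fcntl qw(:mode);     # S_IMODE, S_IRWXG, S_IRWXO
use Config::Tiny;        # CPAN; one of the Config::* modules the first answer means
use DBI;                 # needs DBD::mysql

# Hypothetical locations; both must sit outside DocumentRoot.
#
# /etc/myapp/db.conf (constructed sample, mode 0600):
#   [database]
#   name     = webapp
#   user     = webapp
#   password = REPLACE_ME
#
# /home/myapp/.my.cnf (constructed sample, mode 0600):
#   [client]
#   user     = webapp
#   password = REPLACE_ME
my $APP_CONF = '/etc/myapp/db.conf';
my $MY_CNF   = '/home/myapp/.my.cnf';

# Refuse a credentials file that other local users could read (the shared
# hosting problem), that is not owned by the uid we run as, or that lives under
# DocumentRoot and could therefore be served as text after a config mistake.
sub check_private_file {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    my $mode = S_IMODE($st[2]);
    die sprintf("%s is mode %04o; it must not be group/world accessible (chmod 600)\n",
                $path, $mode) if $mode & (S_IRWXG | S_IRWXO);
    die "$path is owned by uid $st[4], but this script runs as uid $<\n"
        if $st[4] != $<;
    if (my $docroot = $ENV{DOCUMENT_ROOT}) {   # set by Apache for CGI programs
        my ($real, $root) = (realpath($path), realpath($docroot));
        die "$path lies inside DocumentRoot $docroot\n"
            if defined $real && defined $root && index($real, "$root/") == 0;
    }
    return 1;
}

# Approach 1 (first answer): parse an INI-style file with Config::Tiny and hand
# the values to DBI yourself.
sub connect_from_config {
    my ($path) = @_;
    check_private_file($path);
    my $cfg = Config::Tiny->read($path)
        or die "cannot parse $path: " . Config::Tiny->errstr . "\n";
    my $db = $cfg->{database} or die "no [database] section in $path\n";
    for my $key (qw(name user password)) {
        die "missing '$key' in [database] of $path\n" unless defined $db->{$key};
    }
    # host=127.0.0.1 keeps the connection on the local machine.
    return DBI->connect("DBI:mysql:database=$db->{name};host=127.0.0.1",
                        $db->{user}, $db->{password},
                        { RaiseError => 1, PrintError => 0 });
}

# Approach 2 (~/.my.cnf answer): let the client library read the credentials.
# DBD::mysql's mysql_read_default_file / mysql_read_default_group DSN options
# make libmysqlclient load user= and password= from the [client] group, so the
# script itself never holds the secret in a variable.
sub connect_from_mycnf {
    my ($path, $dbname) = @_;
    check_private_file($path);
    my $dsn = "DBI:mysql:database=$dbname;host=127.0.0.1;"
            . "mysql_read_default_file=$path;mysql_read_default_group=client";
    return DBI->connect($dsn, undef, undef, { RaiseError => 1, PrintError => 0 });
}

# Minimal CGI body using approach 2 (swap in connect_from_config($APP_CONF)
# for approach 1).
my $dbh = eval { connect_from_mycnf($MY_CNF, 'webapp') };
print "Content-Type: text/plain\r\n\r\n";
if (!$dbh) {
    # Log the reason, but never echo $@ to the browser: it can contain the
    # DSN or the path of the credentials file.
    warn "database connection failed: $@";
    print "Service unavailable\n";
    exit 0;
}
my ($count) = $dbh->selectrow_array('SELECT COUNT(*) FROM articles');
print "articles: $count\n";
$dbh->disconnect;
```

The file-side checks only cover the script's end. The server-side half that the first and the penultimate answers describe is MySQL configuration: `bind-address = 127.0.0.1` (or `skip-networking`) in the server's my.cnf so it does not listen on external interfaces, and a grant of the form `GRANT ... TO 'webapp'@'localhost'` so the account is only usable from the local host. With both in place, a leaked password by itself does not give a remote attacker a database connection.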

If you are using a directory configured as cgi-bin, there is no way to display the file except through an Apache configuration error. If you use Perl programs outside the cgi-bin directories but inside the site root, this can happen.

In addition, you can configure the database to accept connections only from the local socket, so knowing the database password would be useless.

0

You already have better answers than I can provide, but as a note:

Storing passwords in plaintext is very bad form, period.

Likewise, overwriting or deleting files without the user's permission is very bad form. If you do, it will bite you or your client in the butt in the end.

0