Okay, I really hate it when I have to get serious, but this is a serious issue that needs a solution to it, thinking a security patch needs to be done on this one. I was talking with another member who got some index.php files dropped on their server and this is when we realized how large the risk is.
Each of us has a file on our sites (I'm not saying the name of the file as crackers do come in here from time to time and this is a large issue) that contains in it the most sensitive information our sites have. It's basically the key to everything that sits on our servers and is a free pass to anyone who obtains it and knows how to access servers once they have it.
I'm specifically talking about the username & password that sits in a file on all dolphin installs and only runs 644 permissions. With this file, anyone who is able to open it and knows what they are looking at will get, unencrypted, the passwords to our DB's & FTP's with almost nothing we can do about it. Think about this for a moment.
If a hacker manages to find their way into the server via anonymous FTP, crossing from site to site in a shared server and so on, then they can open up the file that every single page calls, access the DB, change tables, steal data, export your entire site, upload new files via FTP, change server configurations and so many more fun little things.
Now, Boonex has taken the time with Dolphin to encrypt all user passwords for the members and even into the Admin Panel, but there is NO encryption of the password sitting right there in the files not very far from the root directory and the file is screaming out with its name what it is. Just begging a cracker to open it. (**Note: Crackers are the ones that destroy things, drop malicious code, break into servers and so on. Hackers are individuals of high intelligence who when presented with a problem will play with the code and look for a solution. Let's not beat on the hackers with this post)
Now, we can drop a blank index.html file into every directory to reduce risks, phpBB3 does that with their base install.
We can lock down FTP on the server from all IP's except our own. But when you travel like myself and others, that is not always a viable solution as we don't always know what our IP will be from day to day.
Mrpowless posted some type of solution for the .htaccess files, but I can't find it right now.
In the end though, we're looking for the guys who know servers, dolphin & sql DB's to hop in here and possibly show a way that this can be resolved. I know we have to have the password there, but is there a way to encrypt that pw for when someone is looking at the file and still enable the sites to run?
Let's hear the ideas on this one... And Boonex, this should be at the top of the lists for D7 as I'm pretty sure it has the same issue.
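Added example for the permissions side of this thread (the 644 point above); it is not code from the thread or from Dolphin itself. It checks whether a config file is readable by "other" users on the box, tightens it to 640 with the web server's group so PHP can still open it while other shell/FTP accounts on a shared host cannot, and lists every world-readable .php file under a docroot so the audit covers a whole install. The file path and group name are placeholders; the real Dolphin filename is deliberately not given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Dolphin.
# CONFIG_FILE and WEB_GROUP below are placeholders (assumptions).

# Exit 0 if "others" can read the file, 1 if not.
is_world_readable() {
    # Column 8 of `ls -ld` output is the others-read bit: 'r' or '-'.
    bit=$(ls -ld -- "$1" | cut -c8)
    [ "$bit" = r ]
}

# Restrict to owner rw + group r and hand the group to the web server
# account, so the site keeps running but other users cannot open the file.
harden_config() {
    f="$1"; grp="$2"
    chgrp -- "$grp" "$f" || return 1
    chmod 640 "$f" || return 1
    if is_world_readable "$f"; then
        return 1
    fi
    return 0
}

# List every world-readable *.php file under a docroot, so the same audit
# can be run across the whole install instead of one file at a time.
list_world_readable_php() {
    find "$1" -type f -name '*.php' -perm -o=r -print
}

# Usage (constructed placeholder paths; adjust to your own host):
# harden_config /var/www/example/inc/SECRET_CONFIG_FILE.php www-data
# list_world_readable_php /var/www/example
```

The group you hand the file to must be the one the PHP process actually runs under (www-data, apache, nobody, or a suPHP/FastCGI per-user account depending on the host), otherwise the site throws errors exactly as the 0000 comment further down warns. On a shared server where PHP runs as the same account as every other customer, permissions alone are not enough and the file should also sit outside the docroot or be denied by the web server config.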
If you have decent virus/anti malware on your computer that detects RATs, and don't store your ftp login info in your ftp program, you're pretty safe.
Most of the iframe injections on servers are not done with the intent of hacking the server. It is usually the hackers intent that the iframe be see more
To be honest I do not see a password being stored in a file as a big problem. I have done a fair few Oracle database installs where there was no other option than see more
Only a 0000 perm will ensure a file can be read by no one, of course that means your site will only throw error pages too!
On most secure systems, or systems that process Credit Card data, they use a hash to store the Credit Card data. This hash requires one to KNOW the passphrase or PIN to actually decode the data that is stored. Although this is extremely see more