Re: Forum displays PHP code, not website [message #177375 is a reply to message #177372]
Thu, 22 March 2012 09:41
Erwin Moller
Messages: 228 Registered: September 2010
On 3/22/2012 4:20 AM, P E Schoen wrote:
> "Dave Pyles" wrote in message news:jkdv3n$s61$1(at)dont-email(dot)me...
>
>> P E Schoen wrote:
>>> Last night I wanted to check out a forum http://www.mytractorforum.com/,
>>> but instead of showing the forum, it displays the PHP code. I thought it
>>> was a temporary glitch, but it's going on almost 24 hours now. I don't
>>> really know how to contact them. But I'm wondering what may have
>>> happened. Hacked?
>>>
>>> Thanks,
>
>> Seems to be working correctly now.
>
> I tried again, and still saw the problem, but it was reloading the page
> from the cache. A refresh cleared it up. I still wonder what could have
> caused the source to be displayed. Would this happen if the PHP
> application on the server was missing or defective?
>
> Thanks,
>
> Paul
Hi Paul,
The annoying thing that just happened to you also nicely demonstrates
why you should store your database credentials OUTSIDE the webroot.
I hope you did!
A simple guess like requesting any of the following might reveal the
right connection string:
/db.php
/database.php
/connect.php
etc.
Or when the attacker knows you run, for example, CodeIgniter, they can
"guess" the right place where to find it (application/config/database.php).
(Please note that leaking the connection string doesn't mean that an
attacker can access the database over TCP/IP, but it is better to avoid
leaking it anyway. I set up my PostgreSQL without TCP/IP connections for
that reason, only local access via Unix domain sockets.)
Regards,
Erwin Moller
PS: Make sure you complain about this at your ISP!
--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
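The layout Erwin recommends, as an added example (this is not code from the original post or from any forum software): the credentials file lives one directory above the document root, and the loader refuses to read a config file that sits inside the document root, since such a file is one broken PHP handler away from being served as plain text. All paths, the config key names and the DSN are assumptions; the DSN shows PostgreSQL reached through its Unix domain socket directory rather than TCP/IP, matching the setup described above. The demo builds a throwaway layout under the system temp directory so it runs offline without a database.

```php
<?php
// Added example, not from the original post. Assumed layout (hypothetical paths):
//   .../htdocs/      <- DocumentRoot, everything here can be fetched by URL
//   .../config/db.php <- credentials, not reachable by URL
declare(strict_types=1);

/**
 * Load database settings from $configPath, but only if that file is outside
 * $documentRoot. Returns the settings array, throws otherwise.
 */
function load_db_config(string $configPath, string $documentRoot): array
{
    $real = realpath($configPath);
    if ($real === false) {
        throw new RuntimeException("Config file not found: $configPath");
    }

    $root = realpath($documentRoot);
    if ($root !== false) {
        $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // A config file under the document root would be served as text if
        // PHP stopped executing, so treat that placement as a hard error.
        if (strncmp($real, $root, strlen($root)) === 0) {
            throw new RuntimeException(
                "Refusing to load credentials from inside the document root: $real"
            );
        }
    }

    $cfg = require $real;   // db.php ends with: return [ ... ];
    foreach (['dsn', 'user', 'password'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("Config is missing key '$key'");
        }
    }
    return $cfg;
}

/**
 * Open a PDO connection. With host= set to the socket directory and no port,
 * PDO connects to PostgreSQL over the Unix domain socket, so the server can
 * keep TCP/IP disabled (listen_addresses = '' in postgresql.conf).
 * Socket path is an assumption; it varies by distribution.
 */
function connect(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// --- Self-contained demo: constructed layout under the temp dir ---
$base    = sys_get_temp_dir() . '/webroot-demo-' . getmypid();
$docRoot = "$base/htdocs";
$outside = "$base/config";
mkdir($docRoot, 0700, true);
mkdir($outside, 0700, true);

$config = "<?php\nreturn [\n"
        . "  'dsn'      => 'pgsql:host=/var/run/postgresql;dbname=forum',\n"
        . "  'user'     => 'forum',\n"
        . "  'password' => 'constructed-example-secret',\n"
        . "];\n";
file_put_contents("$outside/db.php", $config);   // good: outside htdocs
file_put_contents("$docRoot/db.php", $config);   // bad: reachable as /db.php

foreach (["$outside/db.php", "$docRoot/db.php"] as $path) {
    try {
        $cfg = load_db_config($path, $docRoot);
        echo "OK   $path -> user={$cfg['user']}, dsn={$cfg['dsn']}\n";
    } catch (RuntimeException $e) {
        echo "FAIL $path -> {$e->getMessage()}\n";
    }
}
// $pdo = connect($cfg);   // needs a running PostgreSQL with its socket at that path

// Clean up the constructed layout.
unlink("$outside/db.php");
unlink("$docRoot/db.php");
rmdir($outside);
rmdir($docRoot);
rmdir($base);
```

Run it with the PHP CLI: the first path loads, the second is rejected. In a real deployment the call from `htdocs/index.php` would be `load_db_config(__DIR__ . '/../config/db.php', $_SERVER['DOCUMENT_ROOT'])`, and the check fires before any query is run, so a misplaced config fails loudly at deploy time rather than silently waiting for the next handler outage.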