[Chicago] Handling secret stuff: update

Nick Timkovich prometheus235 at gmail.com
Tue May 17 01:01:38 EDT 2016


I know practically nothing about PHP, but if your server is configured such
that users can view its source over HTTP, that sounds insane. Apache or
whatever shouldn't naively handle a request to a *.php URL. If you have PHP
questions, I'd ask that community, but some quick Googling:

http://stackoverflow.com/questions/2995360/possible-to-view-php-code-of-a-website
https://cwe.mitre.org/data/definitions/541.html


On Mon, May 16, 2016 at 9:39 PM, Matthew Erickson <matt at soulrobotic.com>
wrote:

> While we're jumping on security bandwagons, if keys could be extracted
> from web servers with relative ease, SSL would be more broken than it
> already is.
>
> -- Matt
>
> On May 16, 2016, at 21:16, Chris Foresman <foresmac at gmail.com> wrote:
>
> Also, I’m guessing that PHP has some way to read in environment variables
> from the server it's running on; this is typically the method used to secure
> API keys and the like on Django/Python web servers. Is this not an option
> for you?
>
>
> Chris Foresman
> foresmac at gmail.com
>
>
>
>
> On May 16, 2016, at 7:43 PM, Adam Forsyth <adam at adamforsyth.net> wrote:
>
> Leon,
>
> Please stop changing the subject of the thread, it makes it harder to
> follow the conversation and clutters up people's inboxes.
>
> You're mistaken about it being a security problem if "dosomething.php"
> contains the secret key. If your web server is being configured correctly,
> the user of the site can't actually see the contents of "dosomething.php".
> The web server uses a PHP plugin to run "dosomething.php" as a program, and
> then sends its output to the web browser. So the contents of that file are
> secure -- anyone who has access to it already has access to the secret key.
>
>
> On Mon, May 16, 2016 at 5:02 PM, Leon Shernoff <
> leon at mushroomthejournal.com> wrote:
>
>> Hi, everyone
>>
>> and thanks for the suggestions!
>>
>> Thanks, Philip and Joshua. I have been reading OWASP and they are a big
>> part of what scared *me* wrt this situation. :-)
>>
>> Nick, I don't know how Django works. But @ the "code trail", Wordpress
>> runs on php, which means that when you have a form on a page that's
>> supposed to do stuff, the form says
>> <form action="complete_pathname/dosomething.php" method="post">
>> and the dosomething.php file is unencrypted text. If that file
>> contains or just is able to access the secret API key, I have a security
>> problem. While a would-be hacker may not (shouldn't!) have permissions to
>> get to that php file, they at least know where to look, or perhaps they can
>> devise some method of triggering the form's actions and having its results
>> directed to them. JavaScript has a similar problem -- any action you want a
>> page to take is written down in unencrypted pages that are interpreted
>> live. It sounds from what you're saying that Django has layers between the
>> pages that it serves and code that it runs that make this not a problem.
>>
>> In any case, this is the motivation behind my provisional idea of
>> (something like) Japhy's solution -- I'm not running the host server, but
>> at least perhaps I can trigger the more sensitive part of the operation by
>> scheduled actions which are independent of anything that happens via a
>> browser.
>>
>> Thanks again. Your ideas help me think. :-)
>>
>> --
>> Best regards,
>>     Leon
>>
>> "Creative work defines itself; therefore, confront the work."
>>      -- John Cage
>>
>>
>> Leon Shernoff
>> 1511 E 54th St, Bsmt
>> Chicago, IL  60615
>>
>> (312) 320-2190
>>
>> _______________________________________________
>> Chicago mailing list
>> Chicago at python.org
>> https://mail.python.org/mailman/listinfo/chicago
>>
>
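The two concerns the thread circles around are a served `.php` file that embeds the key as a literal, and a server that hands the client the PHP source instead of running it (the CWE-541 case Nick links). The following audit helpers are an added example, not code from any poster; the sample webroot, the file names and the placeholder key value are all constructed here.

```python
"""Audit helpers for the two concerns raised in this thread (constructed example):
1. a .php file under the webroot that assigns a secret literal, and
2. a response body that is PHP source rather than its output (CWE-541)."""
import os
import re
import tempfile

# A quoted literal assigned to a secret-looking PHP variable or define()d constant.
SECRET_ASSIGN = re.compile(
    r"""(?:\$\w*(?:key|secret|token|passw(?:or)?d)\w*\s*=|"""
    r"""define\s*\(\s*['"][^'"]*(?:KEY|SECRET|TOKEN)[^'"]*['"]\s*,)"""
    r"""\s*['"]([^'"]{8,})['"]""",
    re.IGNORECASE,
)

def find_hardcoded_secrets(webroot):
    """Return (path relative to webroot, line number) for every .php file that
    assigns a literal string to a secret-looking variable or constant.
    A getenv() call on the right-hand side is not a literal and does not match."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if SECRET_ASSIGN.search(line):
                        hits.append((os.path.relpath(path, webroot), lineno))
    return hits

def looks_like_php_source(body):
    """True if an HTTP response body still contains a PHP open tag, i.e. the
    server served the file as text instead of executing it."""
    return "<?php" in body or re.search(r"<\?(?!xml)", body) is not None

def demo_webroot():
    """Build a throwaway webroot (constructed) with one offending and one clean file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "dosomething.php"), "w") as fh:
        fh.write('<?php\n$api_key = "sk_live_PLACEHOLDER_VALUE";\n')  # hard-coded literal
    with open(os.path.join(root, "good.php"), "w") as fh:
        fh.write("<?php\n$api_key = getenv('API_KEY');\n")  # read from the environment
    return root

if __name__ == "__main__":
    print(find_hardcoded_secrets(demo_webroot()))
    print(looks_like_php_source("<?php\n$api_key = 'x';\n"))
```

Point `find_hardcoded_secrets` at a real document root to list files that would leak a key if the server ever served them as text, and run `looks_like_php_source` over a fetched response body of your own site to confirm the handler is actually executing PHP.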