Forum Discussion
BTS1
May 29, 2013 (Aspirant)
Php exposes root password in clear text
Hi All,
I apologize - I don't know where this post belongs. I installed php5.3 from readynasextras in order to install owncloud. In the process, since I had screwed around with stuff, I pulled a phpinfo() result off the site and discovered the root password for the ReadyNAS exposed at the end of the page. I don't know if this is something that ever gets exposed publicly once I open it up (internal to my private network for now) or something I should be worried about (I am) and some php searching has not turned up the answer to this question, so I pose it here, hoping you will point me in the right direction. I know my way around UNIX and by extension to some degree Linux, but it has been a while, I have been having fun growing my ReadyNAS to meet more "needs" - I had no idea it was so capable. But as I migrate to an Android phone I have to have a calendar server that is not run out of the G-plex.
How do I block my root password, or any password for that matter, from being exposed? Apologize again - this seems like such a rookie question.
Thanks much,
Byron
3 Replies
- BTS1 (Aspirant):
More specifically:
_SERVER["PHP_AUTH_USER"] admin
_SERVER["PHP_AUTH_PW"] xxxxxxxxxx
- chirpa (Luminary):
First, I recommend admin and root have separate passwords.
As long as you have PHP files under a http/https path that requires auth, those values will likely be available to be read. If you use the HTTP setting for a read-only share to serve pages, it should not show up; if it does, scary indeed.
There may be a php.ini setting to exclude those somehow also.
- WhoCares_ (Mentor):
chirpa wrote: First, I recommend admin and root have separate passwords.
That would be the best approach.
chirpa wrote: As long as you have PHP files under a http/https path that requires auth, those values will likely be available to be read. If you use the HTTP setting for a read-only share to serve pages, it should not show up; if it does, scary indeed.
Also, the output of phpinfo(); should never be exposed to users. It is and always was intended as a debugging help for PHP developers. The same is true for the $_SERVER variables which normally are only used internally and shouldn't get echoed to the user in a normal application.
chirpa wrote: There may be a php.ini setting to exclude those somehow also.
Not that I would know. As it is, the behavior described is actually the way it is intended by PHP and as with other programming languages, internal variables aren't meant to be exposed. For the PHP_AUTH stuff: This will always display the information for the *current authenticated user* which means that an unauthenticated user, even if able to request the phpinfo(); output wouldn't get those values for he/she isn't authenticated. Every authenticated user would only get *his* personal credentials which he/she should already know. So not much of a security issue there either.
-Stefan
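A defensive pattern for the situation in this thread, added here as an illustration and not code from any of the posts or from NETGEAR/ReadyNAS: verify the Basic-auth credentials PHP receives, then remove them from $_SERVER before handing control to the application, so a leftover phpinfo() or a dump of $_SERVER cannot print the password. It assumes Apache with mod_php (the setup that fills PHP_AUTH_USER/PHP_AUTH_PW), a fictional account with a constructed hash, an assumed app entry point, and current PHP (7+) rather than the 5.3 build discussed above.

```php
<?php
// Added example, not code from the thread or from ReadyNAS/NETGEAR.
// Front controller for a PHP app served behind HTTP Basic auth by Apache/mod_php,
// which is the setup that fills $_SERVER['PHP_AUTH_USER'] and ['PHP_AUTH_PW'].
// Companion php.ini hardening (assumed lines, not from the thread):
//   disable_functions = phpinfo
//   expose_php = Off

// Constructed credential store for a fictional account. A real one would be read
// from a file outside the web root; the hash is generated here only so the example runs.
function example_users(): array {
    return ['calendar' => password_hash('example-only-password', PASSWORD_BCRYPT)];
}

// Returns the user name on success, null otherwise. Comparison uses password_verify(),
// so the stored value is a bcrypt hash rather than the clear-text password.
function authenticate(array $server, array $users): ?string {
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pw   = $server['PHP_AUTH_PW']   ?? '';
    if (!isset($users[$user]) || !password_verify($pw, $users[$user])) {
        return null;
    }
    return $user;
}

// Remove every copy of the credentials from the request environment, so that a
// stray phpinfo(), var_dump($_SERVER) or verbose error page can no longer print them.
// HTTP_AUTHORIZATION holds the same user:password pair, only base64-encoded.
function scrub_credentials(array &$server): void {
    foreach (['PHP_AUTH_PW', 'PHP_AUTH_USER', 'HTTP_AUTHORIZATION',
              'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        unset($server[$key]);
    }
}

$who = authenticate($_SERVER, example_users());
if ($who === null) {
    header('WWW-Authenticate: Basic realm="ReadyNAS apps"');
    http_response_code(401);
    exit('Authentication required');
}
scrub_credentials($_SERVER);
// From here on $_SERVER carries no password; only the verified user name is passed down.
$GLOBALS['authenticated_user'] = $who;
require __DIR__ . '/app/index.php';   // assumed application entry point
```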