Question Security issue (db data - pass) in config.ini.php - option to resolve
10 months 1 week ago #1
by webtreesFUN
Security issue (db data - pass) in config.ini.php - option to resolve was created by webtreesFUN
I'm looking for an option to prevent access to the database by encrypting the DB password.
1. At the beginning of installation the DB password is required but is saved in config.ini.php encrypted, e.g.:
2. If the password is plain text after a change, then the file is changed to replace it with the encrypted one.
Code:
dbpass="md5_hash_482c811da5d5b4bc6d497ffa98491e38"
Code:
<?php
// Function to encrypt password
function encryptPassword($password, $encryption_key) {
// Here, you would implement your encryption algorithm
// For example, you can use OpenSSL or any other encryption library
// For demonstration purposes, let's assume simple base64 encoding
$encrypted_password = base64_encode($password);
return $encrypted_password;
}
// Function to generate config.ini.php file with encrypted password
function generateConfigFile($db_password, $encryption_key, $encrypt_password) {
if ($encrypt_password) {
$db_password = encryptPassword($db_password, $encryption_key);
}
$config_content = "
[database]
dbpass=\"$db_password\"
";
file_put_contents("config.ini.php", $config_content);
}
// Function to decrypt password
function decryptPassword($encrypted_password, $encryption_key) {
// Here, you would implement your decryption algorithm
// For example, if using OpenSSL:
// $decrypted_password = openssl_decrypt($encrypted_password, 'aes-256-cbc', $encryption_key);
// return $decrypted_password;
// For demonstration purposes, let's assume simple base64 decoding
$decrypted_password = base64_decode($encrypted_password);
return $decrypted_password;
}
// Installation process
function install($encrypt_password = true) {
$db_password = ""; // Provide the unencrypted password here during installation
$encryption_key = "your_encryption_key"; // Provide your encryption key here
// Generate config.ini.php file with encrypted password if specified
generateConfigFile($db_password, $encryption_key, $encrypt_password);
echo "Installation completed successfully.";
}
// Example installation with option to encrypt password
install(); // Pass true or false to encrypt the password or not
?>
or
Code:
<?php
// Function to generate MD5 hash of password
function generateMD5Hash($password) {
return md5($password);
}
// Function to check if the password needs encryption
function needsEncryption($db_password) {
// Check if the password is already hashed
return !preg_match('/^[a-f0-9]{32}$/', $db_password);
}
// Function to encrypt password if needed and generate config.ini.php file
function generateConfigFile($db_password, $encrypt_password) {
if ($encrypt_password && needsEncryption($db_password)) {
$db_password = generateMD5Hash($db_password);
}
$config_content = "
[database]
dbpass=\"$db_password\"
";
file_put_contents("config.ini.php", $config_content);
}
// Installation process
function install($encrypt_password = true) {
$db_password = ""; // Provide the unencrypted password here during installation
// Generate config.ini.php file with MD5 hashed password if specified
generateConfigFile($db_password, $encrypt_password);
echo "Installation completed successfully.";
}
// Example installation with option to encrypt password
install(); // Pass true or false to encrypt the password or not
?>
- probably an option is needed
Code:
dbpass_encrypt = "true"
Code:
<?php
// Function to generate MD5 hash of password
function generateMD5Hash($password) {
return md5($password);
}
// Function to check if the password needs encryption based on dbpass_encrypt value
function needsEncryption($db_password, $dbpass_encrypt) {
if ($dbpass_encrypt === "true") {
// Check if the password is already hashed
return !preg_match('/^[a-f0-9]{32}$/', $db_password);
}
return false;
}
// Function to encrypt password if needed and generate config.ini.php file
function generateConfigFile($db_password, $dbpass_encrypt) {
if (needsEncryption($db_password, $dbpass_encrypt)) {
$db_password = generateMD5Hash($db_password);
}
$config_content = "
[database]
dbpass=\"$db_password\"
dbpass_encrypt=\"$dbpass_encrypt\"
";
file_put_contents("config.ini.php", $config_content);
}
// Installation process
function install($dbpass_encrypt = "true") {
$db_password = ""; // Provide the unencrypted password here during installation
// Generate config.ini.php file with MD5 hashed password if specified
generateConfigFile($db_password, $dbpass_encrypt);
echo "Installation completed successfully.";
}
// Example installation with option to encrypt password
install("true"); // Pass "true" or "false" to encrypt the password or not
?>
10 months 1 week ago #2
by hermann
Hermann
Designer of the custom module "Extended Family"
webtrees 2.1.21 (all custom modules installed, PHP 8.3.12, MariaDB 10.6) @ ahnen.hartenthaler.eu
Replied by hermann on topic Security issue (db data - pass) in config.ini.php - option to resolve
Why do you think that that is necessary? Normally you cannot read config.ini.php.
10 months 1 week ago #3
by webtreesFUN
Replied by webtreesFUN on topic Security issue (db data - pass) in config.ini.php - option to resolve
It's a good IT standard.
Sometimes you can lose access to the FTP account, or someone can get access to this data or another panel where FTP is managed; then the system is prevented from exporting/stealing data from the database (MySQL, PostgreSQL) or modifying it.
As I was working around it, I noticed that due to combining problems with pretty URLs
www.webtrees.net/index.php/forum/help-fo...king-webtrees-2-1-18
..then I tested chmods, changed them, and finally I'm not sure what should be where..
But also some external addon can be untrusted and provide some data outside the system.. with config.ini.php etc.
So we have good reason to prevent many situations.
I also have a vision for some page in the panel like "CheckSecurity", e.g.
1. Check chmods around the system
2. Require password changes for users, and confirmation that the user changed it
3. 2-factor mode set
4. Captcha turned on/off in the system
5. Encrypted passwords for config.ini.php
6. Encrypted backups (DB and GEDCOM files)
www.webtrees.net/index.php/forum/9-reque...e-and-restore-module
7. etc..
Then we have score points about it, and this checking can be done by cron, and if critical for some reason then mail to the admin, or if very critical, to all users.
Most data leaks are because the admin lost control.. e.g. stolen access, a hack, to the server..
E.g. if on the server there are more apps or systems, and a reflection function exists like in PHP or Python, more often you can penetrate files around config, DB password vars and.. hack this. An encrypted value does not help a hacker break the DB so fast.
10 months 1 week ago #4
by fisharebest
Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net
Replied by fisharebest on topic Security issue (db data - pass) in config.ini.php - option to resolve
1) I am not aware of any application that does this. For example, WordPress, MediaWiki, etc. all store passwords unencrypted.
2) How do you store the encryption key? If an attacker can read the encrypted password, then they can probably also read the encryption key.
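The two objections above (a hash cannot be used to open the DB connection, and a key stored beside the ciphertext is readable by whoever can read the ciphertext), together with the "check chmods" idea from post #3, can be turned into a small file audit. The script below is an added example, not code from webtrees or from anyone in this thread; it assumes the flat key="value" config format written by the snippets in post #1, a key file named dbpass.key next to the config, and that a proper config.ini.php starts with a `; <?php exit; ?>` guard line (that guard line is an assumption, not something the thread states).

```python
import os
import re
import stat
import tempfile

# Assumption: a proper config.ini.php starts with this guard so a direct HTTP request runs "exit".
PHP_GUARD = "; <?php exit; ?>"
MD5_HEX = re.compile(r"^[a-f0-9]{32}$")

def parse_ini(text: str) -> dict:  # minimal key="value" parser for the thread's flat format
    values = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z_]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            values[m.group(1)] = m.group(2)
    return values

def audit_config(path: str) -> list:
    """Return finding strings for one config file; an empty list means nothing flagged."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("config is world-readable or world-writable")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if not text.lstrip().startswith(PHP_GUARD):
        findings.append("missing PHP exit guard on first line")
    cfg = parse_ini(text)
    if MD5_HEX.match(cfg.get("dbpass", "")):
        findings.append("dbpass is a hash: the DB client cannot authenticate with it")
    if cfg.get("dbpass_encrypt", "").lower() == "true":
        key = os.path.join(os.path.dirname(path), cfg.get("dbpass_keyfile", "dbpass.key"))
        if os.path.exists(key) and stat.S_IMODE(os.stat(key).st_mode) == mode:
            findings.append("key file is readable by exactly the same users as config")
    return findings

def demo(hardened: bool = False) -> list:
    # Constructed sample: write a config plus a key file into a temp dir and audit it.
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "config.ini.php")
    body = '[database]\ndbpass="482c811da5d5b4bc6d497ffa98491e38"\ndbpass_encrypt="true"\n'
    if hardened:  # plaintext password, guard line, owner-only permissions
        body = PHP_GUARD + '\n[database]\ndbpass="constructed-plain-password"\n'
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write(body)
    with open(os.path.join(d, "dbpass.key"), "w", encoding="utf-8") as fh:
        fh.write("constructed-example-key\n")
    for name in os.listdir(d):
        os.chmod(os.path.join(d, name), 0o600 if hardened else 0o644)
    return audit_config(cfg)
```

Running demo() reports four findings for the "encrypted" layout from post #1, while demo(hardened=True) reports none for a plaintext password protected only by the guard line and owner-only permissions, which is the point Greg makes: the file permissions, not the encoding of the value, are what protect it.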
10 months 1 week ago - 10 months 1 week ago #5
by webtreesFUN
Replied by webtreesFUN on topic Security issue (db data - pass) in config.ini.php - option to resolve
1. Maybe that's why data leaks are often around? : )
I know many..
2. Simple example, e.g.
Code:
htpasswd -c /usr/home/LOGIN/data_password.passwd USERNAME
I'm more familiar with Python and Ruby, and we do this in a way like:
Code:
passwd = $pbkdf2-sha512$900000$Jdnsfnisufia393489HDYerwndwf
Code:
$hash_password = method_exists($crypt_context, 'hash') ? $crypt_context->hash : $crypt_context->encrypt;
$this->options['passwd'] = $hash_password($new_password);
Last edit: 10 months 1 week ago by webtreesFUN.
10 months 1 week ago #6
by webtreesFUN
Replied by webtreesFUN on topic Security issue (db data - pass) in config.ini.php - option to resolve
Also a plain password in the DB for SMTP_AUTH_PASS is a bad idea.
My suggestion is e.g.
admin@webtress.net as the e-mail for the 1st user, admin, etc. communication, but system@webtress.net to send e-mail as an alias for admin@webtress.net; if a user is replying, then it goes to admin@webtress.net and the identity is for system@webtress.net; then with an encrypted password there is still good privacy around admin@webtress.net and communication.
2 e-mails is a problem if a user wants to reply to system@webtress.net and there is no answer or no-reply and ether space..
That's my comment..