DB / DB users question (security)

  • #1

    Just curious about this and if my logic is wrong.

    I currently run a separate DB and a separate user for each of my databases (just paranoid).

    If somebody were to ever find an exploit in one of my scripts and could grab the DB login info, would all my other DBs be safe? My thinking is that if they hacked a DB the others would be safe since they are different and have different users/logins.

    Only reason I ask is because I'm thinking about installing WordPress on my main site. If for any reason an exploit was exposed and my WP was hacked, I just want to make sure all my other DBs / scripts would be safe and remain untouched?

    Thanks in advance
    Bob- (pank)
    pankpages.com / http://twitter.com/_pank

  • #2
    They would be fine.

    The only way a hacker could obtain that info is if they were to get access to the configuration files for the software you have installed (config.php in vBulletin, wp-config.php in WordPress).
    Ryan Ashbrook - My Blog - My Twitter
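    The answer above holds only if each script's MySQL account really is scoped to its own database; a "separate user" that was granted privileges on *.* or on a second schema does not contain a leaked wp-config.php at all. The following POSIX shell script is an added example, not code from any poster in this thread: it emits scoped CREATE USER / GRANT statements for one application and audits SHOW GRANTS output for the usual mistakes. Every database name, user name, password and sample grant line in it is made up.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Emits least-privilege
# MySQL grants for one application's account and audits SHOW GRANTS output for
# the mistakes that silently undo "one DB user per script". Every database name,
# user name, password and sample grant line below is made up.

# Print CREATE USER / GRANT statements for one application.
# Args: database, user, password. The account gets only the table-level
# privileges a typical CMS needs, on its own schema, from localhost.
scoped_grant_sql() {
    db=$1; user=$2; pass=$3
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES ON \`%s\`.* TO '%s'@'localhost';\n" "$db" "$user"
}

# Read SHOW GRANTS output on stdin and print one finding per line that lets
# the account reach outside its own database (given as $1):
#   global-privileges  anything but USAGE on *.* (FILE, SUPER, PROCESS, ...)
#   other-database     a grant on a schema that is not $1
#   grant-option       the account can hand its privileges to others
#   all-privileges     ALL on its own schema (more than a CMS needs)
# Exit status is 1 if anything was flagged, 0 if the account is scoped.
audit_grants() {
    awk -v want="$1" '
    {
        up = toupper($0)
        if (up ~ /^GRANT USAGE ON \*\.\* /) next          # USAGE = no privileges
        if (up ~ /ON \*\.\*/)            { print "global-privileges: " $0; bad = 1; next }
        if (match($0, /ON `[^`]+`\.\*/)) {
            db = substr($0, RSTART + 4, RLENGTH - 7)      # text between ON ` and `.*
            if (db != want)              { print "other-database: " $0; bad = 1; next }
        }
        if (up ~ /WITH GRANT OPTION/)    { print "grant-option: " $0; bad = 1; next }
        if (up ~ /ALL PRIVILEGES/)       { print "all-privileges: " $0; bad = 1; next }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed SHOW GRANTS output for a WordPress account that was set up the
# lazy way (not real output from anyone's server).
sample_bad_grants() {
    cat <<'EOF'
GRANT FILE, PROCESS ON *.* TO 'wp_user'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `wp_db`.* TO 'wp_user'@'localhost'
GRANT ALL PRIVILEGES ON `vb_db`.* TO 'wp_user'@'localhost' WITH GRANT OPTION
EOF
}

# Constructed SHOW GRANTS output for the same account after scoped_grant_sql.
sample_good_grants() {
    cat <<'EOF'
GRANT USAGE ON *.* TO 'wp_user'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES ON `wp_db`.* TO 'wp_user'@'localhost'
EOF
}

# Stand-alone run: show the scoped statements, then audit both samples.
scoped_grant_sql wp_db wp_user 'replace-me-with-a-long-random-password'
echo '--- audit of the over-privileged account:'
sample_bad_grants | audit_grants wp_db || echo '(audit exit status 1)'
echo '--- audit of the scoped account (no output expected):'
sample_good_grants | audit_grants wp_db || echo '(audit exit status 1)'
```

    To check a real host, run `mysql -e "SHOW GRANTS FOR 'wp_user'@'localhost'" | audit_grants wp_db` for each application account. Two findings in the first sample (global FILE/PROCESS, and a grant on the forum's schema) are exactly what would let a leaked WordPress password reach the vBulletin data; the scoped account produces none.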

    • #3
      Originally posted by Ryan Ashbrook:
      They would be fine.

      The only way a hacker could obtain that info is if they were to get access to the configuration files for the software you have installed (config.php in vBulletin, wp-config.php in WordPress).
      Thanks, Ryan.
      My concern was if somebody was able to grab my config file somehow (let's say for WP). Since I use different DBs and different DB logins for each script, while WP could be hacked, would the others be safe?
      Bob- (pank)
      pankpages.com / http://twitter.com/_pank

      • #4
        I have a different password for every database.
        Different usernames and passwords for everything.
        It's not being paranoid, it is just being cautious.
        Of course if someone gets your root or cPanel password, you are history.

        All my passwords are stored on two thumb drives that I keep with me.
        Last edited by steven s; Sat 18th Jul '09, 5:51pm. Reason: added
        ...steven
        www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
        bmwcca.org/forum | m135i.net
        "I tried to clean this up but this thread is beyond redemption." - Steve Machol

        • #5
          It should slow them down. But once someone is on your server, if they can see passwords you're pretty much SOL at this point.

          • #6
            Originally posted by Zachery:
            It should slow them down. But once someone is on your server, if they can see passwords you're pretty much SOL at this point.
            So my thinking would be wrong then? I was thinking that if somebody hacked/got access to my WP config file via an exploit (not via FTP) they would only have access to that DB and that DB user. Since they would all be different, I thought all my other DBs would be safe since they are different logins and different DBs?

            Yes, if they somehow got access to my FTP server (which they should not be able to do / 18-char login with all sorts of special chars) then they could easily find any and all DB logins.

            I thought by using different DB logins and actual DB's it would prevent this (unless they somehow got root access to the main public directory).
            Bob- (pank)
            pankpages.com / http://twitter.com/_pank

            • #7
              Originally posted by 1996 328ti:
              I have a different password for every database.
              Different usernames and passwords for everything.
              It's not being paranoid, it is just being cautious.
              Of course if someone gets your root or cPanel password, you are history.

              All my passwords are stored on two thumb drives that I keep with me.
              Thanks. I use really goofy login passwords with a lot of special characters, so hopefully that helps.
              Bob- (pank)
              pankpages.com / http://twitter.com/_pank

              • #8
                If they can somehow read your config for wordpress, what would stop them from finding your config.php file for vb?

                • #9
                  Originally posted by Zachery:
                  If they can somehow read your config for wordpress, what would stop them from finding your config.php file for vb?
                  I would have thought so? Totally different folder on the server. If they can read a WP config file via a DB dump due to an exploit, how would they be able to access any other folders such as vB? Not to mention in vB I have a .htaccess file that only allows localhost access and a few IPs.

                  I'm not talking about them logging in via FTP, only some sort of exploit that allows them to screw with wordpress or do a dump of the WP database.
                  Bob- (pank)
                  pankpages.com / http://twitter.com/_pank

                  • #10
                    .htaccess only stops the web server from feeding files via HTTP requests. If they do an include on the vB config, regardless of it being in another folder, this is a server-side request. From here they could spit the information out easily. Once someone gains some level of server access, like the ability to edit templates (which can contain PHP code) or a plugin system, your defenses have gone almost to 0.

                    • #11
                      Zachery is correct: if they can access one folder, chances are they can access others.
                      Dean Clatworthy - Web Developer/Designer

                      • #12
                        Originally posted by Dean C:
                        Zachery is correct: if they can access one folder, chances are they can access others.
                        Which is kinda what I said...
                        Ryan Ashbrook - My Blog - My Twitter

                        • #13
                          suPHP can help prevent cross-account access, but it can break some scripts.

                          Also look at mod_security and Suhosin.
                          What's Special About Ruby on Rails?
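                          The point made in #10 (a .htaccess rule is consulted by Apache only for HTTP requests, never for a PHP include() or file_get_contents() by a script already running on the box) and the suPHP remark in #13 come down to filesystem permissions and which OS user each site runs as. The following POSIX shell script is an added example, not code from any poster: it builds a throwaway two-site layout in a temp directory, including a .htaccess of the "localhost and a few IPs" kind next to the forum's config.php, then audits which config files any other local process could read and applies the owner-only fix. All paths, file contents and credentials in it are made up.

```shell
#!/bin/sh
# Added example, not code from any poster. Builds a throwaway shared-host
# layout in a temp directory, then audits which application config files a
# script that has already been hijacked somewhere on the box could read. The
# .htaccess placed next to vB's config.php is the "localhost and a few IPs"
# rule the poster describes; the audit deliberately ignores it, because Apache
# consults .htaccess only when answering HTTP requests, never when a PHP
# script on the same machine does include() or file_get_contents().
# Paths, file contents and credentials are all made up.

# Create the sample layout and print its root directory.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/blog" "$root/forum/includes"
    # WordPress config, left at the 0644 many installers produce
    printf "<?php\ndefine('DB_NAME', 'wp_db');\ndefine('DB_PASSWORD', 'wp-secret-1');\n" \
        > "$root/blog/wp-config.php"
    chmod 644 "$root/blog/wp-config.php"
    # vBulletin config "protected" by .htaccess, also 0644 on disk
    printf "<?php\n\$config['Database']['dbname'] = 'vb_db';\n\$config['MasterServer']['password'] = 'vb-secret-2';\n" \
        > "$root/forum/includes/config.php"
    chmod 644 "$root/forum/includes/config.php"
    printf "Order deny,allow\nDeny from all\nAllow from 127.0.0.1\n" \
        > "$root/forum/includes/.htaccess"
    printf '%s\n' "$root"
}

# List config files under $1 that any other local process can read, judged by
# the group/other permission bits alone (the only thing that matters for a
# local read). Prints "<group+other bits> <path>" per exposed file.
find_exposed_configs() {
    find "$1" \( -name wp-config.php -o -name config.php \) -type f |
    while IFS= read -r f; do
        bits=$(ls -l "$f" | cut -c5-10)          # columns 5-10 of ls -l: group rwx, other rwx
        case $bits in
            ------) ;;                            # owner-only, nothing to report
            *) printf '%s %s\n' "$bits" "$f" ;;
        esac
    done
}

# Remediation: owner-only permissions on every config file under $1.
# This only isolates sites from each other when each site runs as its own OS
# user (suPHP, as mentioned above); under plain mod_php every site's PHP runs
# as the one Apache user, which then owns and reads all of them anyway.
lock_down_configs() {
    find "$1" \( -name wp-config.php -o -name config.php \) -type f -exec chmod 600 {} +
}

# Stand-alone run: audit, fix, audit again, clean up.
demo_root=$(make_sample_docroot)
echo '--- before:'; find_exposed_configs "$demo_root"
lock_down_configs "$demo_root"
echo '--- after (nothing expected):'; find_exposed_configs "$demo_root"
rm -rf "$demo_root"
```

                          Before the fix both files are reported, .htaccess or not; after it, neither is. On a real host point find_exposed_configs at the web root, and remember the caveat in the last comment: chmod 600 only separates the blog from the forum once they run as different OS users, which is what suPHP provides and mod_php does not.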

                          • #14
                            Thanks for the tips guys. I appreciate it... Looks like I'll just keep the main site static.
                            Bob- (pank)
                            pankpages.com / http://twitter.com/_pank

                            • #15
                              Originally posted by pank:
                              Thanks for the tips guys. I appreciate it... Looks like I'll just keep the main site static.
                              You could use WordPress locally and regenerate the content when you need it updated.
