Possible is edit files php from server without ftp server?
Posted by: Makoto (---.tvalphaville.com.br)
Date: March 09, 2017 05:23PM

Have anyway to edit php files after basic auth out of localhost? (question about security).

Re: Possible is edit files php from server without ftp server?
Posted by: RiggsFolly (Moderator)
Date: March 09, 2017 07:02PM

Hi

Sorry I have no idea what you are asking.

Try using Google Translate to translate the Portuguese into English

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.3.4 64bit) Aestan Tray Menu 3.2.5.4
<Apache versions MULTIPLE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.23>

Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your databases regularly Here is How don't regret it later! Yes even when developing -X-X-X-

Re: Possible is edit files php from server without ftp server?
Posted by: Makoto (---.tvalphaville.com.br)
Date: March 10, 2017 01:07AM

God, I knew my English was bad, but I could not imagine it that much! XD

Well, the question is this: if perhaps someone discovers the username and password (basic authorization) of my wampserver, could he create new php files or change existing ones to be able to steal information from a SQL database?

I think I was clear now, lol.

Re: Possible is edit files php from server without ftp server?
Posted by: RiggsFolly (Moderator)
Date: March 10, 2017 01:57AM

The answer is of course YES.

But in WAMPServer's default (as installed) state, none of the MYSQL user accounts can be accessed from any PC other than one running WAMPServer. Also no connection can be made to Apache from any PC other than the PC running WAMPServer.

If you change these settings, you do so at your own risk and it is assumed that you know what you are doing.

Re: Possible is edit files php from server without ftp server?
Posted by: Makoto (---.tvalphaville.com.br)
Date: March 10, 2017 04:14PM

Got it. Thank you very much for the answer, but could you remedy another question?

The question sounds kind of silly, but it's really hard to find the answer.

What powers does the authenticated user have permission to access only to "www" folder? Can it edit the php files from the server remotely? Or can it only enter data via url for manipulation of the database as per the limitation of PHP files?

Re: Possible is edit files php from server without ftp server?
Posted by: RiggsFolly (Moderator)
Date: March 10, 2017 05:07PM

Hi,

The answer is NO.

All the parts provided in WAMPServer, i.e. Apache, PHP, MYSQL, MariaDB, are documented on the web; see my Signature for links to some of this documentation.

We provide these applications for you to use, or to learn how to use. Unfortunately we cannot provide training courses on the workings of all these parts, that is down to you to research for yourself.

HAPPY LEARNING

Re: Possible is edit files php from server without ftp server?
Posted by: Makoto (---.tvalphaville.com.br)
Date: March 10, 2017 07:17PM

I'm confused ... You said no, but not what?

1. Can not an authenticated user remotely change files from the server?
2. Can not I answer another question?
3. Or, is it easy to find the answer to this question?

Sorry, at no time did I think of being instructed by someone from the forum. I also did not realize if I asked "how to do" something. I asked a simple question that I could not find in the documentation available online, for being so silly it is.

I'm sorry, if I was petulant, it really was not my intention.

Thanks for the help anyway, God bless you.

Re: Possible is edit files php from server without ftp server?
Posted by: Makoto (---.tvalphaville.com.br)
Date: March 12, 2017 08:34PM

Hello.

I found the answer, maybe someone else has doubts.

In the forum "stackoverflow", a very friendly user did not blink in sharing their knowledge. Simply limit the file system access for the authenticated user to "read-only," and deny everything to the others. In this way, I will be sure that the files will never be changed except on localhost.

I'm new to the forum, but I apologize for the behavior of RiggsFolly. I believe that this is not the behavior of the majority of the forum. He must be very stressed ...

Re: Possible is edit files php from server without ftp server?
Posted by: Otomatic (Moderator)
Date: March 12, 2017 10:47PM

Hi,

RiggsFolly has responded to you in a "normal" way and it is you who should apologize for your own behavior somewhat displaced.

Wampserver 3.0.6 is delivered "out of the box" with access bans from outside your PC. Only the local user on this own PC can access the PHP files or databases.

It is up to you to read the Apache, PHP and MySQL documentation to find the information you need.

If you want to have total certainty that nobody will be able to access your files, the easiest way is to leave your PC off.

If you still make a derogatory reflection on RiggsFolly or whatever, your discussion will be completely removed without further warning.

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Re: Possible is edit files php from server without ftp server?
Posted by: Makoto (---.tvalphaville.com.br)
Date: March 13, 2017 12:08AM

Otomatic, you answered me completely complete, thank you!

I thought responding in capital letters was considered impolite anywhere in the world. God, I must be stressed.

Do not worry, I'll take back what I said: RiggsFolly, or whatever it is, is a very happy guy, full of life, who works responding very well in the forum, only being restricted to answer silly and meaningless questions of faces Crazy like me.

Please do not remove my question without warning, it may be useful for other forum users.

Re: Possible is edit files php from server without ftp server?
Posted by: RiggsFolly (Moderator)
Date: March 13, 2017 02:32AM

I think I now understand your question a little better.

"if perhaps someone discovers the username and password (basic authorization) of my wampserver"

Well, if someone does gain access to the account you use on your PC, i.e. your userid and password, then yes, they can do anything that your user account is allowed to do.

However, this is in no way a WAMPServer issue. This is to do with your own PC security, a totally different and unrelated issue.

I would also like to take this opportunity to remind you that WAMPServer is intended as a Developer tool and not a LIVE web server environment. It can be used as such, but only if you know enough to harden Apache against attacks of all natures. This should only be undertaken if you truly know what you are doing with Apache and its associated tooling.

Using WAMPServer, or any web server, as a LIVE webserver is also a very bad idea if you are hosting the server on a Desktop/Laptop PC. The limitations applied to a NON-Server Windows OS are such that there is a limit of 30 concurrent remote connections. This makes a non-server Windows OS almost completely useless unless you don't expect more than 4 or 5 users to ever want to access your site at any one time. So it can be used to allow a client to UAT your work for example, but not run as a high use LIVE webserver.

I am also a little worried by the answer you seem to think was a good one that you got from StackOverflow. If you limit the account to read only, then how are you going to amend/upgrade code on your site? How would you write to a file on your server, for example: write a SESSION file, upload an image, or create a PDF file or any of the other 1000 things a site may want to write to a disk system for its own use.

As WAMPServer has to run with higher privileges than a normal user in order to function, i.e. Register services and Start and Stop services, be careful limiting this account in any way.

Re: Possible is edit files php from server without ftp server?
Posted by: Makoto (---.tvalphaville.com.br)
Date: March 13, 2017 03:05PM

Many thanks Riggs. You responded with dignity.

Excuse me for something. I just did not think my question sounded like a free class or something. It was an issue outside the server configuration technique. Maybe he was the translator.

Your response was so complete that I reiterate. Honestly, I'm sorry for something.

I'm on a private server project. It's all set up, it's been a long apprenticeship. As it is not open to the public, it will not have high demand, which is perfectly supported by a desktop. It will also not be attacked because it has not been disclosed. But you never know ... I am trying to cover all the gaps that I suppose exist.

The project does not require modification by the client. The server is static, but will have a subfolder with write permissions for the user to upload files. In other words, the root folder "www"(client side) will not have write permissions to avoid asp / php edits, but a subfolder will have, and it will keep the files that will be uploaded.

But the question remains, can a php file be created in this subfolder (client side) that exposes my server (In doubt, I denied the execution of php and cgi in this folder...)?

The doubt arose when I checked that the wampserver did not come with ftp server. So far so good, I could install the filezilla server, for example, if I needed it. I wondered: will it be possible for a client on the network to change existing ASP/PHP files, just like on an ordinary web server, without this being pre-programmed (like a file manager, for example)? I know that the common web server leaves a series of settings in asp or php to change, send or download files, but I did not find the information if there was a way to make changes directly from server AFTER authenticated user that has write permissions (specific hacker programs, maybe?). In other words, the basic nature of the server would be to serve information, so would any attempt non-pre-established to change/create asp/php in file system of server ("www" folder!) would be impossible by the very nature of the server (client side)?

Summarizing: (authenticated user + write permissions)client side = control of the server's file system as it does in a file manager? --> (only "www" folder, already established ordinary security settings!)

All this only appeared because I could not find a simple way to send the "www request" encryption credentials, in C#, from the client to the server. If they were encrypted (credentials), I would have less fear of having a username and password discovered by "sniffing". I limited in php the client-server communication through "if" flow release, and cryptographic password, but this did not prevent authentication from occurring unencrypted. Thus, if it is not possible for an authenticated user to manipulate the server's file system (www folder) to create or modify php files, I do not have to worry about stealing the user name or password (minor security detail), since the crucial information would be in database only accessible via php through mySQL request. I have no problems with mySQL injection because the data is encrypted and not would be pass for the code.

I do not know if I made myself clear, I have reviewed this text several times trying to improve my English. I did not find that answer anywhere, maybe for the answer to be obvious (no). But I'd like to be sure of that. Denying write permissions to the user would solve the security problem, but would not answer the theoretical question, which I did not find anywhere (not even on Wikipedia).



Edited 24 time(s). Last edit at 03/13/2017 04:17PM by Makoto.
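
The layout described in the post above (a "www" root that is not writable, a writable upload subfolder with PHP and CGI execution denied, and basic authentication), sketched as an Apache 2.4 configuration. This is an added example, not configuration from any poster or from WAMPServer itself; the c:/wamp64 paths, the "uploads" folder name, the subnet and the password file are assumptions.

```apache
# Added example. Paths, folder names, subnet and password file are assumptions.
# Write access to these folders is decided by the Windows file-system ACLs of
# the account Apache runs as; Apache directives only decide what is served
# and what is executed.

<Directory "c:/wamp64/www/">
    Options -Indexes
    # Ignore .htaccess files, so a file written into the tree cannot
    # change any of the rules below.
    AllowOverride None

    AuthType Basic
    AuthName "Private project"
    AuthUserFile "c:/wamp64/conf-private/.htpasswd"

    <RequireAll>
        # As installed, WAMPServer uses "Require local"; naming a subnet
        # here is the change that lets other PCs connect.
        Require ip 192.168.1.0/24
        # Basic auth sends the password base64-encoded, not encrypted, so
        # only accept it inside TLS (needs mod_ssl and an HTTPS virtual host).
        Require ssl
        Require valid-user
    </RequireAll>
</Directory>

# Writable upload folder: files may be stored and downloaded, never executed.
<Directory "c:/wamp64/www/uploads/">
    Options -ExecCGI -Includes
    AllowOverride None
    # Valid only when PHP is loaded as an Apache module; it switches the
    # PHP engine off for this tree and cannot be overridden per directory.
    php_admin_flag engine off
    # Refuse to serve script-like names at all, including "name.php.jpg".
    <FilesMatch "(?i)\.(php\d?|phtml|phar|cgi|pl|asp|aspx)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
```

With this in place, a request for a script name under the upload folder is refused before any handler runs, while the authentication and network restrictions of the parent folder still apply to every other file there.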

Re: Possible is edit files php from server without ftp server?
Posted by: RiggsFolly (Moderator)
Date: March 13, 2017 04:04PM

Again I am afraid.

You are talking about securing your FILE SERVER and not your WEB SERVER. Even if the WEB SERVER runs from the FILE SERVER it is not a WAMPServer or Apache or web server issue.

Re: Possible is edit files php from server without ftp server?
Posted by: Makoto (---.tvalphaville.com.br)
Date: March 13, 2017 07:05PM

No problem Riggs.

I was as clear as I could, you may be right, but I still believe it to be a theoretical matter as to the nature of a server.

Certainly not a specific WampServer issue, but it is contained. I do not have the answer but I will simply avoid the results.

Unless someone else wants to throw a light, you can close the topic.

Thank you, God bless you.
