October 2006, 12:09 pm
Password paranoia
I’m usually very careful with passwords and other sensitive information on my websites; some could say overly cautious, even… For most scripts I write, I prefer having the configuration files either opened and parsed from the file system, so they can live outside the public_html directory, or placed in a subdirectory that can be included but which I can still protect from web visitors with .htaccess.
Even though such a file has a .php extension and its contents cannot (in theory) be viewed by web visitors, since it should be parsed by the PHP engine rather than displayed as text, with most scripts written by others you don’t have much choice in the configuration file location or other such details. You are left at the mercy of the programmers to have built in some form of security and common sense, such as not naming the file config.txt, putting it in the public root directory, and storing a plain-text password in it.
The rest is up to you… Examine how the configuration file is handled and explore possible ways to get at the information inside it without providing any authentication. (For example, it’s obvious that a config.txt file in your public root directory can easily be viewed by anyone on the web simply by entering yourdomain.com/config.txt.) Try to determine whether it’s possible to protect it further by restricting access to the directory it’s in via .htaccess, or even with a single rewrite match for that filename…
RewriteEngine On
RewriteRule ^config\.file\.php$ http://%{HTTP_HOST}/ [R,L]
example only, not valid/tested code
There are a lot of ways to circumvent rudimentary protections, and not all of them are as obvious. One that was recently brought to my attention by this blog entry is backing up your website and leaving the compressed file accessible via the web. Not only could someone download the file, decompress it and browse through all your files (not just the configuration files with your passwords, but any other “hidden” files or information residing in your directory), but with new services such as “google code”, which indexes compressed files (including the config file with the password inside that backup you made), someone can now simply search for your passwords, making it easier than ever to obtain sensitive information and exploit it, or you.
Another simple suggestion is to keep separate passwords for the more important things, such as your bank accounts and email. If you use “yabadabadoo” as your password for everything and someone discovers it via some security flaw on your website, they could try it elsewhere as well and do more damage. Don’t assume the person obtaining your password is a random hacker out just to have fun; it could be a coworker, a stalker, or a so-called friend. That makes it even more dangerous, because chances are they know more about you, such as your email address or which bank you use, and thus have a better starting point for trying your “yabadabadoo” password to get at more of your information.
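As an added example (not code from the original post), here is a public_html/.htaccess that applies the two points above: deny web access to configuration files by name, and deny access to backup archives and database dumps left in the web root. It assumes Apache 2.4 with mod_authz_core and mod_rewrite loaded and an AllowOverride that permits these directives; the filenames and extensions matched are assumptions, so adjust them to the script you actually run.

```apache
# Added example, not part of the original post. Assumes Apache 2.4 and that
# the server's AllowOverride lets .htaccess use these directives.

# Weak situation this file mitigates: a config kept in the web root,
# reachable as http://yourdomain.com/config.txt. Moving the file above
# public_html is still the first choice; this is the fallback when the
# script gives you no say in where its configuration lives.

# Deny direct requests for configuration files by name (names assumed).
<FilesMatch "^(config|settings|db)(\.file)?\.(php|inc|txt|ini)$">
    Require all denied
</FilesMatch>

# Deny direct requests for backup archives and dumps left in the web root,
# so a stray site backup cannot be downloaded or indexed.
<FilesMatch "\.(zip|tar|tgz|gz|bz2|7z|rar|sql|bak|old|orig)$">
    Require all denied
</FilesMatch>

# Never auto-generate a directory listing that would reveal such files.
Options -Indexes

# The single-filename rewrite from the post, written for .htaccess context:
# the matched path has no leading slash and the dots are escaped. Returning
# 403 (F) rather than a redirect avoids advertising the file's existence.
RewriteEngine On
RewriteRule ^config\.file\.php$ - [F,L]
```

Because `Require all denied` applies only to HTTP requests, PHP's include() of the same file from disk keeps working; check the result with a plain browser request for each protected name and confirm a 403 comes back.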
s1rk3ls
General, Geek Things, Security