
I am storing hashed passwords in a file called passwords.htaccess. When a user fills out a login form, the passwords are checked. I am getting the contents of passwords.htaccess with file_get_contents('passwords.htaccess');. Is there any way that someone else can read the contents of passwords.htaccess other than me and the login script?

I know that when a user tries to type in the file name directly they encounter a 403 forbidden error, but is there any way around the error using file_get_contents('http://www.mysite.com/passwords.htaccess') or some other method?

If so, are there any other ways I could protect users passwords?

DMVerfurth

2 Answers


(this should be a comment but it's a bit long)

Can someone view the contents of my .htaccess file

We can't tell - it depends how your website is configured. You also don't specify what you mean by "anyone" - if this is running on a shared web host with other users then they may have access too. On a Unix system the root account will have access.

they encounter a 403 forbidden

Then there's something preventing people from accessing the file via the webserver. Possible protections which may be in place are:

  • location - the webserver will only serve up content from directory trees explicitly configured. In your example, the file appears to be in the same place as the code. Leaving aside a discussion of why this is a very bad idea, whether that is relevant depends on whether you are running mod_php or php-fpm, and whether the script containing the snippet of code is an entry point for PHP execution or is included from another script.

  • filesystem permissions - with php-fpm it's quite possible for PHP to be running as a different uid from the webserver

  • specific configuration in your webserver - most provide a means for excluding access based on URL or file name (and often allow globs). Apache configs usually come with the config below, which prevents any access to a file whose name begins with `.ht`, but that is not applicable to "passwords.htaccess".

     <Files ~ "^\.ht">
     Order allow,deny
     Deny from all
     Satisfy All
     </Files>
    

(and that's before we consider any vulnerabilities in the site / platform)

So other than your empirical results, we have no basis to be able to answer your question. We can say that the protection method you have in place does not appear to be in any way portable.

symcbean
  • I am using x10hosting for my site and I am not sure as to how my site is configured. I can tell you that my site is called (http://www.everyone.x10host.com) and my `password.htaccess` file is located in the `user_details` directory. To receive the 403 forbidden error you can go to (http://www.everyone.x10host.com/user_details/passwords.htaccess). – DMVerfurth Apr 20 '18 at 19:31
  • I also know that any `.htaccess` file on my site will give the `403 forbidden` error even if the specific `.htaccess` file does not exist, for example (http://www.everyone.x10host.com/file_does_not_exist.htaccess). – DMVerfurth Apr 20 '18 at 19:32
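The same name-based protection, written so that it is portable across Apache 2.4 installations rather than dependent on whatever the host happens to ship. This is an added example, not configuration from the answer or from the asker's host; the `user_details` path is taken from the comments above and the `/var/www/html` prefix is an assumption. A suffix rule like the second block is evaluated on the requested file name before Apache checks whether the file exists, which is consistent with the 403 the comments report for a nonexistent `*.htaccess`.

```apache
# Added example (Apache 2.4 syntax). The Order/Deny/Satisfy form in the
# answer is 2.2 syntax and only works in 2.4 with mod_access_compat loaded.

# What the default httpd.conf rule does: block names that BEGIN with ".ht",
# so ".htaccess" and ".htpasswd" are denied but "passwords.htaccess" is not.
<Files ".ht*">
    Require all denied
</Files>

# Deny any file whose name ENDS in ".htaccess", wherever it sits under
# DocumentRoot. Applied per request path, so it also 403s names that do
# not exist on disk.
<FilesMatch "\.htaccess$">
    Require all denied
</FilesMatch>

# Stronger: deny the whole directory that holds credential files
# (path assumed from the comments), or better still keep that directory
# outside DocumentRoot so there is nothing for the webserver to serve.
<Directory "/var/www/html/user_details">
    Require all denied
</Directory>
```

Put this in the server configuration or vhost rather than in a per-directory `.htaccess` file where possible, so it cannot be overridden or lost when someone edits the site's own `.htaccess`. None of this helps against the other cases the answer lists (another user on a shared host, root, or a bug in PHP or the site) because those bypass the webserver entirely.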

Password files should ALWAYS be stored outside the folder hierarchy for your website.

The reason is that, should the server or site be misconfigured at some point, files inside the site folder root will be visible. So nothing sensitive should EVER be put there.

You should put the file outside the site root folder.

It should go without saying that you must ensure that the passwords are securely hashed so that the actual password cannot be retrieved if the file is copied. This is because, although the first point above ensures the file will not be exposed by the web service, anyone with access to the server file system (both admins and attackers) will likely be able to at least read the file contents.

Julian Knight