configuration.php contains mysql root password in plain text

scourtney
Joomla! Fledgling
Posts: 3
Joined: Mon Feb 18, 2008 11:36 pm

configuration.php contains mysql root password in plain text

Post by scourtney » Mon Feb 18, 2008 11:59 pm

When checking the configuration.php file created by installation, I found that the Joomla administrator's password is encrypted, but the root account for mysql is in plain text. Changing the file permissions to 640 or removing the plain text password both break the functionality of the page. Since we host several sites on our server, I would much prefer the individual site be compromised than someone gaining full access to my database. As I am still a novice in php, how can I go about encrypting the password in the configuration file for the mysql database?

Shane

 
mandville
Joomla! Master
Posts: 14970
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: configuration.php contains mysql root password in plain text

Post by mandville » Tue Feb 19, 2008 2:41 am

If the file is permissioned at 644 then it should be safe(ish), or move it outside your public_html folder and adjust the include config.php reference.

Do a forum search for "move config.php".
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

scourtney
Joomla! Fledgling
Posts: 3
Joined: Mon Feb 18, 2008 11:36 pm

Re: configuration.php contains mysql root password in plain text

Post by scourtney » Tue Feb 19, 2008 4:02 pm

Thanks a lot for the quick reply, you got me pointed to the security checklist. Moved the config.php as detailed there, but it seems I need to investigate further as I still don't like the fact of having passwords stored in plain text. Thanks again.

locutus
Joomla! Enthusiast
Posts: 111
Joined: Thu Aug 18, 2005 6:43 pm

Re: configuration.php contains mysql root password in plain text

Post by locutus » Wed Feb 20, 2008 7:36 am

Never, never use your root mysql password for a live site. Create a separate user for your Joomla install.

mandville
Joomla! Master
Posts: 14970
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: configuration.php contains mysql root password in plain text

Post by mandville » Wed Feb 20, 2008 10:45 am

I think that there has been some mix-up in terminology, unless scourtney means the database SQL password, usually in the format account_username.

locutus
Joomla! Enthusiast
Posts: 111
Joined: Thu Aug 18, 2005 6:43 pm

Re: configuration.php contains mysql root password in plain text

Post by locutus » Wed Feb 20, 2008 12:15 pm

I am referring to this sentence in the first post:
scourtney wrote: When checking the configuration.php file created by installation I found that the Joomla administrator's password is encrypted, but the root account for mysql is in plain text.
And even if you move configuration.php, using your root password is an unnecessary risk for your server.

igrimpe
Joomla! Enthusiast
Posts: 234
Joined: Wed Feb 20, 2008 8:59 am

Re: configuration.php contains mysql root password in plain text

Post by igrimpe » Wed Feb 20, 2008 1:18 pm

scourtney wrote: I still don't like the fact of having passwords
There is no way to avoid this for the MySQL password.
The Joomla admin "password" is not stored "encrypted" as you assume, but instead it's "hashed".
Admin enters password, password is hashed, compared to saved hash -> bingo or "go away".
Since the PHP script must do the same against the MySQL server, the script has to supply the password. The server will surely hash this pwd and then compare it to the stored pwd. So there is no way to avoid a "plain text" MySQL pwd.
If the pwd were stored "encrypted", the PHP script would need to decrypt it first before it could be used against the MySQL server. Since Joomla is open source, everybody would know the decryption function (which requires a password/key too, which has to be stored somewhere) and could decrypt it anyway.

As said: Set your permissions correctly and create a separate MySQL user which needs many rights but not ALL like "root".

Grumpster
Joomla! Apprentice
Posts: 15
Joined: Wed Jun 21, 2006 9:06 pm

Re: configuration.php contains mysql root password in plain text

Post by Grumpster » Wed Jul 23, 2008 3:46 pm

igrimpe wrote: As said: Set your permissions correctly and create a separate MySQL user which needs many rights but not ALL like "root".
And those, specifically, would be ... ?

I've searched this forum and the Documentation Wiki, but can find nothing on specific permissions to grant to the Joomla database user.

So far, I've just been granting "ALL" privileges ... probably not good, right?

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: configuration.php contains mysql root password in plain text

Post by ircmaxell » Wed Jul 23, 2008 10:56 pm

Grumpster wrote:
igrimpe wrote: As said: Set your permissions correctly and create a separate MySQL user which needs many rights but not ALL like "root".
And those, specifically, would be ... ?

I've searched this forum and the Documentation Wiki, but can find nothing on specific permissions to grant to the Joomla database user.

So far, I've just been granting "ALL" privileges ... probably not good, right?
The only privileges needed are:
create
drop
alter
delete
index
insert
select
update
I'm pretty sure that'll work with the core, and 99% of 3pd apps...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs

brad
Joomla! Master
Posts: 13419
Joined: Fri Aug 12, 2005 12:38 am
Location: Sydney - Australia

Re: configuration.php contains mysql root password in plain text

Post by brad » Wed Jul 23, 2008 10:58 pm

In a properly secured hosting environment, especially one running suPHP, only your user will be able to read/write this configuration.php file anyway.

Keep Joomla up to date and secure, use a good host, take backups, and you should not need to be overly paranoid.
Brad Baker
https://xyzulu.hosting
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

Loggy
Joomla! Apprentice
Posts: 12
Joined: Mon May 14, 2007 4:50 pm

Re: configuration.php contains mysql root password in plain text

Post by Loggy » Mon Mar 07, 2011 3:21 pm

This is a bit of a cold thread but ircmaxell wrote
So far, I've just been granting "ALL" privileges ... probably not good, right?

The only privileges needed are:
create
drop
alter
delete
index
insert
select
update
I'm pretty sure that'll work with the core, and 99% of 3pd apps...
I was wondering the same thing. You certainly don't want to allow GRANT access and there are quite a lot of other accesses that should be disallowed. I started with the list above in J1.6 but discovered that LOCK TABLES is also required. I also included CREATE TEMPORARY TABLES for good measure.

Any advance on these?
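The dedicated, non-root MySQL account that locutus and igrimpe recommend, carrying only the privileges ircmaxell listed plus the two Loggy found Joomla 1.6 needs, written out as an added example (not posted by anyone in the thread; the database name, account name, host and password are assumed placeholders):

```sql
-- Added example: one MySQL account per Joomla site, scoped to that site's
-- database only, instead of sharing the MySQL root account.
-- joomla_site1 and the password are placeholders; change them.
CREATE DATABASE joomla_site1 CHARACTER SET utf8;

-- The account may only connect from the web server itself, not remotely.
CREATE USER 'joomla_site1'@'localhost' IDENTIFIED BY 'CHANGE_ME_long_random_password';

-- ircmaxell's list (CREATE, DROP, ALTER, DELETE, INDEX, INSERT, SELECT,
-- UPDATE) plus LOCK TABLES and CREATE TEMPORARY TABLES from Loggy's post.
-- No GRANT OPTION, no global (*.*) rights, no FILE/SUPER/PROCESS.
GRANT CREATE, DROP, ALTER, DELETE, INDEX, INSERT, SELECT, UPDATE,
      LOCK TABLES, CREATE TEMPORARY TABLES
  ON joomla_site1.* TO 'joomla_site1'@'localhost';

-- Check: the output should show USAGE on *.* (i.e. nothing global) and
-- exactly the privileges above on joomla_site1.*, with no GRANT OPTION.
SHOW GRANTS FOR 'joomla_site1'@'localhost';
```

If configuration.php is later exposed, the attacker holds a password that reaches one site's database rather than every database on the server, which is the containment scourtney asked for in the first post.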

sonfisher
Joomla! Apprentice
Posts: 13
Joined: Mon Apr 13, 2009 9:25 pm
Location: Arizona, USA

Re: configuration.php contains mysql root password in plain

Post by sonfisher » Wed Jun 01, 2011 4:16 pm

If I understand the above dialog correctly, there seems to be a mismatch between the vars that are hashed or not.

Please correct me if I am wrong but from the configuration.php file, isn't the $password var used as the Joomla superadmin password and the $secret var is used as the MySQL admin hashed password?
www.SonFisher.com
Phoenix, AZ
