Be careful with configuration files

Just about every program has some configuration or preference data it needs, and this data needs to be stored somewhere, it may be in the windows registry or a file but it’s saved somewhere and it is needed for the program to function correctly.

Most of this data is completely harmless and contain things like the window location on screen, other is somewhat risky like the recently used file list (do you want your employer to accidently discover you are working on your resume?)

But some of this configuration data is outright dangerous – passwords and secret encryption keys are the most obvious examples (scary fact: every program that connects to a remote service without asking for password every single time has something saved on your computer that can be copied and used by anyone to access the service in under your name).

All those configuration need to be somewhere and even need to be backed up like the rest of the data on your computer – but you have to know exactly where all those live so you can take the necessary precautions to protect them.

Here is an example of what happens when you forget this – I have a program that I use to update all my web sites and web applications, this program let me set everything up on a test server and copy it over in one go when I want the changes to go live, this program is a great timesaver.

In order to work this program needs the password for the production server (otherwise it couldn’t log in to upload the files) the password is saved in a small configuration file.

In order to have a backup of this file I just placed it in the web site folder and let the program copy it over to the production server.

So, by forgetting the innocent looking config file is dangerous I’ve accidently place all the data some evil attacker needs to completely take over my server in a file that is accessible over the web!

In this story nothing bad happened, I was the first to discover this and I immediately removed the files and as a precaution also set my server to never allow web access to them – but this could have been really bad if someone else would have discovered this first.

Don’t let this happen to you – know what’s in your configuration files and where they are. 

posted @ Thursday, February 9, 2012 9:02 AM

Comments on this entry:

No comments posted yet.

Your comment:

 (will not be displayed)

Please add 8 and 1 and type the answer here: