Magento Forum

   
clear text database password in local.xml file
 
mmcds
Jr. Member
 
Total Posts:  7
Joined:  2009-12-17
 

We have security audits and we found that there is the database password in clear text format in the local.xml file.  We were surprised that this wasn’t encrypted.  This will not pass our security audits so we are wondering how to get around this issue to not show this clear text password or encrypt it somehow.  Thanks.

 
 
edmondscommerce
Guru
 
Total Posts:  342
Joined:  2008-08-26
 

It has to be stored somewhere.

It could be encrypted, but then where would we store the encryption key - it's also stored in the local.xml file.

Is the problem that the file is inside the webroot?

See this wiki page:
http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/how_to_move_local.xml_outside_the_doc_root

 
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

They would have to have access to your server to get to local.xml. Once they have access to your server, it is impossible to protect, encrypted or not. At some point PHP will have to know the password, and at that point they can just do a memory dump of PHP and they have it.
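
The two exposure questions raised in the replies above (is local.xml inside the web root, and who on the server can read it) can be checked mechanically. The following is an added example, not code from the thread or from Magento: `audit_local_xml`, the finding labels, the sample file and the 0640 mode are constructed for illustration, and the XML path assumes the default Magento 1 layout of `app/etc/local.xml`.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

def audit_local_xml(config_path, doc_root):
    """Return a list of findings for a Magento 1 style local.xml."""
    findings = []
    real_cfg = os.path.realpath(config_path)   # resolve symlinks first
    real_root = os.path.realpath(doc_root)
    # Inside the web root, only web-server deny rules keep the file private.
    if os.path.commonpath([real_cfg, real_root]) == real_root:
        findings.append("inside-webroot")
    mode = stat.S_IMODE(os.stat(real_cfg).st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    # Report that a credential is present without printing its value.
    root = ET.parse(real_cfg).getroot()
    pw = root.findtext("global/resources/default_setup/connection/password")
    if pw and pw.strip():
        findings.append("db-password-present")
    return findings

# Constructed sample, trimmed to the connection block.
SAMPLE = """<?xml version="1.0"?>
<config><global><resources><default_setup><connection>
<host><![CDATA[localhost]]></host>
<username><![CDATA[shop]]></username>
<password><![CDATA[constructed-example]]></password>
</connection></default_setup></resources></global></config>
"""

def demo():
    """Audit one copy inside a web root (0644) and one outside it (0640)."""
    with tempfile.TemporaryDirectory() as base:
        doc_root = os.path.join(base, "htdocs")
        inside = os.path.join(doc_root, "app", "etc", "local.xml")
        outside = os.path.join(base, "private", "local.xml")
        for path, mode in ((inside, 0o644), (outside, 0o640)):
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write(SAMPLE)
            os.chmod(path, mode)
        return audit_local_xml(inside, doc_root), audit_local_xml(outside, doc_root)

if __name__ == "__main__":
    print(demo())
```

The password is still stored in clear text in both copies; the audit only shows how many parties other than the PHP process can reach it.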

 