Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

IonCube Encoding to encrypt local.xml
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

This is something I was thinking of today. If you have a separate web server and database setup, then you might want to use an encoder that will allow you to encrypt non-php files so that your database credentials are encrypted in case your web server is compromised

 
Magento Community Magento Community
Magento Community
Magento Community
 
samm
Jr. Member
 
Total Posts:  29
Joined:  2009-04-02
 

it doesn’t make a sense, because it is always possible to include encrypted file and dump all variables. If you still want to do this - then you need to hack code, which reads local.xml to put all values inside configuration reader, not the local.xml itself.

 
Magento Community Magento Community
Magento Community
Magento Community
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

The benefit of this is so that no one can read local.xml. The only way they could read local.xml is if they decrypted and decoded your project so they get the encryption keys. With this, if someone (someone who exploited another web site, a technician, etc) gains access to the file system they cannot get the password to the DB.

Does anyone see a downside to this?

 
Magento Community Magento Community
Magento Community
Magento Community
 
samm
Jr. Member
 
Total Posts:  29
Joined:  2009-04-02
 

if you exploited the server - you don’t need the key. Just run anything you want on it to display values. Also local.xml contain only mysql account information, so attacker still need possibility to control the host, it will give nothing if you just got it without ability to connect to MySQL server.

 
Magento Community Magento Community
Magento Community
Magento Community
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

I don’t see how they could run anything. From my understanding it is not like they can just create a “exploit.php” script and have access to the decrypt functions. First, they would have to find a way to make the encrypted code include their custom PHP file. And second, they would have to find a way to get their non-encoded PHP file to run. From my understanding IonCube/ ZendGuard have the ability to verify source code with digital signatures and to not include files that were not part of the encoded project.

So, they are back to decrypting and reverse engineering the code or spending the next million years trying to brute force the encrypted local.xml file. And, if they have access to the web server they can connect to mysql if they have the credentials because the web server must connect to mysql.

 
Magento Community Magento Community
Magento Community
Magento Community
 
mweather
Member
 
Total Posts:  33
Joined:  2007-08-31
 

They don’t need access to the decrypt functions. They don’t need to see the code itself to display the variables the encrypted script loads.

Ioncube does not protect variables from being exposed. So all the attacker needs is a way to load the encrypted file via an include and display the variables.

 
Magento Community Magento Community
Magento Community
Magento Community
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

mweather,

Can you explain how this would be accomplished so I can reproduce it? I have not been able to produce a way that someone who has access to the server can decrypt the file no can I find anyone who has been able to either.

 
Magento Community Magento Community
Magento Community
Magento Community
 
Unirgy
Guru
 
Avatar
Total Posts:  478
Joined:  2007-09-07
 

ShopGuy: they will read the information the same way Magento would.

 
Magento Community Magento Community
Magento Community
Magento Community
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

I have not found a way that the information can be casually read. Currently, they may read the information with the following:

nano local.xml

With the method I described that would be impossible as they would be presented with an encrypted file.

Now, you might think they may be able to read it by appending the following to index.php

echo ioncube_read_file('app/etc/local.xml');

However, ioncube verifies a file has not been modified, so the program will not run and will output “Script corrupted”

So, you might think… I know, they could read it like so:

<?php

include ('index.php');

echo 
ioncube_read_file('app/etc/local.xml');
?>
But no, that will once again not display the file. So, the options they have left to them are to inspect the computers memory. This is by far more sophisticated than the current situation that can read your DB passwords with a simple, widely known command.
 
Magento Community Magento Community
Magento Community
Magento Community
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

The ioncube method that I am describing is not meant to protect against insecure code. It is instead meant to protect the database credentials from people who have access to your server. So, some cases that this protects you against:

1) You own a dedicated server and need to give a tech access to your server

2) You have employees that may need access to your servers to update software

3) You backup your server and your backup is not encrypted… If your backup server is compromised then your database might be too now (this just recently happened to webhostingtalk.com).

 
Magento Community Magento Community
Magento Community
Magento Community
Magento Community
Magento Community
Back to top