Posted: 2013-10-31 21:00:29
WampDeveloper is secured and ready for production deployment out-of-the-box.
There are just a couple of things to be aware of…
While MySQL can only be accessed directly from the local system (it’s bound to 127.0.0.1), it can be accessed indirectly via any phpMyAdmin URL –
The indirect access is currently secured this way:
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    // deny everyone by default
    'deny % from all',
    // allow all users from the local system
    'allow % from localhost',
    'allow % from 127.0.0.1',
    'allow % from ::1',
    // allow all users from the server IP (commented out)
    // 'allow % from SERVER_ADDRESS',
    // allow user root from local system
    'allow root from localhost',
    'allow root from 127.0.0.1',
    'allow root from ::1',
    // allow user root from local network
    // note - WD v5.0 has this un-commented
    //'allow root from 10.0.0.0/8',
    //'allow root from 172.16.0.0/12',
    //'allow root from 192.168.0.0/16',
    //'allow root from fe80::/10', // IPv6 Link-local Addresses
    //'allow root from fc00::/7', // IPv6 Unique Local Addresses
    // add more usernames and their IP (or IP ranges) here -
);
A) The user “root” has *no password set*, but this account is restricted and can *only* be accessed from the local system (under WampDeveloper 5.1), and under WampDeveloper v5.0 from the local network also (as listed above). *If you do set the password for this account, do so for all root accounts (host: localhost, ::1, 127.0.0.1) and update file WampDeveloper.xml with the new password.
B) All other users are also either restricted to local access only, or denied access altogether (as above). *To open this up, you have to edit the above file and set the proper permissions in the above code (example: 'allow user-name-here from 127.0.0.1').
C) There is sometimes one MySQL account called “Any” which allows anyone who can reach MySQL to see (but not modify) the databases. You can safely delete this account if it exists.
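As an added example (not WampDeveloper's or phpMyAdmin's own code), the following script evaluates the AllowDeny rules above against a user name and client address, so you can check what the v5.0 and v5.1 defaults actually permit before exposing phpMyAdmin. The matching logic is a simplified reimplementation of phpMyAdmin's 'deny,allow' evaluation (deny rules checked first, any matching allow rule overrides) and is an assumption of this example, not taken from the project.

```python
import ipaddress

# Active (non-commented) rules from the WampDeveloper 5.1 config shown above.
WD51_RULES = [
    "deny % from all",
    "allow % from localhost",
    "allow % from 127.0.0.1",
    "allow % from ::1",
    "allow root from localhost",
    "allow root from 127.0.0.1",
    "allow root from ::1",
]
# Rules the post says WampDeveloper 5.0 ships un-commented (root from the LAN).
WD50_EXTRA_RULES = [
    "allow root from 10.0.0.0/8",
    "allow root from 172.16.0.0/12",
    "allow root from 192.168.0.0/16",
    "allow root from fe80::/10",
    "allow root from fc00::/7",
]


def _host_matches(pattern: str, client_ip: str) -> bool:
    """Match the 'from' part of a rule: all, localhost, a single IP or a CIDR."""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "all":
        return True
    if pattern == "localhost":
        return ip.is_loopback          # 127.0.0.0/8 and ::1
    net = ipaddress.ip_network(pattern, strict=False)
    return ip.version == net.version and ip in net


def _rule_matches(rule: str, user: str, client_ip: str) -> bool:
    """A rule is '<allow|deny> <user|%> from <host>'; '%' matches any user."""
    _action, rule_user, _from, host = rule.split()
    return rule_user in ("%", user) and _host_matches(host, client_ip)


def is_allowed(rules, user: str, client_ip: str) -> bool:
    """Assumed 'deny,allow' semantics: matching deny forbids, matching allow overrides."""
    forbidden = any(_rule_matches(r, user, client_ip)
                    for r in rules if r.startswith("deny "))
    if any(_rule_matches(r, user, client_ip) for r in rules if r.startswith("allow ")):
        forbidden = False
    return not forbidden


if __name__ == "__main__":
    for version, rules in (("5.1", WD51_RULES), ("5.0", WD51_RULES + WD50_EXTRA_RULES)):
        print(version, "root from LAN 192.168.1.20:", is_allowed(rules, "root", "192.168.1.20"))
```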
Website statistics can be accessed by anyone from the local network.
(*substitute your domain name for www.example.com)
AllowAccessFromWebToFollowingIPAddresses="127.0.0.1 10.0.0.0-10.255.255.255 172.16.0.0-172.31.255.255 192.168.0.0-192.168.255.255"
Each publicly accessible directory that does not contain an index.html or index.php file will default to displaying an “Index” (auto-generated file and directory listing) of that location. To remove “Indexes”…
Add into each website’s top-level .htaccess file, line –
The C:\WampDeveloper\Resources folder contains templates that are used for each new website’s VH (HTTP and SSL) and .htaccess files when a website is created/added. You can edit these templates to meet your specifications.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
This will stop most of the exploits that would try to execute something on the system, without preventing normal scripts and webapps from working.
Website VirtualHost(s) –
<IfModule mod_php5.c>
    php_admin_value open_basedir "C:/WampDeveloper/Temp;C:/WampDeveloper/Websites/domain.name/webroot/"
</IfModule>
This will restrict the locations that can be opened by PHP’s include(), require(), fopen() and other similar functions – to the website’s specific DocumentRoot folder and the general Temporary directory.
By using php_admin_value you are also preventing open_basedir from being reset via .htaccess files and at runtime via ini_set().
Note that using open_basedir comes at a cost –
1. You will not be able to modify php.ini’s “realpath_cache_size” value (modified for performance tuning).
2. “php_value” and “php_admin_value” can only be used under mod_php. These directives cannot be used under PHP-FCGI / mod_fcgi (they will produce a ‘500 Internal Server Error’).
3. “open_basedir” cannot be set under PHP-FCGI (mod_fcgi) per VirtualHost file. Under PHP-FCGI, php.ini has to be modified with a global-scope path that will be shared among all websites / VirtualHosts.