
I've got a web page PHP script which runs p7zip on the server:

This passes a user supplied password for encrypting their uploaded files.

Secondly the password is then emailed via PHP to the recipient.

What are the possible locations the password could be stored?

I did a grep -r "Passw0rd" /var/log/* and nothing was found.

Nothing in bash history either.

Distro is openSUSE.

Many thanks!

user127379
  • Are tempfiles involved in your PHP script? Possibly the password is shown in the process table for a short time. – Tim Haegele Feb 26 '13 at 11:52
  • I don't think so. I suppose I could grep everything from root? I'll have to build a test VM for this or try out of hours. – user127379 Feb 26 '13 at 12:00
  • Under NO CIRCUMSTANCES should you e-mail the password to anybody. Salt'em and hash'em, never ever mail them... – Deer Hunter Feb 26 '13 at 16:00

1 Answer


As this is being passed on the command-line, it's going to be ephemerally stored in the /proc/ filesystem. Anyone who has a local account can get a list of the running processes and their command-line arguments.

 cat /proc/[pid]/cmdline

Which gives you a string. An example:

 /usr/bin/Xorg:0-backgroundnone-logverbose7-auth/var/run/gdm/auth-for-gdm-yrx0zQ/database-nolistentcpvt7

Which translates to:

 /usr/bin/Xorg:0 -background none -logverbose 7 -auth /var/run/gdm/auth-for-gdm-yrx0zQ/database -nolistentcp vt7

The cmdline pseudofile is world-readable, though it is only present when the process is actually running. These are visible in top after pressing the c key.

Some programs do manipulate that string so it isn't representative of what's actually running, though I don't know if php is one that allows such things.

sysadmin1138
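An added example, not part of the answer above or of any project's code: it parses the NUL-separated `/proc/<pid>/cmdline` format and checks whether a secret is visible there when it is passed as an argument versus written to the child's stdin. Assumptions: a Linux host with `/proc` mounted, a Python child process as a hypothetical stand-in for the archiver, a `-p` prefix mirroring 7z's password switch, and a constructed sample password.

```python
import subprocess
import sys
from pathlib import Path

SECRET = "Passw0rd-constructed"  # constructed sample value, not a real password
# Hypothetical stand-in for the archiver: a child that just reads stdin and exits.
CHILD = [sys.executable, "-c", "import sys; sys.stdin.read()"]


def parse_cmdline(raw: bytes) -> list[str]:
    """Split the contents of /proc/<pid>/cmdline into its arguments.

    Each argument is terminated by a NUL byte, which is why `cat` shows them
    run together. Empty content (kernel thread, zombie) yields an empty list.
    """
    if not raw:
        return []
    if raw.endswith(b"\0"):
        raw = raw[:-1]
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]


def observe(extra_args: list[str], stdin_data: bytes = b"") -> list[str]:
    """Start the child, read its cmdline as any local user could, then let it exit."""
    proc = subprocess.Popen(CHILD + extra_args, stdin=subprocess.PIPE)
    try:
        raw = Path(f"/proc/{proc.pid}/cmdline").read_bytes()
    finally:
        proc.communicate(stdin_data)  # send data, close stdin, reap the child
    return parse_cmdline(raw)


def leaks(args: list[str], secret: str) -> bool:
    """True if the secret appears in any argument."""
    return any(secret in arg for arg in args)


if __name__ == "__main__":
    on_argv = observe(["-p" + SECRET])       # secret passed as an argument
    on_stdin = observe([], SECRET.encode())  # secret written to the child's stdin
    print("argv :", on_argv, "-> leaks:", leaks(on_argv, SECRET))
    print("stdin:", on_stdin, "-> leaks:", leaks(on_stdin, SECRET))
```

The same check can be pointed at a real invocation to confirm that a change in how the password is handed over actually keeps it out of the process table.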