Skip to content

Commit

Permalink
Merge pull request #658 from adrlsx/feat/env-var-configuration
Browse files Browse the repository at this point in the history
Configuration via environment variables
  • Loading branch information
digininja authored Nov 7, 2024
2 parents 8728628 + 89054fa commit 1785671
Show file tree
Hide file tree
Showing 2 changed files with 67 additions and 50 deletions.
95 changes: 56 additions & 39 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ along with Damn Vulnerable Web Application (DVWA). If not, see <https://www.gnu
## Internationalisation

This file is available in multiple languages:

- Arabic: [العربية](README.ar.md)
- Chinese: [简体中文](README.zh.md)
- French: [Français](README.fr.md)
Expand All @@ -58,7 +59,7 @@ If you would like to contribute a translation, please submit a PR. Note though,

While there are various versions of DVWA around, the only supported version is the latest source from the official GitHub repository. You can either clone it from the repo:

```
```sh
git clone https://github.com/digininja/DVWA.git
```

Expand Down Expand Up @@ -87,23 +88,27 @@ An automated configuration script for DVWA on Debian-based machines, including K

This will download an install script written by [@IamCarron](https://github.com/IamCarron) and run it automatically. This would not be included here if we did not trust the author and the script as it was when we reviewed it, but there is always the chance of someone going rogue, and so if you don't feel safe running someone else's code without reviewing it yourself, follow the manual process and you can review it once downloaded.

```bash
```sh
sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh)"
```

##### Manually Running the Script

1. **Download the script:**
```bash

```sh
wget https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh
```

2. **Make the script executable:**
```bash

```sh
chmod +x Install-DVWA.sh
```

3. **Run the script as root:**
```bash

```sh
sudo ./Install-DVWA.sh
```

Expand Down Expand Up @@ -204,7 +209,7 @@ If you are using a Debian based Linux distribution, you will need to install the
I would recommend doing an update before this, just so you make sure you are going to get the latest version of everything.
```
```sh
apt update
apt install -y apache2 mariadb-server mariadb-client php php-mysqli php-gd libapache2-mod-php
```
Expand All @@ -223,11 +228,23 @@ On Windows, this can be a bit harder if you are hiding file extensions, if you a

[How to Make Windows Show File Extensions](https://www.howtogeek.com/205086/beginner-how-to-make-windows-show-file-extensions/)

### Config with environment variables

Instead of modifying the configuration file, you can also set most settings using environment variables. In a Docker or Kubernetes deployment, this allows you to modify the configuration without creating a new Docker image. You'll find the variables in the [config/config.inc.php.dist](config/config.inc.php.dist) file.

If you want to set the default security level to "low", simply add the following line to the [compose.yml](./compose.yml) file:

```yml
environment:
- DB_SERVER=db
- DEFAULT_SECURITY_LEVEL=low
```
### Database Setup
To set up the database, simply click on the `Setup DVWA` button in the main menu, then click on the `Create / Reset Database` button. This will create / reset the database for you with some data in.

If you receive an error while trying to create your database, make sure your database credentials are correct within `./config/config.inc.php`. *This differs from config.inc.php.dist, which is an example file.*
If you receive an error while trying to create your database, make sure your database credentials are correct within `./config/config.inc.php`. _This differs from config.inc.php.dist, which is an example file._

The variables are set to the following by default:

Expand Down Expand Up @@ -273,19 +290,19 @@ In this state, you can access all the features without needing to log in and set

### Folder Permissions

* `./hackable/uploads/` - Needs to be writeable by the web service (for File Upload).
- `./hackable/uploads/` - Needs to be writeable by the web service (for File Upload).

### PHP configuration

On Linux systems, likely found in `/etc/php/x.x/fpm/php.ini` or `/etc/php/x.x/apache2/php.ini`.

* To allow Remote File Inclusions (RFI):
* `allow_url_include = on` [[allow_url_include](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include)]
* `allow_url_fopen = on` [[allow_url_fopen](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen)]
- To allow Remote File Inclusions (RFI):
- `allow_url_include = on` [[allow_url_include](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include)]
- `allow_url_fopen = on` [[allow_url_fopen](https://secure.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen)]

* To make sure PHP shows all error messages:
* `display_errors = on` [[display_errors](https://secure.php.net/manual/en/errorfunc.configuration.php#ini.display-errors)]
* `display_startup_errors = on` [[display_startup_errors](https://secure.php.net/manual/en/errorfunc.configuration.php#ini.display-startup-errors)]
- To make sure PHP shows all error messages:
- `display_errors = on` [[display_errors](https://secure.php.net/manual/en/errorfunc.configuration.php#ini.display-errors)]
- `display_startup_errors = on` [[display_startup_errors](https://secure.php.net/manual/en/errorfunc.configuration.php#ini.display-startup-errors)]

Make sure you restart the php service or Apache after making the changes.

Expand All @@ -297,8 +314,8 @@ Generated a pair of API keys from <https://www.google.com/recaptcha/admin/create

These then go in the following sections of `./config/config.inc.php`:

* `$_DVWA[ 'recaptcha_public_key' ]`
* `$_DVWA[ 'recaptcha_private_key' ]`
- `$_DVWA[ 'recaptcha_public_key' ]`
- `$_DVWA[ 'recaptcha_private_key' ]`

### Default Credentials

Expand All @@ -308,7 +325,7 @@ These then go in the following sections of `./config/config.inc.php`:

_...can easily be brute forced ;)_

Login URL: http://127.0.0.1/login.php
Login URL: <http://127.0.0.1/login.php>

_Note: This will be different if you installed DVWA into a different directory._

Expand All @@ -333,14 +350,14 @@ Logs can also be accessed from the terminal.
1. Open a terminal and change its working directory to DVWA
2. Show the merged logs

```shell
```sh
docker compose logs
```

In case you want to export the logs to a file, e.g. `dvwa.log`

```shell
docker compose logs >dvwa.log
```sh
docker compose logs > dvwa.log
```

#### I want to run DVWA on a different port
Expand Down Expand Up @@ -388,7 +405,7 @@ On Linux systems Apache generates two log files by default, `access.log` and `er

When submitting error reports, problems, anything like that, please include at least the last five lines from each of these files. On Debian based systems you can get these like this:

```
```sh
tail -n 5 /var/log/apache2/access.log /var/log/apache2/error.log
```

Expand All @@ -414,15 +431,15 @@ So after setup, if you try to visit the site and get a `404`, think about where

If you see the following when running the setup script it means the username or password in the config file do not match those configured on the database:

```
```mariadb
Database Error #1045: Access denied for user 'notdvwa'@'localhost' (using password: YES).
```

The error is telling you that you are using the username `notdvwa`.

The following error says you have pointed the config file at the wrong database.

```
```mariadb
SQL: Access denied for user 'dvwa'@'localhost' to database 'notdvwa'
```

Expand All @@ -432,15 +449,15 @@ The first thing to do is to double check what you think you put in the config fi

If it matches what you expect, the next thing to do is to check you can log in as the user on the command line. Assuming you have a database user of `dvwa` and a password of `p@ssw0rd`, run the following command:

```
```sh
mysql -u dvwa -pp@ssw0rd -D dvwa
```

*Note: There is no space after the -p*
_Note: There is no space after the -p_

If you see the following, the password is correct:

```
```mariadb
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 10.3.22-MariaDB-0ubuntu0.19.10.1 Ubuntu 19.10
Expand All @@ -456,19 +473,19 @@ As you can connect on the command line, it is likely something wrong in the conf

If you see the following, the username or password you are using is wrong. Repeat the [Database Setup](#database-setup) steps and make sure you use the same username and password throughout the process.

```
```mariadb
ERROR 1045 (28000): Access denied for user 'dvwa'@'localhost' (using password: YES)
```

If you get the following, the user credentials are correct but the user does not have access to the database. Again, repeat the setup steps and check the database name you are using.

```
```mariadb
ERROR 1044 (42000): Access denied for user 'dvwa'@'localhost' to database 'dvwa'
```

The final error you could get is this:

```
```mariadb
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
```

Expand All @@ -482,35 +499,35 @@ sudo service mysql start

An error similar to this one:

```
```mariadb
Fatal error: Uncaught mysqli_sql_exception: Connection refused in /var/sites/dvwa/non-secure/htdocs/dvwa/includes/dvwaPage.inc.php:535
```

Means your database server is not running or you've got the wrong IP address in the config file.

Check this line in the config file to see where the database server is expected to be:

```
```php
$_DVWA[ 'db_server' ] = '127.0.0.1';
```

Then go to this server and check that it is running. In Linux this can be done with:

```
```sh
systemctl status mariadb.service
```

And you are looking for something like this, the important bit is that it says `active (running)`.

```
```sh
● mariadb.service - MariaDB 10.5.19 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-03-14 16:04:25 GMT; 1 week 5 days ago
```

If it is not running, you can start it with:

```
```sh
sudo systemctl stop mariadb.service
```

Expand All @@ -522,7 +539,7 @@ In Windows, check the status in the XAMPP console.

With the most recent versions of MySQL, PHP can no longer talk to the database in its default configuration. If you try to run the setup script and get the following message it means you have configuration.

```
```mariadb
Database Error #2054: The server requested authentication method unknown to the client.
```

Expand Down Expand Up @@ -570,7 +587,7 @@ After all that, the setup process should now work as normal.

If you want more information see the following page: <https://www.php.net/manual/en/mysqli.requirements.php>.

### Database Error #2002: No such file or directory.
### Database Error #2002: No such file or directory

The database server is not running. In a Debian based distro this can be done with:

Expand All @@ -596,7 +613,7 @@ Apache may not have high enough privileges to run commands on the web server. If

You may be running into problems with SELinux. Either disable SELinux or run this command to allow the web server to talk to the database:

```
```sh
setsebool -P httpd_can_network_connect_db 1
```

Expand Down Expand Up @@ -635,7 +652,7 @@ I am not going to cover how to get SQLite3 working with PHP, but it should be a

To make the switch, simply edit the config file and add or edit these lines:

```
```php
$_DVWA["SQLI_DB"] = "sqlite";
$_DVWA["SQLITE_DB"] = "sqli.db";
```
Expand Down Expand Up @@ -675,4 +692,4 @@ The app has vulnerabilities, it is deliberate. Most are the well documented ones

Project Home: <https://github.com/digininja/DVWA>

*Created by the DVWA team*
_Created by the DVWA team_
22 changes: 11 additions & 11 deletions config/config.inc.php.dist
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
# Thanks to @digininja for the fix.

# Database management system to use
$DBMS = 'MySQL';
$DBMS = getenv('DBMS') ?: 'MySQL';
#$DBMS = 'PGSQL'; // Currently disabled

# Database variables
Expand All @@ -16,31 +16,31 @@ $DBMS = 'MySQL';
# See README.md for more information on this.
$_DVWA = array();
$_DVWA[ 'db_server' ] = getenv('DB_SERVER') ?: '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ] = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_port'] = '3306';
$_DVWA[ 'db_database' ] = getenv('DB_DATABASE') ?: 'dvwa';
$_DVWA[ 'db_user' ] = getenv('DB_USER') ?: 'dvwa';
$_DVWA[ 'db_password' ] = getenv('DB_PASSWORD') ?: 'p@ssw0rd';
$_DVWA[ 'db_port'] = getenv('DB_PORT') ?: '3306';

# ReCAPTCHA settings
# Used for the 'Insecure CAPTCHA' module
# You'll need to generate your own keys at: https://www.google.com/recaptcha/admin
$_DVWA[ 'recaptcha_public_key' ] = '';
$_DVWA[ 'recaptcha_private_key' ] = '';
$_DVWA[ 'recaptcha_public_key' ] = getenv('RECAPTCHA_PUBLIC_KEY') ?: '';
$_DVWA[ 'recaptcha_private_key' ] = getenv('RECAPTCHA_PRIVATE_KEY') ?: '';

# Default security level
# Default value for the security level with each session.
# The default is 'impossible'. You may wish to set this to either 'low', 'medium', 'high' or impossible'.
$_DVWA[ 'default_security_level' ] = 'impossible';
$_DVWA[ 'default_security_level' ] = getenv('DEFAULT_SECURITY_LEVEL') ?: 'impossible';

# Default locale
# Default locale for the help page shown with each session.
# The default is 'en'. You may wish to set this to either 'en' or 'zh'.
$_DVWA[ 'default_locale' ] = 'en';
$_DVWA[ 'default_locale' ] = getenv('DEFAULT_LOCALE') ?: 'en';

# Disable authentication
# Some tools don't like working with authentication and passing cookies around
# so this setting lets you turn off authentication.
$_DVWA[ 'disable_authentication' ] = false;
$_DVWA[ 'disable_authentication' ] = getenv('DISABLE_AUTHENTICATION') ?: false;

define ('MYSQL', 'mysql');
define ('SQLITE', 'sqlite');
Expand All @@ -49,7 +49,7 @@ define ('SQLITE', 'sqlite');
# Use this to switch the backend database used in the SQLi and Blind SQLi labs.
# This does not affect the backend for any other services, just these two labs.
# If you do not understand what this means, do not change it.
$_DVWA['SQLI_DB'] = MYSQL;
$_DVWA['SQLI_DB'] = getenv('SQLI_DB') ?: MYSQL;
#$_DVWA['SQLI_DB'] = SQLITE;
#$_DVWA['SQLITE_DB'] = 'sqli.db';

Expand Down

0 comments on commit 1785671

Please sign in to comment.