From: "Daevid Vincent" on 1 Apr 2010 22:07

(Sorry if this is a duplicate. I sent one earlier with "OT:" prefixing the subject line and I think this list software kills the message despite being proper netiquette. *sigh*)

I have your basic web tree setup.

    developer@mypse:/var/www/dart2$ tree -d -I 'CVS'
    |-- UPDATES
    |-- ajax
    |-- images
    |   |-- gui
    |   `-- icons
    `-- includes
        |-- classes
        |-- css
        |-- functions
        |   `-- xml
        |-- gui
        |-- js
        |   |-- charts
        `-- pear
            |-- Auth
            |-- Benchmark
            |-- DB
            |-- Date
            |-- File
            |-- Spreadsheet
            `-- XML_RPC

It's not ideal. I would normally have /includes/ in a directory outside the servable webroot directory, but for various reasons I won't go into, this is how it is.

Now I have Apache configured to NOT allow directory browsing.

I also have an index.html file in most all main directories to log attempts and also redirect back to the main site.

What I don't know how to protect against is if someone were to KNOW the name of a .php file. Say I have /includes/foo.inc.php for example, someone can put that in their URL and apache will happily serve it up. :(

Is there a directive to prevent this?

I would think it should be doable since PHP reads the file directly off of disk via a command like this and isn't really served per se:

    require_once ROOTPATH.'/includes/functions/foo.inc.php';

Anyone? Anyone? Beuller? Beuller?
From: Robert Cummings on 1 Apr 2010 22:23
Daevid Vincent wrote:
> (Sorry if this is a duplicate. I sent one earlier with "OT:" prefixing the
> subject line and I think this list software kills the message despite being
> proper netiquette. *sigh*)
>
> I have your basic web tree setup.
>
> developer@mypse:/var/www/dart2$ tree -d -I 'CVS'
> |-- UPDATES
> |-- ajax
> |-- images
> |   |-- gui
> |   `-- icons
> `-- includes
>     |-- classes
>     |-- css
>     |-- functions
>     |   `-- xml
>     |-- gui
>     |-- js
>     |   |-- charts
>     `-- pear
>         |-- Auth
>         |-- Benchmark
>         |-- DB
>         |-- Date
>         |-- File
>         |-- Spreadsheet
>         `-- XML_RPC
>
> It's not ideal. I would normally have /includes/ in a directory outside the
> servable webroot directory, but for various reasons I won't go into, this
> is how it is.
>
> Now I have Apache configured to NOT allow directory browsing.
>
> I also have a index.html file in most all main directories to log attempts
> and also redirect back to the main site.
>
> What I don't know how to protect against is if someone were to KNOW the
> name of a .php file. Say I have /includes/foo.inc.php for example, someone
> can put that in their URL and apache will happily serve it up. :(
>
> Is there a directive to prevent this?
>
> I would think it should be doable since PHP reads the file directly off of
> disk via a command like this and isn't really served perse:
>
> require_once ROOTPATH.'/includes/functions/foo.inc.php';
>
> Anyone? Anyone? Beuller? Beuller?

    <LocationMatch "^/includes/">
        Order allow,deny
        Deny from all
    </LocationMatch>

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
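As an added illustration (not part of Rob's reply or the original thread), the following httpd.conf fragment shows the same denial written three ways: the URL-path match from the reply in its Apache 2.4 form, a filesystem-path match that also covers the files if they are ever reached through an Alias or another URL, and a filename match that refuses every *.inc.php regardless of where it lives. It assumes Apache 2.4 authorization syntax (mod_authz_core) and the DocumentRoot /var/www/dart2 seen in the tree listing above; on Apache 2.2 the equivalent inside each container is the `Order allow,deny` / `Deny from all` pair Rob posted.

```apache
# Added example, not from the thread. Goal: refuse direct HTTP requests for
# anything under /includes/ while PHP's require_once, which reads the files
# straight from disk, keeps working. Assumes DocumentRoot /var/www/dart2
# (from the tree listing in the question) and Apache 2.4 syntax.

# 1. URL-based: matches the request path, like the LocationMatch in the reply.
#    Apache 2.2 equivalent inside the block: Order allow,deny / Deny from all
<LocationMatch "^/includes/">
    Require all denied
</LocationMatch>

# 2. Filesystem-based: matches the directory on disk (recursively), so it also
#    applies when the same files are reachable under a different URL via
#    Alias or a symlink inside the DocumentRoot.
<Directory "/var/www/dart2/includes">
    Require all denied
</Directory>

# 3. Defence in depth: never serve *.inc.php wherever it lives, in case an
#    include file ends up outside /includes/ one day.
<FilesMatch "\.inc\.php$">
    Require all denied
</FilesMatch>
```

After `apachectl configtest` and a reload, a request such as `curl -I http://host/includes/functions/foo.inc.php` should return `403 Forbidden`, while any page that does `require_once ROOTPATH.'/includes/functions/foo.inc.php'` still renders, because none of these containers are consulted when PHP opens the file itself. If the includes directory must be managed without touching httpd.conf, the same `Require all denied` line can go in `/var/www/dart2/includes/.htaccess`, provided `AllowOverride` permits `AuthConfig` (or `All`) for that directory.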