chmod question

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

chmod question

Post by rhecker »

I want to secure the folder on my site that contains my php includes. one of the inc files contains the log-in for the database. Currently, if someone knows the actual file name, they can display it in a browser. If I set chmod to 700, then some features on the site stop working. Can I use chmod for this purpose, or is there a better way to secure these files?

Thanks for any suggestions.
Robert07
Forum Contributor
Posts: 113
Joined: Tue Jun 17, 2008 1:41 pm

Re: chmod question

Post by Robert07 »

To avoid letting someone pull a file directly from your server, you can add the following code to the top (if your db.php file is named differently then change the condition accordingly):

Code: Select all

 
// *** Make sure the file isn't accessed directly
if(stripos($_SERVER['SCRIPT_FILENAME'],"db.php")!==false) {
    //Give out an "access denied" error
    echo "access denied";
    //Block all other code
    exit();
}
 
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: chmod question

Post by Eran »

The best way would be to put the included scripts outside of the document root where they are not accessible directly.
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: chmod question

Post by rhecker »

Thanks for the responses. The stripos solution is interesting but did not work for me. Putting the file outside the root would simply be a little inconvenient for me as it is a file I edit VERY often. It works best for me to use FTP access to the site subdirectory while working on the site files.

I read of a solution I like in the security chapter of "Programming PHP" where one changes the Apache server as follows, but the book doesn't tell where to put the code snippet, and I wonder if I can make this change in a shared hosting environment. Any thoughts?

Code: Select all

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
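Where a snippet like that goes, as an added example that is not from the thread or from "Programming PHP": on a shared host, where httpd.conf is off limits, it is placed in a .htaccess file inside the directory that holds the includes (the path public_html/inc/ is assumed here). It only takes effect if the host grants AllowOverride for that directory. Both the Apache 2.2 and the Apache 2.4 forms are shown, and the last variant denies HTTP access to the whole directory, which costs nothing because include() reads the file from disk, never over HTTP.

```apache
# Added example (not from the thread or the book). Save as
# public_html/inc/.htaccess on a shared host where httpd.conf is not editable.
# Needs AllowOverride Limit (Apache 2.2) or AllowOverride AuthConfig (Apache 2.4)
# granted for this directory by the host; otherwise the file is silently ignored.

# Apache 2.2 (mod_access_compat on 2.4): refuse direct requests for *.inc files.
# The Order keywords must be written "allow,deny" with no space between them.
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Apache 2.4 (mod_authz_core) equivalent of the block above; use this form on 2.4
# and do not mix the two styles in one file.
# <FilesMatch "\.inc$">
#     Require all denied
# </FilesMatch>

# Broader variant: nothing in an includes directory should ever be fetched by a
# browser, since PHP's include() reads it from disk, so deny all HTTP access to it.
# (Apache 2.4 form; on 2.2 use "Order allow,deny" and "Deny from all" on their own.)
# Require all denied
```

The blanket deny is the second-best option named later in the thread: it does not depend on the file extension, so a db.php or db.inc.php in that directory is covered too, and PHP pages elsewhere in the site keep including the files by path exactly as before.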
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: chmod question

Post by s.dot »

Why is it viewable in a browser?

If you have php variables, nobody will know what they are.

eg. sample db.php

Code: Select all

<?php
 
$dbh = mysql_connect('localhost', 'username', 'password');
mysql_select_db('mydatabase', $dbh);

If I were to pull up mydomain.com/inc/db.php using that code only a blank page would be shown.
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: chmod question

Post by rhecker »

Why is it viewable in a browser?

Because if someone actually types the url to the file, it will be viewable. I've tried it myself and indeed, the code is viewable.

Normally no one would know the name and location of the file, but if they did, it would show. I did not consider this a security risk, but I am now collaborating with someone who believes it would be best to make it impossible for anyone to directly view the include file.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: chmod question

Post by matthijs »

The misunderstanding here is that you have named your includes .inc.
If you would name them somefile.inc.php the source will not be shown when someone visits the file.

As pytrin suggested, best is to place them outside doc root. Second best is to deny access to the directory the files are in. After that, rely on the fact that the source of php files is not shown.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: chmod question

Post by kaisellgren »

Robert07 wrote:To avoid letting someone pull a file directly from your server, you can add the following code to the top (if your db.php file is named differently then change the condition accordingly):

Code: Select all

 
// *** Make sure the file isn't accessed directly
if(stripos($_SERVER['SCRIPT_FILENAME'],"db.php")!==false) {
    //Give out an "access denied" error
    echo "access denied";
    //Block all other code
    exit();
}
 
Depending on the configuration, the file could be accessed through db%2ephp or via other encoding schemes.
rhecker wrote:Normally no one would know the name and location of the file, but if they did, it would show. I did not consider this a security risk,
It is a risk and as already noted, you are better off placing the files outside doc root.
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: chmod question

Post by rhecker »

OK, so I'm convinced. I will put the file above the root.

But how do I call a file above the root?

I tried the following, but it doesn't work:

Code: Select all

$path = "http://".$_SERVER ['SERVER_ADDR'];
include ($path . "/myfile.php");

I get a message "Page not found". Am I doing this wrong?
Robert07
Forum Contributor
Posts: 113
Joined: Tue Jun 17, 2008 1:41 pm

Re: chmod question

Post by Robert07 »

Depending on the configuration, the file could be accessed through db%2ephp or via other encoding schemes.
Good point, the example I pulled from actually was checking to make sure the filename was index.php, but that was a site where everything was included from the index page so it made sense. In my effort to make the example generic it lost its usefulness...
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: chmod question

Post by kaisellgren »

rhecker wrote:I tried the following, but it doesn't work:

Code: Select all

$path = "http://".$_SERVER ['SERVER_ADDR'];
include ($path . "/myfile.php");

I get a message "Page not found". Am I doing this wrong?
Don't include URIs. See viewtopic.php?f=34&t=106984
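The thread's conclusion put into working code, as an added example that is not code from any of the posters: the credentials file lives one level above the document root and is reached by a filesystem path built from __DIR__, not by a URL. The directory layout, file names and credentials below are assumed, and PDO is used in place of the mysql_* calls shown earlier in the thread. Including "http://..." fetches whatever the web server sends for that URL (here a 404 page, since the file is above the document root) and never the PHP source, and it also needs allow_url_include, which is off by default.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) layout:
//   /home/site/app/config/db.php      this file: credentials, OUTSIDE the document root
//   /home/site/public_html/index.php  a page inside the document root that needs it
//
// Because db.php is not under public_html, Apache never serves it, whatever its name.
// The web server only needs read permission on it. chmod 700 makes a file readable
// by its owner alone; when the owner is the FTP account and PHP runs as a different
// user, the include fails, which is the usual cause of the symptom in the opening
// post. chmod 640 with the web server's group (or 644) keeps the include working.

declare(strict_types=1);

// Defence in depth in case the file is ever copied back under the document root:
// refuse to run if this file is the requested script itself rather than something
// pulled in by include/require. Both sides are resolved filesystem paths, so URL
// encoding tricks such as db%2ephp make no difference to the comparison.
if (isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    http_response_code(403);
    exit('access denied');
}

// Hypothetical credentials; these are the only secrets the file should hold.
const DB_DSN  = 'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4';
const DB_USER = 'username';
const DB_PASS = 'password';

/**
 * Open a database connection with the credentials above.
 * Exceptions are enabled so a failed connection cannot be silently ignored.
 */
function db_connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// In /home/site/public_html/index.php the include is a path relative to that
// file's own directory, so it keeps working wherever the site is deployed:
//
//   require dirname(__DIR__) . '/app/config/db.php';
//   $pdo = db_connect();
```

The FTP workflow from earlier in the thread still works: the account simply needs its root set one level above public_html (or a second FTP path to app/), and the file is edited in place as before.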