
chmod question

Posted: Fri Sep 25, 2009 8:46 pm
by rhecker
I want to secure the folder on my site that contains my php includes. One of the inc files contains the log-in for the database. Currently, if someone knows the actual file name, they can display it in a browser. If I set chmod to 700, then some features on the site stop working. Can I use chmod for this purpose, or is there a better way to secure these files?

Thanks for any suggestions.

Re: chmod question

Posted: Sat Sep 26, 2009 12:46 am
by Robert07
To avoid letting someone pull a file directly from your server, you can add the following code to the top (if your db.php file is named differently then change the condition accordingly):

// *** Make sure the file isn't accessed directly
if(stripos($_SERVER['SCRIPT_FILENAME'],"db.php")!==false) {
    //Give out an "access denied" error
    echo "access denied";
    //Block all other code
    exit();
}

Re: chmod question

Posted: Sat Sep 26, 2009 12:48 am
by Eran
The best way would be to put the included scripts outside of the document root where they are not accessible directly.

Re: chmod question

Posted: Fri Oct 02, 2009 10:11 am
by rhecker
Thanks for the responses. The stripos solution is interesting but did not work for me. Putting the file outside the root would simply be a little inconvenient for me as it is a file I edit VERY often. It works best for me to use FTP access to the site subdirectory while working on the site files.

I read of a solution I like in the security chapter of "Programming PHP" where one changes the Apache server as follows, but the book doesn't tell where to put the code snippet, and I wonder if I can make this change in a shared hosting environment. Any thoughts?

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

Re: chmod question

Posted: Fri Oct 02, 2009 10:13 am
by s.dot
Why is it viewable in a browser?

If you have php variables, nobody will know what they are.

eg. sample db.php

<?php

$dbh = mysql_connect('localhost', 'username', 'password');
mysql_select_db('mydatabase', $dbh);

If I were to pull up mydomain.com/inc/db.php using that code only a blank page would be shown.

Re: chmod question

Posted: Fri Oct 02, 2009 10:50 am
by rhecker
Why is it viewable in a browser?

Because if someone actually types the url to the file, it will be viewable. I've tried it myself and indeed, the code is viewable.

Normally no one would know the name and location of the file, but if they did, it would show. I did not consider this a security risk, but I am now collaborating with someone who believes it would be best to make it impossible for anyone to directly view the include file.

Re: chmod question

Posted: Fri Oct 02, 2009 3:39 pm
by matthijs
The misunderstanding here is that you have named your includes .inc.
If you would name them somefile.inc.php the source will not be shown when someone visits the file.

As pytrin suggested, best is to place them outside doc root. Second best is to deny access to the directory the files are in. After that rely on the fact that the source of php files is not shown.

Re: chmod question

Posted: Sat Oct 03, 2009 2:54 am
by kaisellgren
Robert07 wrote:To avoid letting someone pull a file directly from your server, you can add the following code to the top (if your db.php file is named differently then change the condition accordingly):

// *** Make sure the file isn't accessed directly
if(stripos($_SERVER['SCRIPT_FILENAME'],"db.php")!==false) {
    //Give out an "access denied" error
    echo "access denied";
    //Block all other code
    exit();
}
Depending on the configuration, the file could be accessed through db%2ephp or via other encoding schemes.
rhecker wrote:Normally no one would know the name and location of the file, but if they did, it would show. I did not consider this a security risk,
It is a risk and as already noted, you are better off placing the files outside doc root.
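A more robust form of the "direct access" guard discussed above, added here as an example and not code from any poster: the public entry script defines a marker constant before it includes the file, and the include refuses to run unless that constant exists. The check never looks at the request path, so the db%2ephp encoding issue kaisellgren raised does not apply. The file name inc/db.php and the constant APP_ENTRY are assumptions. Two caveats: this only helps when the file is parsed by PHP (a file named db.inc that the web server serves as plain text shows its source regardless of any PHP check, which is matthijs's point), and it remains second best to moving the file outside the document root.

```php
<?php
// inc/db.php (hypothetical path, still under the web root).
//
// The public entry script (for example index.php) defines a marker
// constant before it pulls this file in:
//
//     define('APP_ENTRY', true);
//     require dirname(__FILE__) . '/inc/db.php';
//
// A request that hits this file directly never passes through that
// entry script, so the constant is undefined and we stop here. Because
// the check does not read $_SERVER['SCRIPT_FILENAME'] or the URL, the
// spelling of the request (db.php, db%2ephp, ...) does not change it.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    exit('access denied');
}

// Constructed placeholder credentials, as in the thread's own samples.
$dbh = mysql_connect('localhost', 'username', 'password');
mysql_select_db('mydatabase', $dbh);
```

Every script that is meant to be requested directly does the define; every script that is only ever included does the check. A 403 with no body detail is preferable to echoing anything about the file, since the visitor learns only that the path is off limits.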

Re: chmod question

Posted: Sat Oct 03, 2009 5:19 pm
by rhecker
OK, so I'm convinced. I will put the file above the root.

But how do I call a file above the root?

I tried the following, but it doesn't work:

$path = "http://".$_SERVER ['SERVER_ADDR'];
include ($path . "/myfile.php");

I get a message "Page not found". Am I doing this wrong?

Re: chmod question

Posted: Sun Oct 04, 2009 1:22 am
by Robert07
Depending on the configuration, the file could be accessed through db%2ephp or via other encoding schemes.
Good point, the example I pulled from actually was checking to make sure the filename was index.php, but that was a site where everything was included from the index page so it made sense. In my effort to make the example generic it lost its usefulness...

Re: chmod question

Posted: Sun Oct 04, 2009 2:36 am
by kaisellgren
rhecker wrote:I tried the following, but it doesn't work:

$path = "http://".$_SERVER ['SERVER_ADDR'];
include ($path . "/myfile.php");

I get a message "Page not found". Am I doing this wrong?
Don't include URIs. See viewtopic.php?f=34&t=106984
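How the include above the document root is actually written, added here as an example and not code from any poster. Including an http:// URL asks the web server for the file over HTTP, which is exactly the access the thread is trying to remove (and on top of that needs allow_url_include, which is off by default), so the include has to use a filesystem path. The directory layout (/home/user/private and /home/user/public_html) and the file name db.php are assumptions.

```php
<?php
// public_html/index.php (hypothetical layout):
//
//   /home/user/private/db.php     <- outside the document root
//   /home/user/public_html/       <- document root
//       index.php                 <- this file
//
// Option A: anchor on this script's own directory. dirname(__FILE__) is
// the directory of the current file (PHP 5.3+ also offers __DIR__);
// one more dirname() steps up out of the document root.
$privateDir = dirname(dirname(__FILE__)) . '/private';

// Option B: anchor on the configured document root. Equivalent in this
// layout, but DOCUMENT_ROOT is set by the web server and can differ
// under aliases or virtual hosts, so the script's own path is the more
// predictable anchor on shared hosting.
// $privateDir = dirname($_SERVER['DOCUMENT_ROOT']) . '/private';

// realpath() resolves '..' and symlinks and returns false when the file
// does not exist, which gives a clear failure instead of a warning and
// a script that carries on without $dbh.
$dbFile = realpath($privateDir . '/db.php');
if ($dbFile === false) {
    error_log('db.php not found in ' . $privateDir);  // server log only
    exit('configuration error');  // do not echo the path to the visitor
}

require $dbFile;  // defines $dbh; the file is never reachable by URL
```

With the file above the web root there is no URL that maps to it at all, so the question of whether the server would show or execute a .inc file no longer arises; editing it over FTP works the same as before, just one directory up.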