php includes, and other files, above wwwroot

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


SGC
Forum Newbie
Posts: 4
Joined: Sun Nov 21, 2010 8:29 pm

php includes, and other files, above wwwroot

Post by SGC »

I learned, as best practice, to stick my secure includes, scripts, and anything I don't want the public to have URL access to, in folders above the wwwroot.

Example: website.com/index.htm is under /root/htdoc/index.htm and an include folder might be /root/hiddenstuff/.

Anything under htdoc is accessible by the public; anything under hiddenstuff is only accessible to server scripts/the root user.

Unfortunately, my current host (fatcow, using Apache/PHP 5) doesn't allow this file structure. What I have access to looks like:
site_root/
and
site_root/cgi-bin/
...no access to the folder above site_root (and yes, I contacted the host to verify this).

My question: Is there some way to mimic the functionality I am used to (maybe via .htaccess?) I'd like to force all requests to site_root/ down a level to a new directory: site_root/ -> site_root/fake_htdoc/. If I can do this I might be able to fake an above-wwwroot directory. Unfortunately, my .htaccess/PHP skills are a bit rusty and I'm running out of ideas. Suggestions?
Zyxist
Forum Contributor
Posts: 104
Joined: Sun Jan 14, 2007 10:44 am
Location: Cracow, Poland

Re: php includes, and other files, above wwwroot

Post by Zyxist »

Unfortunately you can't do that from the PHP level. It's an HTTP server issue. Although you can protect scripts by adding a check on whether they are included or called directly, you won't protect other files (e.g. configuration) this way. Personally, I would keep writing to the host asking for your account to be reconfigured, because such providers should be buried in the ground.
SGC
Forum Newbie
Posts: 4
Joined: Sun Nov 21, 2010 8:29 pm

Re: php includes, and other files, above wwwroot

Post by SGC »

Well, I was able to manage a mostly viable workaround with an .htaccess rewrite that forces everyone out of a directory (sort of a faked sub-root). But you are right, servers should not... EVER... be configured this way. It is, in fact, the first time I'd come across it and I will most likely not be using them for future projects.
jarofgreen
Forum Commoner
Posts: 71
Joined: Sun Jul 11, 2010 12:40 pm

Re: php includes, and other files, above wwwroot

Post by jarofgreen »

Simpler: Stick all your private files in one folder, with an .htaccess in it that says "Deny from all". Job done.
(Test this with an image file to make sure your server config allows this.)
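Putting the two approaches from this thread side by side (this is an added example, not code posted by anyone in the thread): a per-directory `.htaccess` that denies HTTP access to a private folder, and a site-root `.htaccess` that rewrites every request into a "fake" document root, so the real site_root can hold files the way the directory above wwwroot normally would. The directory names `private/` and `fake_htdoc/`, the site being served from `/`, and the host permitting `AllowOverride` for `Limit`/`FileInfo` and having `mod_rewrite` loaded are all assumptions; the thread mentions Apache with PHP 5, so the Apache 2.2 access syntax is used, with the 2.4 equivalent noted.

```apache
# ---- site_root/private/.htaccess --------------------------------------
# Directory name "private" is an assumption. PHP's include/require read
# from the filesystem, so this only blocks HTTP requests; scripts in
# fake_htdoc can still include('../private/config.php').
# Apache 2.2 syntax (what a php5/apache host of that era typically ran):
Order deny,allow
Deny from all
# Apache 2.4 equivalent (use this instead if the host runs 2.4;
# the 2.2 directives are deprecated there):
# Require all denied

# ---- site_root/.htaccess ----------------------------------------------
# "Fake" document root: serve every request from site_root/fake_htdoc/
# so the real site_root behaves like the directory above the web root.
RewriteEngine On
# Assumes the site lives at "/"; set RewriteBase to the sub-path otherwise.
RewriteBase /
# Requests already pointing into fake_htdoc are left alone, which stops
# the rule from rewriting its own output in a loop.
RewriteCond %{REQUEST_URI} !^/fake_htdoc/
RewriteRule ^(.*)$ fake_htdoc/$1 [L]
```

The rewrite alone is not an access control: if the host ignores .htaccess, or mod_rewrite is disabled, or someone adds a rule above it, direct requests to `/private/config.php` would be served again. Keep the `Deny from all` in the private folder as the actual barrier and treat the rewrite as convenience only, and, as suggested above, confirm the deny actually takes effect by dropping a test image into the folder and requesting it by URL; a 403 means the host honours the override, a 200 means it does not.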
greyhoundcode
Forum Regular
Posts: 613
Joined: Mon Feb 11, 2008 4:22 am

Re: php includes, and other files, above wwwroot

Post by greyhoundcode »

I appreciate this isn't quite what you are after (just an idea to bear in mind) but as a security measure it is not uncommon to test for a constant and exit if it does not exist. So if you have a script you don't want to be accessed directly you could add something like this as the first line of code:

Code: Select all

<?php
// Define the constant in your entry point (e.g. index.php) before including anything: define('APPLICATION_CONSTANT', true);
defined('APPLICATION_CONSTANT') or die('Unauthorised access');