restrict php includes in a directory

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

ethanlifka
Forum Newbie
Posts: 5
Joined: Mon Aug 11, 2008 1:03 pm

restrict php includes in a directory

Post by ethanlifka »

I am trying to restrict PHP files in a directory from being included. I have a tmp directory and I don't want scripts to run inside of it. I can get to that part fine, but I am still able to include that file and it runs fine.

Here is my structure:

tmp/phpinfo.php
test.php

- contents of test.php:
<?php
include('tmp/phpinfo.php');
?>

I would like it to fail or 403 error or something, but still allow for move_uploaded_file from tmp to another directory.

Thanks ahead.
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: restrict php includes in a directory

Post by ghurtado »

Take a look at safe mode:

http://us.php.net/features.safe-mode
ethanlifka
Forum Newbie
Posts: 5
Joined: Mon Aug 11, 2008 1:03 pm

Re: restrict php includes in a directory

Post by ethanlifka »

Sorry, but safe_mode doesn't help me. It will only help against different users and groups. I only want the tmp dir to hold files and transfer files, but I don't want the files to execute or be read by any scripts. I can put directives into the dir to restrict the scripts from running, but I can't figure out how to prevent someone executing it by using the PHP include();

It seems that even though I disable PHP and CGI scripts in the tmp dir, an outside PHP script can read it and then execute it outside of the tmp directory by using include() or require(). This is what I am trying to prevent.

Any thoughts?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: restrict php includes in a directory

Post by Mordred »

What are you trying to achieve? Why do you want this? Is it related to file uploads handling? Generally files in the tmp folder (before being moved) have random (i.e. unpredictable) names, so there is little danger from LFI.
ethanlifka
Forum Newbie
Posts: 5
Joined: Mon Aug 11, 2008 1:03 pm

Re: restrict php includes in a directory

Post by ethanlifka »

Thanks for the help Mordred.

I am trying to secure my server as best as I can, even if the change is very mundane. My thinking is that someone could upload a PHP file in the tmp dir, then have another page include the tmp file. (I know this doesn't make much sense: if they can create another page, why can't they just run the script there?) There are many ways I can think of that someone would do this. Maybe they have another account on my server (I know that safe_mode and open_basedir would help with this), maybe there might be some exploit that I don't know about that allows them to hack in and run a cron, or just the script itself. I also like challenges even if they seem pointless. They might be handy down the road. I understand that this question may be solved in numerous ways, but I would still like to know the answer.

Is it possible to restrict files in a directory from being included or required, but still allow for them to be moved?
Geteburg
Forum Commoner
Posts: 25
Joined: Tue Aug 12, 2008 1:57 pm

Re: restrict php includes in a directory

Post by Geteburg »

If by /tmp you mean the Linux /tmp location, then you can add an entry to fstab to not execute ANY code from that folder.
If you mean some random tmp folder like /home/user/tmp, then kill PHP execution with the help of .htaccess for the dir you want.
Create .htaccess file and add this:

RemoveType application/x-httpd-php php
AddType text/html php

Upload it to the folder where you want to disable PHP.
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: restrict php includes in a directory

Post by ghurtado »

Geteburg,

Neither of those will work to prevent using include(). A PHP include file is not "executed" per se; it is just parsed and in effect "pasted" into the main running script, which is the one that is executed. The OP wanted a solution to restrict the directories that a file can be include'd from, which is explained in the safe mode page on PHP.net, but he doesn't want to use safe mode for some reason, or hasn't read the page completely.
Geteburg
Forum Commoner
Posts: 25
Joined: Tue Aug 12, 2008 1:57 pm

Re: restrict php includes in a directory

Post by Geteburg »

Ah.. Missed the part where he mentions users having accounts on his server.

Anyways, disabling PHP in the tmp folder is a very good thing to have! Actually, disabling execution of any kind of script in the /tmp folder is good! Other than that, all I can say is that you disable some common functions (php.ini) that are known to be abused by script/hack wannabe kiddies and of course put the user into a jail (non-PHP). ;)
More things can be done to secure the server, just not with PHP. :)

And yes, stay away from safe_mode.. Thank god that in 6 it's going away.. :)
ethanlifka
Forum Newbie
Posts: 5
Joined: Mon Aug 11, 2008 1:03 pm

Re: restrict php includes in a directory

Post by ethanlifka »

Thanks ghurtado and Geteburg.

Yes, I have restricted all scripts from running in my tmp folder and that works great, but ghurtado is right. It doesn't stop another script from including it and running it.

Yes, safe_mode has "safe_mode_include_dir", which can restrict includes to a specific directory. I have used open_basedir, but I refuse to use anything that will be canceled in the future ("SAFE_MODE"). So I am trying to find a way around that. Rather than specifying the only dir for includes, I would like to specify directories to not allow includes from.

Thanks again.
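One way to get what this post asks for, denying includes from chosen directories without relying on safe_mode, as an added example that is not code from anyone in this thread. It assumes PHP 8 and a writable tmp/ directory under the application root; the uploaded file is still moved out of tmp/ by the normal move_uploaded_file() path, it just can never be include'd from there.

```php
<?php
// Added example, not from the thread: an include wrapper that refuses files
// resolving into denied directories. Assumption: tmp/ sits under the app root.
declare(strict_types=1);

// Directories from which includes are never allowed (constructed for this example).
const DENIED_INCLUDE_DIRS = [__DIR__ . '/tmp'];

/**
 * Resolve $path with realpath() so "..", symlinks and relative segments cannot
 * smuggle a denied file past a plain string comparison, then reject it if it
 * lives under (or is) any denied directory.
 */
function includeIsAllowed(string $path, array $deniedDirs = DENIED_INCLUDE_DIRS): bool
{
    $real = realpath($path);
    if ($real === false) {
        return false;               // nonexistent or unreadable: nothing to include
    }
    foreach ($deniedDirs as $dir) {
        $realDir = realpath($dir);
        if ($realDir === false) {
            continue;               // denied dir absent: nothing can resolve into it
        }
        // Compare with a trailing separator so /app/tmp does not match /app/tmpl.
        $prefix = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (str_starts_with($real . DIRECTORY_SEPARATOR, $prefix)) {
            return false;
        }
    }
    return true;
}

/** Include wrapper: throws on denied paths instead of silently running them. */
function guardedInclude(string $path): mixed
{
    if (!includeIsAllowed($path)) {
        throw new RuntimeException("Refusing to include '$path': denied directory");
    }
    return include $path;
}

// Usage (the thread's layout): the include is refused, the upload flow still works.
// guardedInclude('tmp/phpinfo.php');   // throws RuntimeException
// move_uploaded_file($_FILES['f']['tmp_name'], __DIR__ . '/uploads/' . basename($name));
```

This only protects code that goes through guardedInclude(); a bare include() elsewhere in the codebase is unaffected, so the .htaccess and mount-option measures from earlier posts remain worth keeping alongside it.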
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: restrict php includes in a directory

Post by ghurtado »

I'm glad you got it worked out. Thank you for sharing the end result.