restrict php includes in a directory
ethanlifka
- Forum Newbie
- Posts: 5
- Joined: Mon Aug 11, 2008 1:03 pm
restrict php includes in a directory
I am trying to restrict php files from being included on a directory. I have a tmp directory and I don't want scripts to run inside of it. I can get to that part fine, but I am still able to include that file and it runs fine.
here is my structure
tmp/phpinfo.php
test.php
-contents of test.php
<?php
include('tmp/phpinfo.php');
?>
I would like it to fail or 403 error or something, but still allow for move_uploaded_file from tmp to another directory.
thanks ahead.
ethanlifka
- Forum Newbie
- Posts: 5
- Joined: Mon Aug 11, 2008 1:03 pm
Re: restrict php includes in a directory
Sorry, but safe_mode doesn't help me. It will only help against different users and groups. I only want the tmp dir to hold files and transfer files, but I don't want the files to execute or be read by any scripts. I can put directives into the dir to restrict the scripts from running, but I can't figure out how to prevent someone executing it by using the php include();
It seems that even though I disable php and cgi scripts in the tmp dir an outside php script can read it and then execute it out side of the tmp directory by using include() or require(). This is what I am trying to prevent.
Any thoughts
Re: restrict php includes in a directory
What are you trying to achieve? Why do you want this? Is it related to file uploads handling? Generally files in the tmp folder (before being moved) have random (i.e. unpredictable) names, so there is little danger from LFI.
ethanlifka
- Forum Newbie
- Posts: 5
- Joined: Mon Aug 11, 2008 1:03 pm
Re: restrict php includes in a directory
thanks for the help Mordred.
I am trying to secure my server as best as I can. Even if the change is very mundane. My thinking is that someone could upload a php file in the tmp dir. Then have another page include the tmp file. ( I know this doesn't make much sense. if they can create another page why can't they just run the script there ). There are many ways I can think that someone would do this. Maybe they have another account on my server ( I know that safe_mode and open_basedir would help this ), maybe there might be some exploit that I don't know about that allows for them to hack in and run a cron, or just the script itself. I also like challenges even if they seem pointless. They might be handy down the road. I understand that this question may be solved in numerous ways, but I would still like to know the answer.
Is it possible to restrict files in a directory from being included or required, but still allow for them to be moved.
Re: restrict php includes in a directory
If by /tmp you mean linux /tmp location, then you can add to fstab to not execute ANY code from that folder.
If you mean some random /tmp folder like /home/user/tmp, then kill PHP executing with the help of .htaccess for the dir you want.
Create .htaccess file and add this:
Code:
RemoveType application/x-httpd-php php
AddType text/html php
Upload to folder where you want to disable PHP.
Re: restrict php includes in a directory
Geteburg,
Neither of those will work to prevent using include(). A PHP include file is not "executed" per se, it is just parsed and in effect "pasted" into the main running script, which is the one that is executed. The OP wanted a solution to restrict the directories that a file can be include'd from, which is explained in the safe mode page on PHP.net, but he doesn't want to use safe mode for some reason, or hasn't read the page completely.
Re: restrict php includes in a directory
Ah.. Missed the part where he says about users having account on his server.
Anyways, disabling PHP in the tmp folder is a very good thing to have! Actually, disabling execution of any kind of scripts in the /tmp folder is good! Other than that, all I can say is that you disable some common functions (php.ini) that are known to be abused by script/hack wannabe kiddies and of course put the user into a jail (non-PHP).
More things can be done to secure a server, just not with PHP.
And yes, stay away from safe_mode.. Thank god that in 6 it's going away..
ethanlifka
- Forum Newbie
- Posts: 5
- Joined: Mon Aug 11, 2008 1:03 pm
Re: restrict php includes in a directory
Thanks ghurtado and Geteburg.
Yes I have restricted all scripts from running in my tmp folder and that works great, but ghurtado is right. It doesn't stop another script from including it and running it.
Yes, safe_mode has "safe_mode_include_dir" which can allow restricting includes to a specific directory. I have used open_basedir, but I refuse to use anything that will be canceled in the future ("SAFE_MODE"). So I am trying to find a way around that. Rather than specifying the only dir for includes I would like to specify directories to not allow includes.
Thanks again.
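The thread never arrives at a working answer, so here is an added example (not code from any of the posters) of the application-level version of what ethanlifka asks for: a blocklist of directories whose contents may never be included, enforced in PHP itself rather than in the web server. The point ghurtado makes is the reason it has to live here: an .htaccess that stops Apache from handing tmp/ files to the PHP handler only affects HTTP requests for those files, while include() and require() read straight from disk and paste the contents into the running script. The example assumes PHP 7 or later (random_bytes(), scalar type hints), that the script sits in the web root next to a tmp/ upload directory, and that all includes in the application are routed through the hypothetical safe_include() wrapper; none of those names come from the thread.

```php
<?php
// Added example, not from the forum thread. Refuses include()/require() of any
// file that resolves into a denied directory (here: tmp/ next to this script),
// while still allowing the file to be moved out of that directory with
// move_uploaded_file(). Assumes PHP >= 7.

declare(strict_types=1);

/** Directories whose contents must never be included. Resolved with realpath()
 *  so "tmp/../tmp/x.php", "./tmp/x.php" and symlinks normalise to one prefix.
 *  (Assumed layout: tmp/ is a sibling of this script.) */
function denied_include_dirs(): array
{
    return array_filter(array_map('realpath', [__DIR__ . '/tmp']));
}

/** True if $path (already realpath()-resolved) is $dir or lies beneath it. */
function path_is_under(string $path, string $dir): bool
{
    $dir = rtrim($dir, DIRECTORY_SEPARATOR);
    return $path === $dir
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) === 0;
}

/** include() replacement. Throws rather than returning false so a caller
 *  cannot silently ignore a refused include. */
function safe_include(string $file)
{
    $real = realpath($file);
    if ($real === false) {
        throw new RuntimeException("include refused: $file does not exist");
    }
    foreach (denied_include_dirs() as $dir) {
        if (path_is_under($real, $dir)) {
            throw new RuntimeException("include refused: $real is inside $dir");
        }
    }
    return include $real;
}

/** Upload handling that keeps the OP's workflow: the file is only ever moved
 *  out of tmp/, never included from there, and it is stored under a random
 *  name with a non-script extension. $dest_dir is assumed to exist and to be
 *  outside the web root or served with PHP disabled. */
function store_upload(array $upload, string $dest_dir): string
{
    if (!isset($upload['tmp_name']) || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $name = bin2hex(random_bytes(16)) . '.bin';   // unpredictable, never *.php
    $dest = rtrim($dest_dir, '/') . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    return $dest;
}

// Demonstration with the thread's layout: tmp/phpinfo.php next to this script.
foreach (['tmp/phpinfo.php', 'tmp/../tmp/phpinfo.php', './tmp/phpinfo.php'] as $attempt) {
    try {
        safe_include($attempt);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;   // every variant is refused after realpath()
    }
}
```

Two caveats a practitioner will want. First, include inside a function runs in that function's scope, so variables the included file defines do not become globals as they would with a bare include; code that relies on that needs to return values instead. Second, this is a control inside the application: it only helps when every include goes through the wrapper, and an attacker who can already write and run arbitrary PHP elsewhere on the host (the scenario ethanlifka himself admits is odd) is not stopped by it. It complements open_basedir and a PHP-disabled upload directory rather than replacing them.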
Re: restrict php includes in a directory
I'm glad you got it worked out. Thank you for sharing the end result.