Re: Deny Access To configuration file using php scripts
From: Suramya Tomar (security_at_suramya.com)
Date: 03/02/05
- Previous message: Scott Fagg: "RE: Deny Access To configuration file using php scripts"
- Maybe in reply to: raT: "Deny Access To configuration file using php scripts"
- Next in thread: Igor Plisco: "Re: Deny Access To configuration file using php scripts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 01 Mar 2005 21:26:29 -0500
To: Scott Fagg <scott.fagg@arup.com.au>, focus-linux@securityfocus.com
Hi,
>>There are a couple of things you can try, First you can use apache
>>directives to deny access to the file. To do that add the
>>following text
>>to the httpd.conf file:
>>
>><Files ~ "\.inc$">
>> Order allow,deny
>> Deny from all
>></Files>
>
>
> While that may stop the web-server from serving the files up, it would
> not stop a php script from accessing the files.
>
> I'm not sure that this can easily be solved. If the file needs to be
> readable by apache, then it can also be read by any other process
> running as the same user as apache, which would be every php script.
>
> If you are using virtual hosts, then you may be able to solve the
> problem using Apache's per-user virtual-host configuration. This allows
> scripts to run as someone other than 'nobody' (or whoever apache is
> running as).
>
You could also create the config file with a .php extension so even when
the user is able to include the file it would be interpreted by PHP and
it would only show a blank screen to the user over the web.
>>The second thing I would suggest is to disable access to the system()
>
> They could also use functions like fopen(), require(), include(), etc to
> read the files.
True, but if the file is interpreted by PHP then it wouldn't be that big a
problem.
Actually instead of trying to find a tech solution to this, I would just
ban the guilty users from the server. No access = No hack attempts.
- Suramya
--
Some days you're the dog; some days you're the hydrant.
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
Disclaimer: Any errors in spelling, tact, or fact are transmission errors.
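The `<Files>` block quoted above is written for Apache 2.2; the access-control directives changed in 2.4. As an added example (not from any post in this thread), here is the same deny rule for `.inc` files in both syntaxes, selected by whether the 2.4 authorization module is loaded. The file pattern and both directive forms are assumptions; as the thread points out, this only blocks direct HTTP requests and does nothing about a PHP script that reads the file from disk as the web-server user.

```apache
# Added example: block direct web requests for *.inc configuration files.
# Local reads by PHP (include(), fopen(), ...) are unaffected by this rule.

# Apache 2.4: mod_authz_core provides "Require"
<IfModule mod_authz_core.c>
    <FilesMatch "\.inc$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: the Order/Deny form used in the quoted post
<IfModule !mod_authz_core.c>
    <FilesMatch "\.inc$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

After adding this to httpd.conf and reloading, a request for any `.inc` URL should return 403 rather than the file contents.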