Re: Deny Access To configuration file using php scripts
From: Jan Urbancik (jan.urbancik_at_web4all.sk)
Date: 03/02/05
- Previous message: Suramya Tomar: "Re: Deny Access To configuration file using php scripts"
- In reply to: Suramya Tomar: "Re: Deny Access To configuration file using php scripts"
- Next in thread: Joachim Schipper: "Re: Deny Access To configuration file using php scripts"
To: Suramya Tomar <security@suramya.com>
Date: Wed, 02 Mar 2005 08:59:17 +0100
Hi.
My question is whether there is some patch or workaround for PHP to allow
exec functions only for SOME Apache virtual hosts... The disable_functions
directive cannot be overwritten via the php_admin_value directive in
httpd.conf :-(
Jan
On Tue, 2005-03-01 at 18:58 -0500, Suramya Tomar wrote:
> Hi,
>
> > Hello, I have a web server and I have a major problem:
> > some of my users are trying to find my pass for my MySQL database.
>
> My first suggestion would be to warn these users that this is not
> allowed and ban them from the system if they persist.
>
> > The first thing they do is a
> > system ('cat /var/www/path to config file');
> > inside a PHP script
>
>
> There are a couple of things you can try. First, you can use Apache
> directives to deny access to the file. To do that, add the following text
> to the httpd.conf file:
>
> <Files ~ "\.inc$">
> Order allow,deny
> Deny from all
> </Files>
>
> This would prevent all files with the .inc extension from being viewed
> via the web.
>
> The second thing I would suggest is to disable access to the system()
> function unless you really really need it. You can do that in the
> php.ini file by using the disable_functions directive. It allows you to
> define a comma-delimited list of functions to be disabled within PHP.
> (http://www.onlamp.com/pub/a/php/2001/02/15/php_admin.html)
>
> Hope this helps.
>
> - Suramya
>
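
An added example, not part of the original thread: a Python check that reads php.ini text and reports which process-spawning functions are not listed in the comma-delimited disable_functions directive discussed above. The function list, the sample file contents and the helper names are assumptions made for illustration.

```python
# Assumption: what the thread calls "exec functions" -- PHP built-ins that
# start an external process. Adjust the tuple to match local policy.
EXEC_FUNCTIONS = ("system", "exec", "passthru", "shell_exec",
                  "popen", "proc_open", "pcntl_exec")


def parse_disable_functions(ini_text):
    """Return the set of names on the effective disable_functions line."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue  # blank line, ; comment, or [section] header
        key, sep, rest = line.partition("=")
        if sep and key.strip() == "disable_functions":
            # Drop a trailing ; comment and optional quotes.
            # A later assignment replaces an earlier one.
            value = rest.split(";", 1)[0].strip().strip("\"'")
    return {name.strip() for name in value.split(",") if name.strip()}


def missing_exec_functions(ini_text):
    """List the EXEC_FUNCTIONS entries that php.ini does not disable."""
    disabled = parse_disable_functions(ini_text)
    return [name for name in EXEC_FUNCTIONS if name not in disabled]


# Constructed sample php.ini contents, not taken from any real server.
SAMPLE_INI = """\
[PHP]
; disable_functions = system,exec,passthru,shell_exec
safe_mode = Off
disable_functions = "system, exec ,passthru"   ; shell access off
"""

if __name__ == "__main__":
    for name in missing_exec_functions(SAMPLE_INI):
        print("not disabled:", name)
```

Feed it the contents of the php.ini the web server actually loads; a commented-out line or an empty later assignment shows up as every function being reported.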