Bugtraq mailing list archives
Re: Web based apps and include files.
From: Mads Bach <bach () INDER NET>
Date: Mon, 4 Dec 2000 03:29:54 +0100
Mads Bach wrote:
> - Make sure your webserver won't serve up the include file as text (if you're using Apache, you can add a handler or an action for .inc files, for instance).

The reason I suggested using a handler was to have additional control over what happens when somebody tries to access one of your protected files. A couple of people have written with additional suggestions:

- Placing the include files in a protected directory (using .htaccess), when you don't have the option of placing them outside the webroot (Dustin Rue)

- Using an Apache filter, like this (Julien Savoie):

    <Files ~ "\.phpincludes">
    Order allow,deny
    Deny from all
    </Files>

- Using the FilesMatch directive, if you need full regular expression support in the filenames (James Lyon).

Julien also raised the point that this won't protect you from users who have access to the directories your files are in, if they are world-readable. You can mitigate this somewhat, if you can change the permissions so that only the uid/gid of the webserver can read these files, but this won't help if a user can get the webserver to run his own scripts. This means that if your site is being hosted on a server shared with other (untrusted) people, you'll probably have a hard time securing it against these people.

/Mads

-- 
"I can hardly imagine a week-long black mass including welding equipment and diamond-cutters."
"No, but if they tried, they'd probably get signed to release a CD of Industrial music. Or prosecuted for violating health & safety regulations."
- Andreas Buzh Skau and Tanuki in Scary Devil Monastary
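An added audit script for the permissions caveat in the post above (this is example code, not from Mads or the thread): it walks a webroot and reports include files whose mode bits let accounts other than the webserver's uid/gid read them, and also flags files the webserver itself could no longer read. The include suffixes (.inc, .phpincludes) and the webserver uid/gid are assumptions; demo() builds a constructed sample tree and audits it as if the webserver ran under the caller's own uid/gid.

```python
import os
import re
import stat
import tempfile

# Assumption: these are the site's include-file suffixes (the post mentions .inc
# and a ".phpincludes" Files pattern; adjust to match the real FilesMatch rule).
INCLUDE_RE = re.compile(r"\.(inc|phpincludes)$")

def readable_beyond_webserver(path, web_uid, web_gid):
    """Reasons why `path` is readable by accounts other than the webserver
    (world/group bits), or 'unreadable by webserver' if locking it down too far."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    reasons = []
    if mode & stat.S_IROTH:
        reasons.append("world-readable")
    if mode & stat.S_IRGRP and st.st_gid != web_gid:
        reasons.append("group-readable by gid %d" % st.st_gid)
    web_can_read = (mode & stat.S_IROTH
                    or (mode & stat.S_IRGRP and st.st_gid == web_gid)
                    or (mode & stat.S_IRUSR and st.st_uid == web_uid))
    if not web_can_read:
        reasons.append("unreadable by webserver")
    return reasons

def find_exposed_includes(webroot, web_uid, web_gid, include_re=INCLUDE_RE):
    """Map each problematic include file (relative path) to its list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if include_re.search(name):
                path = os.path.join(dirpath, name)
                reasons = readable_beyond_webserver(path, web_uid, web_gid)
                if reasons:
                    findings[os.path.relpath(path, webroot)] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample webroot: one exposed, two correct, one over-locked file."""
    os.mkdir(os.path.join(root, "lib"))
    for name, mode in (("db.inc", 0o644), ("lib/auth.inc", 0o640),
                       ("lib/cfg.phpincludes", 0o600), ("lib/secret.inc", 0o000),
                       ("index.php", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("<?php /* constructed */ ?>\n")
        os.chmod(path, mode)

def demo():
    """Audit the sample tree twice: webserver sharing our gid, then a foreign gid."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return (find_exposed_includes(root, uid, gid),
                find_exposed_includes(root, uid, gid + 1))  # gid + 1 is constructed
```

Run find_exposed_includes(webroot, uid, gid) with the uid/gid your httpd actually runs as; a file that only shows up as "unreadable by webserver" is a site-breaking lockdown, not an exposure.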
Current thread:
- Web based apps and include files. Mads Bach (Dec 02)
- Re: Web based apps and include files. Mads Bach (Dec 05)