Ninjakreborn Posted July 25, 2006

I just tried this and it works. When I go to a website www.domainname.com/php.ini it pulls up the ini file for the site, isn't that a severe security risk, they immediately get to see all information about php's settings, your version number, ALL the settings, and this is the same way with all sites, almost all sites have it to where it can be easily downloaded, is this a security issue at all, if so why is it set to be able to do that.

Link to comment: https://forums.phpfreaks.com/topic/15623-question/

Ninjakreborn Posted July 25, 2006 Author

Actually it doesn't happen on all sites, phpfreaks doesn't, and msn doesn't, but all of my sites do, and some others, how do I fix this, or is this not an issue, or what?

freakus_maximus Posted July 25, 2006

Doesn't happen on my site or any of my clients. Sounds like a hosting company that does not have a setup I would trust.

Ninjakreborn Posted July 25, 2006 Author

Well other sites under that hosting has it either, is there a specific setting I need to set up to be able to do that, I never thought about that, I am scouring sites now trying to find other ones, I have found a few but not as many as I would have thought?

Ninjakreborn Posted July 25, 2006 Author

I called the hosting company, and he checked his site that is hosted by bluehost, he said it was doing the same thing and that is strange, he is checking in on it now.

Ninjakreborn Posted July 25, 2006 Author

OK, how would I put something in htaccess to stop that file from getting access, he said it was because they allow everyone on the server access to their own php.ini file, because of that, it does that, I can do something with htaccess, any advice on what?

trq Posted July 25, 2006

[code]
<Files ~ "^\.ini">
Order allow,deny
Deny from all
</Files>
[/code]

Ninjakreborn Posted July 26, 2006 Author

Thanks.

Ninjakreborn Posted July 26, 2006 Author

I tried that but for some reason it didn't work, any more advice on how to stop it from displaying?

trq Posted July 26, 2006

Sorry... my bad. Try this...

[code]
<Files ~ "*.ini">
Order allow,deny
Deny from all
</Files>
[/code]

wildteen88 Posted July 26, 2006

Looks like your host has set up an alias within the server config file. However they appear to have misconfigured something, as it is not a good idea to allow someone to type in php.ini in the browser to view the php setup, instead they should display the phpinfo, rather than the raw php.ini file. Looks like your host doesn't quite know what they are doing!

Ninjakreborn Posted July 26, 2006 Author

I am going to fix that, with the php thing that he showed me for all my clients, and call them, and tell them they have to figure out a way to fix that, I have asked other developers, and that means it's misconfigured.

trq Posted July 26, 2006

Shared hosts running php as a CGI allow each site to create their own php.ini files within their application tree structure, that is what we are seeing. However, you are correct. The configuration directive I posted really ought to be implemented in the server-wide httpd.conf, not on a per-user basis.

Ninjakreborn Posted July 26, 2006 Author

I tried that one, and this time it gave me an internal server error 500, any advice?

trq Posted July 26, 2006

Let's try a more direct approach.

[code]
<Files php.ini>
Order allow,deny
Deny from all
</Files>
[/code]

Ninjakreborn Posted July 26, 2006 Author

Ah perfect, I will use that in all my websites from now on, that I do with that company, I am going to sit down with the company for a while too, and explain to them the dangers of this, and tell them that they need to change it.

trq Posted July 26, 2006

All they need do is add that snippet to the server's httpd.conf file and the problem is solved. I'm sure however that they are aware of this, and for some reason they regard this type of thing as your responsibility. All they do is provide you a publicly available web root. It's up to you to protect what is in it.

PS: Did you get an email from me the other day?

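Added example, not part of any post above: a small model of how the three `<Files>` arguments tried in this thread are interpreted, which shows why the first attempt left php.ini readable, why the second produced a 500, and why the third worked. The function and table names are hypothetical, and Python's `re` and `fnmatch` stand in for Apache's regex and wildcard matching (an assumption that holds for patterns this simple).

```python
# Added example: models how Apache interprets the argument of a <Files> section.
# Assumption: Python's re/fnmatch behave like Apache's matching for these patterns.
import fnmatch
import re


def files_section_applies(argument, filename, regex=False):
    """Return "match", "no match" or "invalid" for one <Files> argument.

    regex=True  models  <Files ~ "argument">  (unanchored regex search)
    regex=False models  <Files argument>      (wildcard match on the whole name)
    Apache tests only the last path component, so `filename` is a basename.
    """
    if regex:
        try:
            found = re.search(argument, filename) is not None
        except re.error:
            # A pattern that cannot be compiled is a configuration error;
            # inside .htaccess that surfaces to the visitor as a 500.
            return "invalid"
    else:
        found = fnmatch.fnmatchcase(filename, argument)
    return "match" if found else "no match"


# The three attempts from the thread, then two working variants (constructed).
ATTEMPTS = [
    ("first attempt", r"^\.ini", True),    # anchored: name must START with ".ini"
    ("second attempt", "*.ini", True),     # "*" has nothing to repeat in a regex
    ("third attempt", "php.ini", False),   # literal file name
    ("glob variant", "*.ini", False),      # same text is a valid wildcard without "~"
    ("suffix regex", r"\.ini$", True),     # any name ending in ".ini"
]


def evaluate(filename="php.ini"):
    """Map each attempt's label to its outcome for the given basename."""
    return {label: files_section_applies(arg, filename, rx)
            for label, arg, rx in ATTEMPTS}


if __name__ == "__main__":
    for label, outcome in evaluate().items():
        print(f"{label:15} -> {outcome}")
```

After deploying whichever form is used, requesting /php.ini on your own site should return 403 rather than the file contents.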