question


16 replies to this topic

#1 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 25 July 2006 - 08:23 PM

I just tried this and it works.
When I go to a website
www.domainname.com/php.ini
it pulls up the ini file for the site. Isn't that a severe security risk? They immediately get to see all information about PHP's settings, your version number, ALL the settings, and this is the same way with all sites; almost all sites have it to where it can be easily downloaded. Is this a security issue at all? If so, why is it set to be able to do that?

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#2 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 25 July 2006 - 08:24 PM

Actually it doesn't happen on all sites; phpfreaks doesn't and MSN doesn't, but all of my sites do, and some others. How do I fix this, or is this not an issue, or what?



#3 freakus_maximus

freakus_maximus
  • Members
  • PipPipPip
  • Advanced Member
  • 177 posts

Posted 25 July 2006 - 09:10 PM

Doesn't happen on my site or any of my clients.

Sounds like a hosting company that does not have a setup I would trust.

#4 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 25 July 2006 - 09:14 PM

Well, other sites under that hosting have it either. Is there a specific setting I need to set up to be able to do that? I never thought about that. I am scouring sites now trying to find other ones; I have found a few but not as many as I would have thought.



#5 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 25 July 2006 - 09:18 PM

I called the hosting company, and he checked his site that is hosted by bluehost; he said it was doing the same thing and that is strange. He is checking in on it now.



#6 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 25 July 2006 - 09:20 PM

OK, how would I put something in htaccess to stop that file from getting access? He said it was because they allow everyone on the server access to their own php.ini file; because of that, it does that. I can do something with htaccess, any advice on what?



#7 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 25 July 2006 - 11:46 PM

<Files ~ "^\.ini">
  Order allow,deny
  Deny from all
</Files>


#8 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 26 July 2006 - 12:12 AM

thanks



#9 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 26 July 2006 - 12:37 PM

I tried that but for some reason it didn't work. Any more advice on how to stop it from displaying?



#10 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 26 July 2006 - 02:04 PM

Sorry... my bad. Try this...
<Files ~ "*.ini">
  Order allow,deny
  Deny from all
</Files>


#11 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 26 July 2006 - 02:07 PM

Looks like your host has set up an alias within the server config file. However, they appear to have misconfigured something, as it is not a good idea to allow someone to type in php.ini in the browser to view the PHP setup; instead they should display the phpinfo, rather than the raw php.ini file. Looks like your host doesn't quite know what they are doing!

#12 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 26 July 2006 - 02:08 PM

I am going to fix that, with the php thing that he showed me for all my clients, and call them, and tell them they have to figure out a way to fix that, I have asked other developers, and that means it's misconfigured.



#13 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 26 July 2006 - 02:11 PM

Shared hosts running PHP as a CGI allow each site to create their own php.ini files within their application tree structure; that is what we are seeing.

However, you are correct. The configuration directive I posted really ought to be implemented in the server-wide httpd.conf, not on a per-user basis.

#14 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 26 July 2006 - 02:34 PM

I tried that one, and this time it gave me an internal server error 500. Any advice?



#15 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 26 July 2006 - 02:53 PM

Let's try a more direct approach.
<Files php.ini>
  Order allow,deny
  Deny from all
</Files>


#16 Ninjakreborn

Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 26 July 2006 - 02:57 PM

Ah perfect, I will use that in all my websites from now on that I do with that company. I am going to sit down with the company for a while too, and explain to them the dangers of this, and tell them that they need to change it.



#17 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 26 July 2006 - 03:27 PM

All they need do is add that snippet to the server's httpd.conf file and the problem is solved. I'm sure, however, that they are aware of this, and for some reason they regard this type of thing as your responsibility. All they do is provide you a publicly available web root. It's up to you to protect what is in it.

PS: Did you get an email from me the other day?
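
Added example, not part of any post in this thread: a generalized form of the rule from post #15 that blocks every `.ini` file rather than only `php.ini`, with comments on why the two earlier patterns behaved as reported. It assumes Apache httpd with `.htaccess` overrides enabled for access-control directives; the `mod_authz_core` branch covers Apache 2.4, which postdates the thread.

```apache
# Added example (not from the thread). Place in .htaccess at the web root,
# or in httpd.conf inside the relevant <Directory> block.
#
# <Files ~ "regex"> and <FilesMatch "regex"> test the regex against the
# file name only, not the URL path. That explains the earlier attempts:
#   <Files ~ "^\.ini">  anchors at the start of the name, so it matches a
#                       file called ".ini..." but never "php.ini".
#   <Files ~ "*.ini">   is not a valid regex (a leading "*" has nothing to
#                       repeat); an invalid .htaccess produces a 500.
#                       Without the "~", "*.ini" is a valid wildcard.
#   <Files php.ini>     is an exact name match, so it works, but only for
#                       that one file name.

# Apache 2.4 and later (mod_authz_core present)
<IfModule mod_authz_core.c>
    <FilesMatch "\.ini$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 and earlier, the syntax used in the thread
<IfModule !mod_authz_core.c>
    <FilesMatch "\.ini$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

With the rule in place, a request for `/php.ini` should return 403 Forbidden instead of the file contents.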

