Ninjakreborn

question

I just tried this and it works.
When I go to a website
www.domainname.com/php.ini
it pulls up the ini file for the site. Isn't that a severe security risk? They immediately get to see all information about PHP's settings, your version number, ALL the settings, and this is the same way with all sites; almost all sites have it to where it can be easily downloaded. Is this a security issue at all? If so, why is it set to be able to do that?

Actually it doesn't happen on all sites; phpfreaks doesn't, and msn doesn't, but all of my sites do, and some others. How do I fix this, or is this not an issue, or what?

Well, other sites under that hosting have it either. Is there a specific setting I need to set up to be able to do that? I never thought about that. I am scouring sites now trying to find other ones; I have found a few but not as many as I would have thought.

I called the hosting company, and he checked his site that is hosted by bluehost. He said it was doing the same thing and that is strange; he is checking in on it now.

OK, how would I put something in htaccess to stop that file from getting access? He said it was because they allow everyone on the server access to their own php.ini file; because of that, it does that. I can do something with htaccess, any advice on what?

[code]
<Files ~ "^\.ini">
  Order allow,deny
  Deny from all
</Files>
[/code]

I tried that but for some reason it didn't work. Any more advice on how to stop it from displaying?

Sorry... my bad. Try this...
[code]
<Files ~ "*.ini">
  Order allow,deny
  Deny from all
</Files>
[/code]

Looks like your host has set up an alias within the server config file. However, they appear to have misconfigured something, as it is not a good idea to allow someone to type in php.ini in the browser to view the PHP setup; instead they should display the phpinfo, rather than the raw php.ini file. Looks like your host doesn't quite know what they are doing!

I am going to fix that, with the php thing that he showed me for all my clients, and call them, and tell them they have to figure out a way to fix that. I have asked other developers, and that means it's misconfigured.

Shared hosts running PHP as a CGI allow each site to create their own php.ini files within their application tree structure; that is what we are seeing.

However, you are correct. The configuration directive I posted really ought to be implemented in the server-wide httpd.conf, not on a per-user basis.

I tried that one, and this time it gave me an internal server error 500. Any advice?

Let's try a more direct approach.
[code]
<Files php.ini>
  Order allow,deny
  Deny from all
</Files>
[/code]

Ah perfect, I will use that in all my websites from now on that I do with that company. I am going to sit down with the company for a while too, and explain to them the dangers of this, and tell them that they need to change it.

All they need do is add that snippet to the server's httpd.conf file and the problem is solved. I'm sure however that they are aware of this, and for some reason they regard this type of thing as your responsibility. All they do is provide you a publicly available web root. It's up to you to protect what is in it.

PS: Did you get an email from me the other day?
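
Why the three `<Files>` attempts in this thread behaved differently, as an added example that is not part of any poster's reply: a small Python model of how a `<Files>` pattern is matched against a requested file name. Python's `re` and `fnmatch` stand in for Apache's regex and wildcard matching (an assumption of the model), and the function names and the `\.ini$` pattern are illustrative.

```python
import fnmatch
import re

# Opening tag of a <Files> / <FilesMatch> section; "~" or FilesMatch means regex.
_OPEN = re.compile(r'<\s*(FilesMatch|Files)\s+(~\s*)?"?([^">]+)"?\s*>', re.I)


def files_section_result(opening_tag, filename):
    """Return 'match', 'no-match' or 'invalid' for one opening tag."""
    m = _OPEN.match(opening_tag.strip())
    if not m:
        raise ValueError("not a <Files>/<FilesMatch> opening tag")
    kind, tilde, pattern = m.groups()
    if kind.lower() == "filesmatch" or tilde:
        try:
            rx = re.compile(pattern)
        except re.error:
            # A pattern that does not compile is a configuration error;
            # inside .htaccess that surfaces as a 500 response.
            return "invalid"
        # Regex patterns are searched, not anchored to the whole name.
        return "match" if rx.search(filename) else "no-match"
    # Without "~" the pattern is a literal name or shell-style wildcard.
    return "match" if fnmatch.fnmatchcase(filename, pattern) else "no-match"


# The three attempts from the thread, plus an illustrative FilesMatch form
# (not from the thread) that covers every name ending in .ini.
ATTEMPTS = [
    r'<Files ~ "^\.ini">',
    r'<Files ~ "*.ini">',
    r'<Files php.ini>',
    r'<FilesMatch "\.ini$">',
]


def audit(filename="php.ini"):
    """Map each opening tag to how it treats the given file name."""
    return {tag: files_section_result(tag, filename) for tag in ATTEMPTS}


if __name__ == "__main__":
    for tag, result in audit().items():
        print(f"{result:9} {tag}")
```

The first pattern only matches names that begin with `.ini`, and the second is not a valid regular expression, which fits the "didn't work" and 500 results reported in the thread. On Apache 2.4 the `Order`/`Deny` pair is written `Require all denied`.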
