Jump to content

External file access


freelance84

Recommended Posts

I'm not sure if this is the correct place for this one, if not i'm sure it will be corrected.

 

With regards to the PHP-security tutorial:

Section 5 talks about External file access and how everything but the index.php should be removed from the document root... I'm pretty confused and been trying to get my head around this for about 2hrs now, with google searches not really resulting in much.

 

Firstly, don't all the pages need to be in the public_html or one of its sub-directories?

 

Also, if something does go wrong and the user does see the directory tree, would they be able to right click and save to file any folder/file they wish? Or are they just simply able to view the different file names?

 

Please go easy with me one this one, it's all completely new and i'm just struggling to break in.

 

Thanks,

 

John

 

Link to comment
Share on other sites

You can turn Indexes off via a .htaccess file in apache - this would eliminate any way of retrieving a "Directory Listing".

But yes, External files are usually in a folder above the public_html. eg:

 

www/

  external_includes/

      config.php

  public_html/

      index.php

 

index.php would have a line like so:

include("../external_includes/config.php");

 

-cb-

Link to comment
Share on other sites

Ok, so if I turned Indexes off via the .htaccess, if Apache failed or something else the user would not be able to see anything but a blank page?

 

What if the Apache or something else failed during the login? Would this display the login.php to user in plain text?

Link to comment
Share on other sites

If apache failed, you would not even get access to the webserver.

If for some reason apache failed to load .htaccess files then yes they could technically get your directory tree, but directory trees arent that big a security threat in itself, it is when you have bad code design when it is a problem. for instance,

 

index.php

admin/

  delete_db.php

 

This is a problem that many Shopping Carts and CMS scripts had - these files could be remotely activated by using specific GET requests.

This would allow someone to know where to strike first.

 

If you truly are worried about your directory tree being viewed, then yes use the external file method as outlined above. But technically you should never need to hide your directory tree, if your worried about security, get people you know (phpfreaks beta test forums is a good place) to try to hack it and close the gaps.

 

-cb-

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.