sKunKbad Posted February 2, 2008 Share Posted February 2, 2008 I've got a shared hosting account, and my problem is that it allows viewing ini files. I tried using this: <Files rbg.ini> order deny,allow allow from localhost deny from all </Files> in an .htaccess file, but then the php script that needs to parse rbg.ini can't access it. Am I doing this wrong? Quote Link to comment Share on other sites More sharing options...
sKunKbad Posted February 2, 2008 Author Share Posted February 2, 2008 This is what ended up working: <Files rbg.ini> order deny,allow deny from all allow from mysite.com </Files> Quote Link to comment Share on other sites More sharing options...
madmax Posted February 2, 2008 Share Posted February 2, 2008 But visitors on that specified domain will still be able to access the file ??? Since PHP has access to the full file system with the same rights as the O/S user you have created to run it - why not put the file outside the Apache folder tree? I keep my PHP config files and much of my PHP code generally outside the Apache tree in other folders where only the PHP process has access. Quote Link to comment Share on other sites More sharing options...
sKunKbad Posted February 3, 2008 Author Share Posted February 3, 2008 madmax, How would a visitor access this ini file? If I browse to http://www.mysite.com/rbg.ini I am not able to see the ini anymore. How is it possible for somebody to browse the ini file? I am on shared hosting, and they don't allow anything above root. Quote Link to comment Share on other sites More sharing options...
madmax Posted February 3, 2008 Share Posted February 3, 2008 Unless you have other overriding rights restrictions the example code you gave would restrict access to only those accessing via "mysite.com" and deny everyone else. Those denied and excluded by rule could *not* access of course - but those accessing mysite.com could (caveat: unless you have other restrictions in your config/.htaccess files) If you do it this way then no matter who you exclude you will always permit at least one or more domain names access to the file whether this is immediately obvious or not. Putting INI files within the public folder tree is always rather risky since, even if you have a very good ruleset and are keen on security there is always the chance of a later modification to your config accidentally revealing the files to a hacker by unintentionally relaxing security. For these reasons, although it may be convenient for maintenance, if you're really concerned about security then I'd deny access altogether or move the files out of the tree. If the code doesn't work this way then there's a problem with the app which should never have a dependency on revealing the config file to the public via HTTP. Perhaps like... ? http://httpd.apache.org/docs/2.0/mod/core.html#filesmatch http://httpd.apache.org/docs/2.0/mod/mod_access.html#order <FilesMatch "\.ini$"> #Deny always by default Order Allow,Deny Deny from all #Allow yourself only on local machines Allow from localhost Allow from 192.168. </Files> You should get a 403 Denied error on attempting access. Since PHP can easily access files and folders outside the Apache public folder-tree (subject to user access-rights) moving files there provides an immediate increase in protection. It is still not 100% safe though since bugs in your code or misconfigurations in PHP security might still allow a hacker to compromise your system in various ways. Also - "Seeing" something is not the same as not being able to access it and vice-versa. There's a useful saying that "obscurity does not equal security". If you have a commonly-available software package with common INI files with common names in common locations then automated bots could make various attempts to retrieve them via HTTP using the domain "mysite.com" (even if not actually "visible" from elsewhere) Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.