Jump to content

Recommended Posts

I've got a shared hosting account, and my problem is that it allows viewing ini files. I tried using this:

 

<Files rbg.ini>

order deny,allow

allow from localhost

deny from all

</Files>

 

in an .htaccess file, but then the php script that needs to parse rbg.ini can't access it. Am I doing this wrong?

Link to comment
https://forums.phpfreaks.com/topic/88986-protect-ini-file-on-shared-hosting/
Share on other sites

But visitors on that specified domain will still be able to access the file ???

Since PHP has access to the full file system with the same rights as the O/S user you have created to run it - why not put the file outside the Apache folder tree?

I keep my PHP config files and much of my PHP code generally outside the Apache tree in other folders where only the PHP process has access.

madmax,

 

How would a visitor access this ini file? If I browse to http://www.mysite.com/rbg.ini I am not able to see the ini anymore. How is it possible for somebody to browse the ini file? I am on shared hosting, and they don't allow anything above root.

Unless you have other overriding rights restrictions the example code you gave would restrict access to only those accessing via "mysite.com" and deny everyone else. Those denied and excluded by rule could *not* access of course - but those accessing mysite.com could (caveat: unless you have other restrictions in your config/.htaccess files)

 

If you do it this way then no matter who you exclude you will always permit at least one or more domain names access to the file whether this is immediately obvious or not. Putting INI files within the public folder tree is always rather risky since, even if you have a very good ruleset and are keen on security there is always the chance of a later modification to your config accidentally revealing the files to a hacker by unintentionally relaxing security.

 

For these reasons, although it may be convenient for maintenance, if you're really concerned about security then I'd deny access altogether or move the files out of the tree. If the code doesn't work this way then there's a problem with the app which should never have a dependency on revealing the config file to the public via HTTP.  Perhaps like... ?

 

http://httpd.apache.org/docs/2.0/mod/core.html#filesmatch

http://httpd.apache.org/docs/2.0/mod/mod_access.html#order

 

<FilesMatch "\.ini$">
#Deny always by default
Order Allow,Deny
Deny from all
#Allow yourself only on local machines
Allow from localhost
Allow from 192.168.
</Files>

 

You should get a 403 Denied error on attempting access.

 

Since PHP can easily access files and folders outside the Apache public folder-tree (subject to user access-rights) moving files there provides an immediate increase in protection. It is still not 100% safe though since bugs in your code or misconfigurations in PHP security might still allow a hacker to compromise your system in various ways.

 

Also - "Seeing" something is not the same as not being able to access it and vice-versa. There's a useful saying that "obscurity does not equal security". If you have a commonly-available software package with common INI files with common names in common locations then automated bots could make various attempts to retrieve them via HTTP using the domain "mysite.com" (even if not actually "visible" from elsewhere)

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.