Re: [PHP] PHP Security - view source code
Dear all,

One more measure to stop people getting the source code of .inc files is to deny the files which have the inc extension in Apache httpd.conf itself with a DIRECTORY configuration.

with regards,
Sukumar .S

On Thu, 17 Jan 2002, Radu Filip wrote:

> Date: Thu, 17 Jan 2002 02:10:01 +0200 (EET)
> From: Radu Filip [EMAIL PROTECTED]
> To: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Subject: Re: [PHP] PHP Security - view source code
>
> On Thu, 17 Jan 2002, [EMAIL PROTECTED] wrote:
>
> > I've seen a number of sites for example that didn't have the .inc
> > extension registered, include() doesn't care about that, but if your
> > includes are under the document root of your website (that happens a
> > lot too, i don't know why ?) and you specify the exact name of the
> > include in your browser (or worse, the directory is browsable from the
> > web), the webserver will default to text/plain content and display the
> > source. Bad thing since includes usually contain passwords and stuff.
>
> I agree with this, since I saw such mistakes with my own eyes.
>
> IMHO, the best way to avoid this kind of problems is to:
>
> (1) avoid using .inc files; use .php files like for normal scripts
> (2) turn the Indexes directive off by default per website
> (3) make directories 711 instead of 755
> (4) develop an organized php scripts structure outside DocumentRoot and
>     place the files that you will eventually include in an include
>     subdirectory within that structure
> (5) review changes all the time, check your weblogs and be vigilant :-)
>
> Ave,
> Socrate
>
> --
> Radu Filip
> Network Administrator @ Technical University of Iasi
> [EMAIL PROTECTED]
> Information Technology and Communication Center
> http://socrate.tuiasi.ro/
> [EMAIL PROTECTED] | http://ccti.tuiasi.ro/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]

--
A real friend is one who walks in when the rest of the world walks out
Re: [PHP] PHP Security - view source code
On Wednesday, January 16, 2002, at 07:22 PM, Christopher William Wesley wrote:

> If you are the server's admin, or know the person well, you can tighten
> the file permissions down more with a little administrative work ...
> adding a new group of which your user and the web server are a member,
> and only permitting access to your files to that group and yourself.

On my Linux box, which is shared with several users (I am admin), I would like to do something like this -- if I created the group php, and added myself to that group, I could use files associated with the group php. My web server runs as nobody. Do I just add nobody to the /etc/groups entry for the group php ? Or are you talking about a more involved administrative setup...

Thank you

Erik
Re: [PHP] PHP Security - view source code
On Wednesday, January 16, 2002, at 08:04 PM, Rasmus Lerdorf wrote:

> No, it is safer to block access to .inc files with an httpd.conf rule.
> Allowing people to execute files that were meant to be included out of
> context could end up being much more dangerous than simply having people
> see the source.
>
> -Rasmus

So the technique of adding .inc to the list of extensions in the AddType application/x-httpd-php line and just having PHP parse them as PHP code is unwise? Or should a combination of the two be used -- parsing .inc files *AND* blocking access to them in httpd.conf?

Erik
Re: [PHP] PHP Security - view source code
> On Wednesday, January 16, 2002, at 08:04 PM, Rasmus Lerdorf wrote:
>
> > No, it is safer to block access to .inc files with an httpd.conf rule.
> > Allowing people to execute files that were meant to be included out of
> > context could end up being much more dangerous than simply having
> > people see the source.
> >
> > -Rasmus
>
> So the technique of adding .inc to the list of extensions in the AddType
> application/x-httpd-php line and just having PHP parse them as PHP code
> is unwise? Or should a combination of the two be used -- parsing .inc
> files *AND* blocking access to them in httpd.conf?

Correct, that is unwise. I would never register .inc as being PHP types for the very reason I stated. Executing code out of the context it was meant to be executed in is a very bad idea.

-Rasmus
Re: [PHP] PHP Security - view source code
on 1/17/02 9:21 AM, Erik Price at [EMAIL PROTECTED] wrote:

> On my Linux box, which is shared with several users (I am admin), I
> would like to do something like this -- if I created the group php, and
> added myself to that group, I could use files associated with the group
> php. My web server runs as nobody. Do I just add nobody to the
> /etc/groups entry for the group php ? Or are you talking about a more
> involved administrative setup...

another possibility is to add yourself to whatever group the webserver runs as. my webserver runs as www.www so i added myself to the www group.

--
mike cullerton   michaelc at cullerton dot com
Re: [PHP] PHP Security - view source code
Best solution still seems to be to keep those includes out of your document root.

bvr.

On Thu, 17 Jan 2002 08:41:37 -0800 (PST), Rasmus Lerdorf wrote:

> > On Wednesday, January 16, 2002, at 08:04 PM, Rasmus Lerdorf wrote:
> >
> > > No, it is safer to block access to .inc files with an httpd.conf
> > > rule. Allowing people to execute files that were meant to be included
> > > out of context could end up being much more dangerous than simply
> > > having people see the source.
> > >
> > > -Rasmus
> >
> > So the technique of adding .inc to the list of extensions in the
> > AddType application/x-httpd-php line and just having PHP parse them as
> > PHP code is unwise? Or should a combination of the two be used --
> > parsing .inc files *AND* blocking access to them in httpd.conf?
>
> Correct, that is unwise. I would never register .inc as being PHP types
> for the very reason I stated. Executing code out of the context it was
> meant to be executed in is a very bad idea.
>
> -Rasmus
[PHP] PHP Security - view source code
How easy/hard is it to view the PHP source code when you're at a website? I noticed when I was using Internet Explorer, if I pressed view source...it would show the HTML but not the PHP.

-Phil
Re: [PHP] PHP Security - view source code
Well, if you do View Source on any browser, it will only show the source code of the HTML that the page has rendered, not the PHP/Perl/ASP/Cold Fusion/whatever that was used to generate the HTML code. So using View Source will never show you the programming behind the HTML.

That said, I don't believe it is very easy to view the source code of a PHP program that generates a web page. If you can get into the server, you can see the program. I have never tried it, so I'm not sure. Standard security measures apply.

Phil Schwarzmann wrote:

> How easy/hard is it to view the PHP source code when you're at a
> website? I noticed when I was using Internet Explorer, if I pressed view
> source...it would show the HTML but not the PHP.
>
> -Phil

--
Sliante,
Richard S. Crawford
mailto:[EMAIL PROTECTED]  http://www.mossroot.com
AIM: Buffalo2K  ICQ: 11646404  Yahoo!: rscrawford  MSN: [EMAIL PROTECTED]
It is only with the heart that we see rightly; what is essential is
invisible to the eye. --Antoine de Saint Exupery
Push the button, Max!
Re: [PHP] PHP Security - view source code
The PHP code is parsed and interpreted at the server level, and then returns only the output to the browser. It is not possible to view PHP code via view source.

----- Original Message -----
From: Phil Schwarzmann [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 16, 2002 1:03 PM
Subject: [PHP] PHP Security - view source code

> How easy/hard is it to view the PHP source code when you're at a
> website? I noticed when I was using Internet Explorer, if I pressed view
> source...it would show the HTML but not the PHP.
>
> -Phil
Re: [PHP] PHP Security - view source code
PHP is a server side language so the PHP engine parses all the php code in your webpage and then spits out html code. So when surfing through a website that uses PHP you will never see PHP code unless of course you screwed up and echoed the data :)

Rick

How wonderful it is that nobody need wait a single moment to improve the world. - Anne Frank

> From: Phil Schwarzmann [EMAIL PROTECTED]
> Date: Wed, 16 Jan 2002 16:03:45 -0500
> To: [EMAIL PROTECTED]
> Subject: [PHP] PHP Security - view source code
>
> How easy/hard is it to view the PHP source code when you're at a
> website? I noticed when I was using Internet Explorer, if I pressed view
> source...it would show the HTML but not the PHP.
>
> -Phil
Re: [PHP] PHP Security - view source code
The entire page, PHP with HTML, is sent to the PHP engine. It follows the instructions of the PHP code, outputting only HTML and error messages, and then hands the data to the web server which sends it to your browser. Unless something damages the PHP engine, causing the webserver to serve the pages without being pre-parsed by PHP, the PHP should never be revealed in the user's browser -- in fact it should never be sent at all.

That's why if you keep your database connection information in an include file, it is recommended to make sure that you give that file the appropriate extension to be parsed by PHP, so that the data doesn't get sent out if the page is requested (it gets turned into PHP code which isn't passed along). But of course, if something damaged the PHP pre-parser then you'd still be up a river.

Erik

On Wednesday, January 16, 2002, at 04:03 PM, Phil Schwarzmann wrote:

> How easy/hard is it to view the PHP source code when you're at a
> website? I noticed when I was using Internet Explorer, if I pressed view
> source...it would show the HTML but not the PHP.
>
> -Phil
Re: [PHP] PHP Security - view source code
Apart from unfortunately placed ?> 's or <? 's this is possible.

A very common mistake is not to register all of your php file extensions with apache. I've seen a number of sites for example that didn't have the .inc extension registered, include() doesn't care about that, but if your includes are under the document root of your website (that happens a lot too, i don't know why ?) and you specify the exact name of the include in your browser (or worse, the directory is browsable from the web), the webserver will default to text/plain content and display the source. Bad thing since includes usually contain passwords and stuff.

bvr.

On Wed, 16 Jan 2002 13:19:20 -0800, Richard Baskett wrote:

> PHP is a server side language so the PHP engine parses all the php code
> in your webpage and then spits out html code. So when surfing through a
> website that uses PHP you will never see PHP code unless of course you
> screwed up and echoed the data :)
>
> Rick
>
> How wonderful it is that nobody need wait a single moment to improve
> the world. - Anne Frank
>
> > From: Phil Schwarzmann [EMAIL PROTECTED]
> > Date: Wed, 16 Jan 2002 16:03:45 -0500
> > To: [EMAIL PROTECTED]
> > Subject: [PHP] PHP Security - view source code
> >
> > How easy/hard is it to view the PHP source code when you're at a
> > website? I noticed when I was using Internet Explorer, if I pressed
> > view source...it would show the HTML but not the PHP.
> >
> > -Phil
Re: [PHP] PHP Security - view source code
On Thu, 17 Jan 2002, [EMAIL PROTECTED] wrote:

> I've seen a number of sites for example that didn't have the .inc
> extension registered, include() doesn't care about that, but if your
> includes are under the document root of your website (that happens a lot
> too, i don't know why ?) and you specify the exact name of the include
> in your browser (or worse, the directory is browsable from the web), the
> webserver will default to text/plain content and display the source. Bad
> thing since includes usually contain passwords and stuff.

I agree with this, since I saw such mistakes with my own eyes.

IMHO, the best way to avoid this kind of problems is to:

(1) avoid using .inc files; use .php files like for normal scripts
(2) turn the Indexes directive off by default per website
(3) make directories 711 instead of 755
(4) develop an organized php scripts structure outside DocumentRoot and
    place the files that you will eventually include in an include
    subdirectory within that structure
(5) review changes all the time, check your weblogs and be vigilant :-)

Ave,
Socrate

--
Radu Filip
Network Administrator @ Technical University of Iasi
[EMAIL PROTECTED]
Information Technology and Communication Center
http://socrate.tuiasi.ro/
[EMAIL PROTECTED] | http://ccti.tuiasi.ro/
Re: [PHP] PHP Security - view source code
On Thu, 17 Jan 2002, [EMAIL PROTECTED] wrote:

> I've seen a number of sites for example that didn't have the .inc
> extension registered, include() doesn't care about that, but if your
> includes are under the document root of your website (that happens a lot
> too, i don't know why ?) and you specify the exact name of the include
> in your browser (or worse, the directory is browsable from the web), the
> webserver will default to text/plain content and display the source. Bad
> thing since includes usually contain passwords and stuff.

It also doesn't make a difference to PHP if your include files are in the web server's document root, or not. If you have important information in your include files, you'll be better off placing them in a directory which is not in your web server's document root. The web server will still need to access them, so you'll probably have to leave the permissions on the directory/files such that any users on the local system can read them (just like docs in the web root ... this is not a change), but at least the whole world isn't one HTTP request away from obtaining your important information.

If you are the server's admin, or know the person well, you can tighten the file permissions down more with a little administrative work ... adding a new group of which your user and the web server are a member, and only permitting access to your files to that group and yourself.

~Chris
  /\
  \ /   September 11, 2001
   X    We Are All New Yorkers
  / \   rm -rf /bin/laden
Re: [PHP] PHP Security - view source code
On Thu, 17 Jan 2002, [EMAIL PROTECTED] wrote:

> > I've seen a number of sites for example that didn't have the .inc
> > extension registered, include() doesn't care about that, but if your
> > includes are under the document root of your website (that happens a
> > lot too, i don't know why ?) and you specify the exact name of the
> > include in your browser (or worse, the directory is browsable from the
> > web), the webserver will default to text/plain content and display the
> > source. Bad thing since includes usually contain passwords and stuff.
>
> I agree with this, since I saw such mistakes with my own eyes.
>
> IMHO, the best way to avoid this kind of problems is to:
>
> (1) avoid using .inc files; use .php files like for normal scripts

No, it is safer to block access to .inc files with an httpd.conf rule. Allowing people to execute files that were meant to be included out of context could end up being much more dangerous than simply having people see the source.

-Rasmus
Re: [PHP] PHP Security - view source code
on 1/16/02 6:04 PM, Rasmus Lerdorf at [EMAIL PROTECTED] wrote:

> On Thu, 17 Jan 2002, [EMAIL PROTECTED] wrote:
>
> > (1) avoid using .inc files; use .php files like for normal scripts
>
> No, it is safer to block access to .inc files with an httpd.conf rule.
> Allowing people to execute files that were meant to be included out of
> context could end up being much more dangerous than simply having people
> see the source.

here is that httpd.conf rule stolen from an earlier post by Rasmus

    <Files ~ "\.inc$">
        Order allow,deny
        Deny from all
    </Files>

with this rule, if someone requests a file ending in .inc, apache won't deliver it. however, php will still be allowed to include those files itself.

--
mike cullerton   michaelc at cullerton dot com
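The httpd.conf rule in this message, Rasmus's warning against registering .inc as a PHP type, Radu's advice to keep includes outside DocumentRoot with 711 directories, and the group-based permission scheme Chris and Mike describe, brought together in one added shell example. This is not code from the thread or from any of its posters: the directory layout under a scratch path, the sample db.inc contents, the placeholder group name and the include_path value are all assumptions for illustration. The Apache fragment uses the 1.3/2.2 Order/Deny syntax the thread uses; on Apache 2.4 the equivalent inside the Files block is "Require all denied".

```sh
#!/bin/sh
# Added example, not from the thread: lay out a PHP application with its
# include files outside DocumentRoot, apply the permission scheme the
# thread recommends (directories 711; include files readable only by the
# owner and the web server's group), and print the httpd.conf fragment
# that refuses to serve *.inc directly.  All paths, the sample db.inc
# contents and the group name are assumptions; nothing touches a live server.
set -eu

# Physical absolute path of a directory.
abspath() { (cd "$1" && pwd -P); }

# setup_layout APPROOT [WWWGROUP]
#   APPROOT/htdocs  -> what Apache serves (DocumentRoot)
#   APPROOT/include -> private; reached only through include()
setup_layout() {
    approot=$1; wwwgroup=${2:-}
    mkdir -p "$approot/include" "$approot/htdocs"
    # Constructed sample files; a real db.inc holds credentials, hence the care.
    printf '<?php\n$db_pass = "placeholder";\n' > "$approot/include/db.inc"
    printf '<?php\nrequire "db.inc";\n' > "$approot/htdocs/index.php"
    # 711: the server can traverse, nobody can list (Radu's item 3).
    chmod 0711 "$approot" "$approot/include" "$approot/htdocs"
    # 640: owner and group (the server) read the include; "other" gets nothing.
    chmod 0640 "$approot/include/db.inc"
    chmod 0644 "$approot/htdocs/index.php"
    # Hand the private tree to the group the server runs as, if that group
    # exists here and we may use it (needs root or membership in the group).
    # To edit the files from your own account, add yourself to that group
    # as root with:  usermod -a -G "$wwwgroup" <your-user>   (not run here).
    if [ -n "$wwwgroup" ] && getent group "$wwwgroup" >/dev/null 2>&1; then
        chgrp -R "$wwwgroup" "$approot/include" ||
            echo "note: could not chgrp to $wwwgroup" >&2
    fi
}

# httpd_fragment APPROOT: Apache 1.3/2.2 syntax as used in the thread;
# Apache 2.4 spells the Files block "Require all denied" instead of Order/Deny.
httpd_fragment() {
    cat <<EOF
# Do NOT do this: it would run .inc files out of context when requested.
#   AddType application/x-httpd-php .inc
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
<Directory "$1/htdocs">
    Options -Indexes
</Directory>
# Let include("db.inc") resolve to the private directory (mod_php directive).
php_value include_path ".:$1/include"
EOF
}

# Succeeds when DIR exists and nothing under it has the world-readable bit set.
no_world_readable() {
    [ -d "$1" ] && [ -z "$(find "$1" -perm -004 -print)" ]
}

# Succeeds when INCDIR is not inside DOCROOT.
outside_docroot() {
    inc=$(abspath "$1"); doc=$(abspath "$2")
    case "$inc/" in
        "$doc"/*) return 1 ;;
    esac
    return 0
}

# Stand-alone demo against a scratch directory (set WWW_GROUP to try chgrp).
tmp=$(mktemp -d)
setup_layout "$tmp/app" "${WWW_GROUP:-}"
httpd_fragment "$tmp/app"
no_world_readable "$tmp/app/include" && echo "ok: include dir has no world-readable files"
outside_docroot "$tmp/app/include" "$tmp/app/htdocs" && echo "ok: include dir is outside DocumentRoot"
rm -rf "$tmp"
```

The two check functions are the part worth keeping around: run no_world_readable against the real include directory and outside_docroot against the real DocumentRoot after every deployment, which is the "review changes all the time" item from Radu's list turned into something a cron job can do. The include_path line is what lets a plain include("db.inc") keep working after the file has moved out of the web root.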