Re: [PHP] securing an 'includes' dir

2002-07-02 Thread Richard Lynch

>>> "Justin French" <[EMAIL PROTECTED]> wrote in message
>>> news:[EMAIL PROTECTED]...
>>>> 1. Name all included files .inc
>>> 
>>> If you name them *.php then put anything in them inside a function, then
>>> when the user browses to that file he/she won't see anything at all.
>> 
>> You've already moved them out of the web tree so that they can't browse to
>> them in the first place...
>
>Actually, the OP was about securing an includes directory which COULD NOT be
>placed outside the docroot.

Change web hosts. :-)

Seriously.

It's cheaper than buying the Zend Encoder (or knock-off copies thereof),
which is your only other real alternative.

The rest of your options aren't worth considering, unless you just don't
care if your db data is publicly write-able or not.

-- 
Like Music?  http://l-i-e.com/artists.htm


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] securing an 'includes' dir

2002-07-02 Thread Jason Wong

On Tuesday 02 July 2002 18:02, Justin French wrote:
> on 02/07/02 5:41 PM, Richard Lynch ([EMAIL PROTECTED]) wrote:
> >> "Justin French" <[EMAIL PROTECTED]> wrote in message
> >> news:[EMAIL PROTECTED]...
> >>
> >>> 1. Name all included files .inc
> >>
> >> If you name them *.php then put anything in them inside a function, then
> >> when the user browses to that file he/she won't see anything at all.
> >
> > You've already moved them out of the web tree so that they can't browse
> > to them in the first place...
>
> Actually, the OP was about securing an includes directory which COULD NOT
> be placed outside the docroot.

Can we kill this thread. Please? It's going round and round in circles.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Violence is molding.
*/






Re: [PHP] securing an 'includes' dir

2002-07-02 Thread Justin French

on 02/07/02 5:41 PM, Richard Lynch ([EMAIL PROTECTED]) wrote:

>> "Justin French" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]...
>>> 1. Name all included files .inc
>> 
>> If you name them *.php then put anything in them inside a function, then
>> when the user browses to that file he/she won't see anything at all.
> 
> You've already moved them out of the web tree so that they can't browse to
> them in the first place...

Actually, the OP was about securing an includes directory which COULD NOT be
placed outside the docroot.

Justin French






Re: [PHP] securing an 'includes' dir

2002-07-02 Thread Richard Lynch

>"Justin French" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> 1. Name all included files .inc
>
>If you name them *.php then put anything in them inside a function, then
>when the user browses to that file he/she won't see anything at all.

You've already moved them out of the web tree so that they can't browse to
them in the first place...

It's better to clearly denote them as *NOT* "entry point" .php (or .htm)
files than to possibly upload them into htdocs.

When you see .inc in htdocs, you know you screwed up.  Vice versa for .php
in your includes directory, which is not in htdocs.

Works for me. :-)

YMMV.

-- 
Like Music?  http://l-i-e.com/artists.htm






Re: [PHP] securing an 'includes' dir

2002-06-30 Thread Steve Yates

"Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Steve Yates wrote:
> >If you name them *.php then put anything in them inside a function, then
> >when the user browses to that file he/she won't see anything at all.
> >
> I think this is a very poor tactic, because it "covers up" the problem
> rather than doing anything about it.
>(...)
> It's much better to properly name your included files *.inc as suggested
> by Mr. French and either:
> 1. don't put them under document root (my preference)
> or:
> 2. configure your Web server to not allow access to .inc files

I guess I wasn't trying to say that my suggestion was a complete
solution, but one thing to consider.  For instance, what happens if the
.htaccess file is accidentally deleted?  Then there's no protection.  Or say
the host upgrades PHP or Apache and for whatever reason PHP files aren't
being parsed?  Then my suggestion doesn't solve things (but moving them
outside the htdocs structure will, if available as an option).

Is there an advantage to not putting code in included files inside
functions?  I wasn't sure if you were critiquing that part of my suggestion
also.

 - Steve Yates
 - Edit. Assemble. Link. Run. Curse. Boot.

/ Taglines by Taglinator - www.srtware.com /









Re: [PHP] securing an 'includes' dir

2002-06-30 Thread Chris Shiflett

Steve Yates wrote:

>"Justin French" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>
>>1. Name all included files .inc
>
>If you name them *.php then put anything in them inside a function, then
>when the user browses to that file he/she won't see anything at all.
>
I think this is a very poor tactic, because it "covers up" the problem 
rather than doing anything about it. You still allow people to access 
your modules directly, and worse, you allow them to execute these 
modules out of context. By restricting your modules to only allow 
function declarations, you also make things more difficult on yourself 
without any real benefit.

It's much better to properly name your included files *.inc as suggested 
by Mr. French and either:
1. don't put them under document root (my preference)
or:
2. configure your Web server to not allow access to .inc files

Chris








Re: [PHP] securing an 'includes' dir

2002-06-30 Thread Steve Yates

"Justin French" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> 1. Name all included files .inc

If you name them *.php then put anything in them inside a function, then
when the user browses to that file he/she won't see anything at all.

 - Steve Yates
 - A fool and his money... Hey! Where's my wallet?

/ Taglines by Taglinator - www.srtware.com /









Re: [PHP] securing an 'includes' dir

2002-06-28 Thread Erik Price


On Friday, June 28, 2002, at 04:25  AM, Nick Wilson wrote:

> How might I make an 'includes' dir inside the http root and stop users
> being able to browse it?

chmod go-rwx dirname

But this will probably stop the web server from reading the file.

Perhaps the administrators can provide a script (SUID) that allows a 
user to change the group association of the file to that of the web 
server?  Yet without making the user a part of the group itself, 
otherwise all users would be able to see all of these files...


Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] securing an 'includes' dir

2002-06-28 Thread Jason Wong

On Friday 28 June 2002 16:40, Nick Wilson wrote:
> * and then Jason Wong declared
>
> > If using Apache, you would set a directive to deny all access to that
> > directory.
>
> Gotcha. Can you demonstrate?

 
   Deny from All
 

Remember this is only safe from browsers. PHP itself can still access those 
files.

Combining this with all the other suggestions would make it pretty secure. 

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
The trouble with doing something right the first time is that nobody
appreciates how difficult it was.
*/






Re: [PHP] securing an 'includes' dir

2002-06-28 Thread Dan Hardiker

> 1. Name all included files .inc I do this for many reasons, but mainly
> to help me know which are executables, and which are includes.  It also
> helps with step 3.

Just for an added layer of security (in case step 3 isn't effective due to
mis-configuration or what have you), name them .inc.php and at the top of
the code put something like this (eg: filename == mysql.inc.php):

<?php
// Abort when this include is requested directly rather than include()d.
if ($_SERVER['SCRIPT_NAME'] == "/inc/mysql.inc.php")
  die("you shouldn't be talking to me!");

or if you're really clever - you could throw a 404: not found or a 301:
access denied.

This also means that your script will be relatively harmless and the PHP
code would never be divulged. If it was in a .inc file alone, then if the
.htaccess wasn't being effective (or it was accidentally uploaded to an
alternate location) then it would be completely exposed.

> 3. Include a .htaccess file in the /inc/ directory (or further up
> towards your docroot with the following:
>
> 
> Order Allow,Deny
> Deny from all
> 

Change the first line to  in order to fit this more
secure procedure.

-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd







Re: [PHP] securing an 'includes' dir

2002-06-28 Thread Justin French

Assuming you have Apache/Unix (don't know about any other set-ups), I do the
following.

1. Name all included files .inc I do this for many reasons, but mainly to
help me know which are executables, and which are includes.  It also helps
with step 3.

2. I always keep them in a separate dir to the rest of my code, eg /inc/

3. Include a .htaccess file in the /inc/ directory (or further up towards
your docroot) with the following:


Order Allow,Deny
Deny from all


Basically, it denies direct (http) access to all *.inc files.  This means
the only way you can use/view/execute .inc files is by things like include()
in another php script.  I believe that Apache spits out a 500 error page if
you try to access something.inc via the URL.


4. In addition (and a small deterrent in itself if step 3 is unavailable), I
include a blank or redirecting index.html file in the /inc/ directory, so
that they can't view the directory listing at all.


An additional security measure might be to ensure that only certain scripts
can access the inc files, but I haven't gone that far yet :)

I'm unsure how well this prevents other users on the server from accessing
the files though.


Unfortunately this will require the admin to allow you to use htaccess files
in your on disk hierarchy, or possibly requesting him/her to make the
changes needed themselves.


Justin French




on 28/06/02 6:25 PM, Nick Wilson ([EMAIL PROTECTED]) wrote:

> 
> Hi all
> I'm setting up a site for a client and his host refuses to create (or
> allow me to) a directory outside of the http root.
> 
> How might I make an 'includes' dir inside the http root and stop users
> being able to browse it?
> 
> Many thanks
> - -- 
> Nick Wilson //  www.explodingnet.com
> 
> 
> 

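The deny rules described in the steps above (and in Jason Wong's "deny all access to that directory" reply), written out as an added example rather than either poster's own file. The <Files> pattern is my assumption, since the archive dropped the original's tags, and the /var/www/html/inc path is a placeholder.

```apache
# .htaccess placed in /inc/ (or higher, up to the docroot).
# Needs the host to permit overrides (AllowOverride Limit AuthConfig Options).
# Assumed pattern: any filename ending in ".inc". Matching requests get a
# 403 Forbidden from Apache; include() still reads the files from disk.
<Files ~ "\.inc$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier, as posted in the thread
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

# Step 4 without depending on a blank index.html: no automatic listing.
Options -Indexes

# Alternative for httpd.conf (not .htaccess): deny the whole directory to
# browsers, which is the form of Jason Wong's reply. Placeholder path.
# <Directory "/var/www/html/inc">
#     Require all denied
# </Directory>
```

To confirm the rule is live after any host change, request an include directly (for example `curl -I http://yourhost/inc/mysql.inc`) and expect a 403; a 200 carrying PHP source means the override is not being applied.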





Re: [PHP] securing an 'includes' dir

2002-06-28 Thread Nick Wilson



* and then Jason Wong declared
> If using Apache, you would set a directive to deny all access to that 
> directory.

Gotcha. Can you demonstrate?

Cheers...
- -- 
Nick Wilson //  www.explodingnet.com








RE: [PHP] securing an 'includes' dir

2002-06-28 Thread Brian McGarvie

And when using IIS, use Windows security.

> -Original Message-
> From: Jason Wong [mailto:[EMAIL PROTECTED]]
> Sent: 28 June 2002 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] securing an 'includes' dir
> 
> 
> On Friday 28 June 2002 16:25, Nick Wilson wrote:
> > Hi all
> > I'm setting up a site for a client and his host refuses to create (or
> > allow me to) a directory outside of the http root.
> >
> > How might I make an 'includes' dir inside the http root and stop users
> > being able to browse it?
> 
> If using Apache, you would set a directive to deny all access to that 
> directory.
> 
> -- 
> Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
> 
> /*
>   "How many people work here?"
>   "Oh, about half."
> */
> 
> 
> 
> 





Re: [PHP] securing an 'includes' dir

2002-06-28 Thread Jason Wong

On Friday 28 June 2002 16:25, Nick Wilson wrote:
> Hi all
> I'm setting up a site for a client and his host refuses to create (or
> allow me to) a directory outside of the http root.
>
> How might I make an 'includes' dir inside the http root and stop users
> being able to browse it?

If using Apache, you would set a directive to deny all access to that 
directory.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
"How many people work here?"
"Oh, about half."
*/






[PHP] securing an 'includes' dir

2002-06-28 Thread Nick Wilson


Hi all
I'm setting up a site for a client and his host refuses to create (or
allow me to) a directory outside of the http root.

How might I make an 'includes' dir inside the http root and stop users
being able to browse it?

Many thanks
- -- 
Nick Wilson //  www.explodingnet.com



