  #1  Blaher (Regular Coder; joined Nov 2005; North Canton, Ohio)

    Restricting script access, but not web

    I'll have to set up an example so I can explain this better.
    Say I have the following directory setup:

    /public_html/
    - /config.php
    - /index.php
    - /inc/
    - /site1/
    - /site2/

    I have the domain rootsite.com pointing to /public_html/. I have site1.com pointing to /public_html/site1/ and site2.com pointing to /public_html/site2/.

    Now the problem is there could be an injected file in /site1 that uses:
    PHP Code:
    <?php
    // Pull in the shared config one level up and dump the secret it defines.
    include('../config.php');
    echo $password, "\n";

    // Same trick against the neighbouring site's config.
    include('../site2/config.php');
    echo $password, "\n";

    // Overwrite the root site's front page.
    $fh = fopen('../index.php', 'w');
    fwrite($fh, "You've been hacked\n");
    fclose($fh);
    ?>
    I want to restrict this somehow from happening, without blocking web access. Anything with htaccess I can implement?
    Last edited by Blaher; 10-20-2009 at 07:30 PM.

  #2  tomws (Senior Coder; joined Nov 2007; Arkansas)
    Here's what Drupal uses to protect the vulnerable files:
    Code:
    # Protect files and directories from prying eyes.
    # Apache 2.2 mod_authz_host syntax: "Order allow,deny" with no Allow line
    # denies every client. On Apache 2.4 the equivalent is "Require all denied".
    <FilesMatch "\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
      Order allow,deny
    </FilesMatch>
    Files and FilesMatch are neighbors in the documentation.


    Restricting PHP uploads would be a good idea.

  #3  Blaher (Regular Coder; joined Nov 2005; North Canton, Ohio)
    That doesn't restrict php include access, only web access.

    It's also not file uploading I'm worried about; I'm very secure with my programming. /site1 and /site2 are my friends' websites. I can't depend on them to protect their PHP forms from file injections. This is just an extra layer of security.
    Last edited by Blaher; 10-20-2009 at 10:27 PM.

  #4  tomws (Senior Coder; joined Nov 2007; Arkansas)
    Ah. Well, that makes more sense. I'd keep away from having multiple users under one hosting account, but you didn't ask for that kind of advice.

    There may be some htaccess magic to handle this, but it's beyond my skill, if so. If not, you're pretty much completely exposed and at the mercy of your buddies. Good luck.


  #5  Blaher (Regular Coder; joined Nov 2005; North Canton, Ohio)
    I could make a .htaccess like the following and throw it into /site1:

    Code:
    <Directory [path to public_html]>
        Options -Includes
        Deny from All
    </Directory>
    <Directory [path to public_html]/site1/>
        Options +Includes
        Allow from All
    </Directory>
    However, since I can't use <Directory> in .htaccess, that stops me from doing it. Is there an alternative for doing something like that?

    I'm also not sure if this will stop php from writing to the public_html files, but I'll test it and give you an update.

  #6  tomws (Senior Coder; joined Nov 2007; Arkansas)
    I don't think the Options +Includes is going to help. Unless I'm mistaken, that's going to apply only to server side includes.

    Have you considered any PHP voodoo to accomplish this? I ran across this page where it shows an interesting lock-and-key method for some light access control (scroll down to the "Lock 'em up" section).

  #7  Blaher (Regular Coder; joined Nov 2005; North Canton, Ohio)
    Shoot, I was too excited that I'd found a solution that might help; I was only concerned that it was for PHP includes. The link you sent me is helpful, since I already have .htaccess blocking web access, and it also doesn't stop file writing.

    The config.php can also be easily read with the following injected script, even with that method being used:

    PHP Code:
    <?php
    // Read config.php as plain bytes; any "key" check inside it never runs.
    $filename = '../config.php';
    $fh = fopen($filename, 'r');
    $contents = fread($fh, filesize($filename));
    fclose($fh);
    echo $contents;
    ?>
    Thanks anyways for trying to help.
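The control this thread keeps circling is PHP's open_basedir, which is enforced inside every PHP filesystem function (fopen, file_get_contents, include, fwrite, ...) rather than at the web-access layer that .htaccess governs. The script below is an added example, not code from the thread or from either poster. It rebuilds the directory layout from post #1 in a temporary directory and runs three checks in one go: a "lock-and-key" constant in config.php (assumed here to be a defined()-constant check, since the page linked in post #6 is not reproduced; the constant name ROOTSITE_KEY and the sample password are made up for the demo) blocks a stray include() from site1, it does not block reading the same file as bytes (post #7's point), and open_basedir blocks both the read and the overwrite from post #1. It assumes PHP 7 or later on the command line on a POSIX system, because the third check starts a child php process with -d open_basedir=..., so the limit is imposed from outside the script the way a vhost or FPM pool would impose it.

```php
<?php
// Added example, not code from the thread. Rebuilds the layout from post #1
// under the system temp dir and checks three things:
//   1. a "lock-and-key" constant in config.php (assumed pattern; the page from
//      post #6 is not reproduced here) stops a stray include() from site1,
//   2. it does not stop the same file being read with file_get_contents(),
//   3. open_basedir stops both the read and the overwrite from post #1,
//      because PHP enforces it in every filesystem function, not just include().
// Step 3 runs in a child php process started with -d open_basedir=..., so the
// limit comes from outside the script, as it would from a vhost or FPM pool.

$root = sys_get_temp_dir() . '/obd_demo_' . getmypid();
mkdir("$root/public_html/site1", 0700, true);
$root = realpath($root);                      // open_basedir compares real paths

// config.php with a lock: refuse to run unless the includer set the key first.
// ROOTSITE_KEY and the password value are constructed for this demo.
$config_src = <<<'PHP'
<?php
if (!defined('ROOTSITE_KEY')) {
    return;                                   // stray include gets nothing
}
$password = 'not-a-real-secret';              // constructed sample value
PHP;
file_put_contents("$root/public_html/config.php", $config_src);
file_put_contents("$root/public_html/index.php", "<?php // root site\n");

// Work from site1, like the injected file in post #1 would.
chdir("$root/public_html/site1");

// 1. include() without the key: config.php returns before setting $password.
$password = null;
include '../config.php';
$lock_blocks_include = ($password === null);

// 2. Raw read: the key is PHP logic inside the file; reading bytes ignores it.
$leak = file_get_contents('../config.php');
$lock_blocks_read = (strpos($leak, 'not-a-real-secret') === false);

// 3. The two operations from post #1, repeated in a process confined to site1.
//    Each returns false (with an "open_basedir restriction in effect" warning,
//    silenced by @) instead of touching the parent directory.
$probe = '$r = @file_get_contents("../config.php");'
       . '$w = @file_put_contents("../index.php", "You\'ve been hacked\n");'
       . 'echo ($r === false ? "1" : "0"), ($w === false ? "1" : "0");';
$cmd = escapeshellarg(PHP_BINARY)
     . ' -d open_basedir=' . escapeshellarg("$root/public_html/site1")
     . ' -r ' . escapeshellarg($probe);
$out = trim((string) shell_exec($cmd));       // child inherits cwd = site1
$obd_blocks_read  = (($out[0] ?? '0') === '1');
$obd_blocks_write = (($out[1] ?? '0') === '1');
$index_intact = (file_get_contents("$root/public_html/index.php") === "<?php // root site\n");

foreach ([
    'lock-and-key stops include()'          => $lock_blocks_include,
    'lock-and-key stops raw read'           => $lock_blocks_read,
    'open_basedir stops raw read'           => $obd_blocks_read,
    'open_basedir stops write to index.php' => $obd_blocks_write,
    'index.php left intact'                 => $index_intact,
] as $label => $ok) {
    printf("%-40s %s\n", $label . ':', $ok ? 'yes' : 'no');
}

// Remove the throwaway tree.
unlink("$root/public_html/config.php");
unlink("$root/public_html/index.php");
rmdir("$root/public_html/site1");
rmdir("$root/public_html");
rmdir($root);
```

In a real deployment open_basedir is a PHP_INI_SYSTEM setting, so it cannot be set from .htaccess (which is why the question in post #1 has no .htaccess answer). With mod_php it goes in each site's `<VirtualHost>` or a `<Directory>` block in httpd.conf as `php_admin_value open_basedir "/path/to/public_html/site1/:/tmp/"`; with PHP-FPM it goes in each site's pool as `php_admin_value[open_basedir]`, ideally with each pool running as its own Unix user. Two caveats a practitioner should keep in mind: open_basedir only governs PHP's own file functions, not programs launched through exec() or system(), and it has had bypasses over the years; and under mod_php all three sites still run as the same Unix user, so it is a hardening layer on top of, not a replacement for, separate users and filesystem permissions, which is the point tomws raises in post #4.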

