Old 10-20-2009, 07:21 PM   PM User | #1
Blaher
Restricting script access, but not web

I'll have to set up an example so I can explain this better.
Say I have the following directory setup:

/public_html/
- /config.php
- /index.php
- /inc/
- /site1/
- /site2/

In /public_html I have the domain rootsite.com pointing to /public_html/; I have site1.com pointing to /public_html/site1/ and site2.com to /public_html/site2/.

Now the problem is there could be an injected file in /site1 that uses:
PHP Code:
<?php
    // Reads the parent site's config and a sibling site's config, then
    // overwrites the parent site's index page (the scenario described above).
    include('../config.php');
    echo $password, "\n";
    include('../site2/config.php');
    echo $password, "\n";

    $fh = fopen('../index.php', 'w');
    fwrite($fh, "You've been hacked\n");
    fclose($fh);
?>
I want to restrict this somehow from happening, without blocking web access. Anything with htaccess I can implement?

Last edited by Blaher; 10-20-2009 at 07:30 PM..
Old 10-20-2009, 09:40 PM   PM User | #2
tomws
Here's what Drupal uses to protect the vulnerable files:
Code:
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
  Order allow,deny
</FilesMatch>
Files and FilesMatch are neighbors in the documentation.


Restricting PHP uploads would be a good idea.
__________________
Are you a Help Vampire?
Old 10-20-2009, 10:24 PM   PM User | #3
Blaher
That doesn't restrict PHP include access, only web access.

It's also not file uploading I'm worried about; I'm very secure with my programming. /site1 and /site2 are my friend's websites. I can't depend on them to protect their PHP forms from catching any file injections. This is just an extra score of security.

Last edited by Blaher; 10-20-2009 at 10:27 PM..
Old 10-20-2009, 10:43 PM   PM User | #4
tomws
Ah. Well, that makes more sense. I'd keep away from having multiple users under one hosting account, but you didn't ask for that kind of advice.

There may be some htaccess magic to handle this, but it's beyond my skill, if so. If not, you're pretty much completely exposed and at the mercy of your buddies. Good luck.
__________________
Are you a Help Vampire?
Old 10-21-2009, 12:00 AM   PM User | #5
Blaher
I could make a .htaccess like the following and throw it in to /site1:

Code:
<Directory [path to public_html]>
    Options -Includes
    Deny from All
</Directory>
<Directory [path to public_html]/site1/>
    Options +Includes
    Allow from All
</Directory>
However, since I can't use <Directory> in .htaccess, this stops me from doing that. Is there an alternative for doing something like that?

I'm also not sure if this will stop php from writing to the public_html files, but I'll test it and give you an update.
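The restriction the thread is after is PHP's own open_basedir, set per virtual host rather than through <Directory> in .htaccess: PHP then refuses include(), fopen() and friends on any path outside the listed directories, which covers all three of the read, include and write cases shown in post #1. This is an added example, not from the thread; the /home/account prefix and the *:80 listener are assumed placeholders for the real absolute paths and ports.

```apache
# Per-site PHP filesystem sandbox for mod_php (added example, assumed paths).
# Each vhost gets an open_basedir covering only its own tree plus /tmp,
# so a planted script under site1 cannot reach ../config.php, ../index.php
# or ../site2/config.php: PHP reports "open_basedir restriction in effect".

<VirtualHost *:80>
    ServerName rootsite.com
    DocumentRoot /home/account/public_html
    # The root site legitimately needs config.php and /inc, so its base
    # is the whole public_html tree.
    php_admin_value open_basedir "/home/account/public_html:/tmp"
</VirtualHost>

<VirtualHost *:80>
    ServerName site1.com
    DocumentRoot /home/account/public_html/site1
    # php_admin_value cannot be overridden by ini_set() or by a php_value
    # line in a .htaccess that a compromised site could write.
    php_admin_value open_basedir "/home/account/public_html/site1:/tmp"
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.com
    DocumentRoot /home/account/public_html/site2
    php_admin_value open_basedir "/home/account/public_html/site2:/tmp"
</VirtualHost>
```

On shared hosting without httpd.conf access, a `php_value open_basedir` line in /public_html/.htaccess works under mod_php with PHP 5.3 or later, but a writable .htaccess inside site1 could reset it, so the vhost-level php_admin_value (or a separate OS user per site via suexec/FastCGI, which also bounds shell commands that open_basedir does not cover) is the robust form.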
Old 10-21-2009, 12:39 AM   PM User | #6
tomws
I don't think the Options +Includes is going to help. Unless I'm mistaken, that's going to apply only to server side includes.

Have you considered any PHP voodoo to accomplish this? I ran across this page where it shows an interesting lock-and-key method for some light access control (scroll down to the "Lock 'em up" section).
__________________
Are you a Help Vampire?
Old 10-21-2009, 01:21 AM   PM User | #7
Blaher
Shoot, I was too excited that I found a solution that might help; I was only concerned that it was for PHP includes. The link you sent me isn't helpful, since I already have htaccess block web access, and it also doesn't stop file writing.

The config.php can also be easily read with the following injected script, even with that method being used:

PHP Code:
<?php
    // Reads the parent site's config.php directly from disk, bypassing
    // any web-level (.htaccess) restriction on that file.
    $filename = '../config.php';
    $fh = fopen($filename, 'r');
    echo fread($fh, filesize($filename));
    fclose($fh);
?>
Thanks anyways for trying to help.