Apache rule/directive to stop serving PHP pages from /var/www/includes/

on 02.04.2010 04:07:58 by Daevid Vincent

(Sorry if this is a duplicate. I sent one earlier with "OT:" prefixing the
subject line and I think this list software kills the message despite being
proper netiquette. *sigh*)

I have your basic web tree setup.

developer@mypse:/var/www/dart2$ tree -d -I 'CVS'
|-- UPDATES
|-- ajax
|-- images
| |-- gui
| `-- icons
`-- includes
|-- classes
|-- css
|-- functions
| `-- xml
|-- gui
|-- js
| |-- charts
`-- pear
|-- Auth
|-- Benchmark
|-- DB
|-- Date
|-- File
|-- Spreadsheet
`-- XML_RPC

It's not ideal. I would normally have /includes/ in a directory outside the
servable webroot directory, but for various reasons I won't go into, this
is how it is.

Now I have Apache configured to NOT allow directory browsing.

I also have an index.html file in most all main directories to log attempts
and also redirect back to the main site.

What I don't know how to protect against is if someone were to KNOW the
name of a .php file. Say I have /includes/foo.inc.php for example, someone
can put that in their URL and apache will happily serve it up. :(

Is there a directive to prevent this?

I would think it should be doable since PHP reads the file directly off of
disk via a command like this and isn't really served per se:

require_once ROOTPATH.'/includes/functions/foo.inc.php';

Anyone? Anyone? Bueller? Bueller?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Apache rule/directive to stop serving PHP pages from /var/www/includes/

on 02.04.2010 04:23:24 by Robert Cummings

Daevid Vincent wrote:
> (Sorry if this is a duplicate. I sent one earlier with "OT:" prefixing the
> subject line and I think this list software kills the message despite being
> proper netiquette. *sigh*)
>
> I have your basic web tree setup.
>
> developer@mypse:/var/www/dart2$ tree -d -I 'CVS'
> |-- UPDATES
> |-- ajax
> |-- images
> | |-- gui
> | `-- icons
> `-- includes
> |-- classes
> |-- css
> |-- functions
> | `-- xml
> |-- gui
> |-- js
> | |-- charts
> `-- pear
> |-- Auth
> |-- Benchmark
> |-- DB
> |-- Date
> |-- File
> |-- Spreadsheet
> `-- XML_RPC
>
> It's not ideal. I would normally have /includes/ in a directory outside the
> servable webroot directory, but for various reasons I won't go into, this
> is how it is.
>
> Now I have Apache configured to NOT allow directory browsing.
>
> I also have an index.html file in most all main directories to log attempts
> and also redirect back to the main site.
>
> What I don't know how to protect against is if someone were to KNOW the
> name of a .php file. Say I have /includes/foo.inc.php for example, someone
> can put that in their URL and apache will happily serve it up. :(
>
> Is there a directive to prevent this?
>
> I would think it should be doable since PHP reads the file directly off of
> disk via a command like this and isn't really served per se:
>
> require_once ROOTPATH.'/includes/functions/foo.inc.php';
>
> Anyone? Anyone? Bueller? Bueller?



Order allow,deny
Deny from all



Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP


RE: Apache rule/directive to stop serving PHP pages from /var/www/includes/ [SOLVED]

on 02.04.2010 04:59:11 by Daevid Vincent

> -----Original Message-----
> From: Robert Cummings [mailto:robert@interjinn.com]
> Sent: Thursday, April 01, 2010 7:23 PM
> To: Daevid Vincent
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Apache rule/directive to stop serving PHP
> pages from /var/www/includes/
>
> Daevid Vincent wrote:
> > (Sorry if this is a duplicate. I sent one earlier with "OT:" prefixing the
> > subject line and I think this list software kills the message despite being
> > proper netiquette. *sigh*)
> >
> > I have your basic web tree setup.
> >
> > developer@mypse:/var/www/dart2$ tree -d -I 'CVS'
> > |-- UPDATES
> > |-- ajax
> > |-- images
> > | |-- gui
> > | `-- icons
> > `-- includes
> > |-- classes
> > |-- css
> > |-- functions
> > | `-- xml
> > |-- gui
> > |-- js
> > | |-- charts
> > `-- pear
> > |-- Auth
> > |-- Benchmark
> > |-- DB
> > |-- Date
> > |-- File
> > |-- Spreadsheet
> > `-- XML_RPC
> >
> > It's not ideal. I would normally have /includes/ in a directory outside the
> > servable webroot directory, but for various reasons I won't go into, this
> > is how it is.
> >
> > Now I have Apache configured to NOT allow directory browsing.
> >
> > I also have an index.html file in most all main directories to log attempts
> > and also redirect back to the main site.
> >
> > What I don't know how to protect against is if someone were to KNOW the
> > name of a .php file. Say I have /includes/foo.inc.php for example, someone
> > can put that in their URL and apache will happily serve it up. :(
> >
> > Is there a directive to prevent this?
> >
> > I would think it should be doable since PHP reads the file directly off of
> > disk via a command like this and isn't really served per se:
> >
> > require_once ROOTPATH.'/includes/functions/foo.inc.php';
> >
> > Anyone? Anyone? Bueller? Bueller?
>
>
>
> Order allow,deny
> Deny from all
>
>


Brilliant! Thanks Rob.

Here is the final that I went with (turns out I had to mind the
/includes/js directory or all my jQuery stuff STB, so that's why I call
each directory out like that):

developer@myvm:/etc/apache2/sites-enabled$ tail -n20 000-default

# [dv] added 2010-04-01 to prevent serving include files and such

Order allow,deny
Deny from all


Order allow,deny
Deny from all


Order allow,deny
Deny from all


Order allow,deny
Deny from all


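A complete version of the per-directory deny that Rob suggested and that the final config above applies directory by directory, written here as an added example rather than either poster's own config: it assumes the DocumentRoot is /var/www/dart2 (as in the tree output) and that only includes/js and includes/css must stay reachable by browsers, and it adds the Apache 2.4 equivalent next to the 2.2 syntax the thread uses.

```apache
# Added example (not from the thread). Assumed DocumentRoot: /var/www/dart2.
# Lives in the VirtualHost (e.g. sites-enabled/000-default) or httpd.conf.
# Apache access control only governs HTTP requests; PHP's require_once opens
# the file from disk, so the includes keep working after this is applied.

# Apache 2.2 syntax (mod_authz_host): refuse every request under /includes.
<Directory /var/www/dart2/includes>
    Order allow,deny
    Deny from all
</Directory>

# Re-open only the subdirectories that browsers genuinely fetch (jQuery, CSS).
# The more specific <Directory> replaces the parent's Order/Allow/Deny set.
<Directory /var/www/dart2/includes/js>
    Order allow,deny
    Allow from all
</Directory>
<Directory /var/www/dart2/includes/css>
    Order allow,deny
    Allow from all
</Directory>

# Belt and braces: even inside the re-opened directories, never serve a file
# named *.inc.php over HTTP, anywhere under the DocumentRoot.
<FilesMatch "\.inc\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Apache 2.4 equivalent (mod_authz_core). Order/Allow/Deny only work there if
# mod_access_compat is loaded, so use Require instead:
# <Directory /var/www/dart2/includes>
#     Require all denied
# </Directory>
# <Directory /var/www/dart2/includes/js>
#     Require all granted
# </Directory>
# <FilesMatch "\.inc\.php$">
#     Require all denied
# </FilesMatch>
```

After a reload, a request for /includes/foo.inc.php should come back 403 while /includes/js/ files still load; checking both is the quickest way to confirm the exception did not silently reopen more than intended.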
