Website security, preventing access



  • I've inherited a project from an incompetent predecessor (as some of you may know from your help with SQL injection). To access the database through php they followed great advice, the moved the the password and username off of the page that it is accessed on in an include file. Which is all good and well but they did not move it off the accessable server, as in you can get it to display in plain text by going to www.domainName.com/include/first.inc (domainName is not the real name obviously) and it quiet nicely has the password for the database up there.

     There are too many pages pointing to that inc file to change all of them, is there a way I can prevent access to that entire folder? Ofcourse the webpages will still need to access it.



  • This is less PHP and more Apache / IIS administration. The problem is that preventing access to that folder may prevent PHP from accessing that file, which would defeat the purpose.

    Your best bet is to move the file such that it is not in a web-accessible directory. If you think it's not a good idea (due to *so* many files pointing to that file) you could set up a secondary indirection -- keep that file that's pointed to by so many files, but move the username/password to a non- web-accessible file. The original file would then require the non- web-accessible file. Yes, it's a hack, but it would solve your problem.

     

    Actually, depending on your setup it may be best to just drop the username/password altogether and only allow access to your database from your webserver. I know MySQL and SQL Server are capable of doing exactly that. I'm not 100% certain about Oracle, but I assume so.



  • <Files ~ "\.inc$">
      Order deny, allow
      Deny from all
    </Files> 

    Your mileage may vary. Blocks access through the web server to any URL whose corresponding file ends in .inc.  PHP's include and require functions should still be able to access them through the filesystem.



  • If your using IIS, check out URLScan as it will do the same thing as the Apache sample.  I think it is part of the IIS Lockdown toolset.



  • @Whiskey Tango Foxtrot? Over. said:

    Actually, depending on your setup it may be best to just drop the username/password altogether and only allow access to your database from your webserver. I know MySQL and SQL Server are capable of doing exactly that. I'm not 100% certain about Oracle, but I assume so.

    Allowing access only from your webserver is generaly a good idea. Dropping the authentication isnt good practice though imho; You dont want somebody to have full DB access if you webserver is somehow compromised.

    I generaly setup 2 user accounts for websites; One user account which has only READ rights on the applicable DB tables, and one who can also MODIFY data (but not DROP tables) for CMS features.



  • can I put the:

    <Files ~ "\.inc$">
      Order deny, allow
      Deny from all
    </Files> 

    in the htaccess?



  • I don't have much access to the server because we're using www.awardspace.com to host it (I wouldn't recommend it, doesn't even allow servlets).

     

    Note: Why do  Ihave about a minute to edit my posts? I turn around and I cannot edit them anymore?



  • I recommend using a quick find in files to change all the .inc to .inc.php so it gets parsed when you try to open it. Sounds like the only sollution you have with that limited access to the server.



  • @malfist said:

    can I put the:

    <Files ~ "\.inc$">
      Order deny, allow
      Deny from all
    </Files> 

    in the htaccess?

    Yes.  Here's the documentation, which lists what contexts a <Files> block is allowed in.



  • Throws Error 500, cannot change my file permisions with awardspace for some reason (except though upload and FTP manager and I can't install an FTP manager on the school computers). I can only set it to 755 if I upload but windows will not let me save it as .htaccess, stupid stupid windows. Just wait until I get to my home computer with Ubuntu!



  • @malfist said:

    windows will not let me save it as .htaccess, stupid stupid windows. Just wait until I get to my home computer with Ubuntu!

    Use your shell and use either [b] edit[/b] or create the file under another filename and use [b]mv[/b] to rename it to .htaccess



  • @kroesjnov said:

    @malfist said:

    windows will not let me save it as .htaccess, stupid stupid windows. Just wait until I get to my home computer with Ubuntu!

    Use your shell and use either [b] edit[/b] or create the file under another filename and use [b]mv[/b] to rename it to .htaccess

    My trick is to create it with my FTP client. You can't CREATE such a file in windows, but if the file is already there, it will happily display it.



  • Now I have the notepad icon just floating with no name beneith it. Thanks, it should work now.



  • Still throwing 500 error

    Permissions are: -rwxr-xr-x



  • 500 Internal Server Error that only appears when there's an .htaccess file almost invariably means there's a syntax error in the htaccess file somewhere.  Paste the file, exactly as it appears, to a post here.

    My file up there (which you may have copy and pasted) wasn't tested... I put a space between "deny," and "allow", which isn't actually allowed there.  It treats "deny,allow" as one word.  Remove the space.
     



  • RemoveHandler .htm .html
    DirectoryIndex index.html index.php index.html.var
    <Files ~ ".inc$">
      Order deny, allow
      Deny from all
    </Files>



  • RemoveHandler .htm .html <-- pardon me?  Does your host do something weird with "plain" HTML files?

    Anyways, I see you did just copy and paste my config... I apologize for giving you bad code to copy and paste.  Try this:

    <Files ~ "\.inc$">
      Order deny,allow
      Deny from all
    </Files>

    (Note the lack of space between deny and allow.) 



  • I didn't add that line, it was already there, either my partner or the host put it in. The other line I did add so it would parse the index.php as the index of the folder (there was no index.html) Thanks, I'll check it tomorrow.



  • I<FONT face="Times New Roman" size=3>t works, thank you for your help.</FONT>


Log in to reply