[Phplogcon-dev] not allow certain files to be accessed

Brian Shea bgshea at gmail.com
Wed Dec 7 16:58:00 CET 2005


Ah, that would be a problem. Easily fixed with a config setting or checking
the os environment.

Nor do I, but why let someone else find it and exploit it if one does
exist!!!

This is more for the type of files i use in 1.2.4_bgs where all the Auth is
done in index.php and each page is loaded by an include statement.

I'm just so used to having them there that I feel better with them.



On 12/7/05, Michael Meckelein <mmeckelein at hq.adiscon.com> wrote:
>
> Brian,
>
> This approach works only in a Linux environment. Note that Windows uses
> \ instead of Linux's / for directory browsing.
>
> E.g. file in
> - windows: c:\webserver\phplogcon\config.php
> - linux: /var/www/phplogcon/config.php
>
> Furthermore, I have to admit that I am not aware of an actual security
> issue from accessing those files directly via URL. Of course it is not
> intended to call files like config.php directly. Prohibiting direct access to
> files which are not intended to be accessed directly is of course a
> good security concept. But maybe I overlook a security issue with the
> current (without your check) approach?
>
> Michael
>
> > -----Original Message-----
> > From: phplogcon-dev-bounces at lists.adiscon.com [mailto:phplogcon-dev-
> > bounces at lists.adiscon.com] On Behalf Of Brian Shea
> > Sent: Wednesday, December 07, 2005 6:36 AM
> > To: phplogcon-dev at lists.adiscon.com
> > Subject: Re: [Phplogcon-dev] not allow certain files to be accessed
> >
> > Michael, here is the code section that will disallow access to php
> files
> > from the URL.
> >
> > It basically looks at the file name in $_SERVER['SCRIPT_NAME'] to see if
> > it matches itself.
> >
> > // BGS -- do not allow access from URL
> > $filename =  substr(__FILE__, strrpos( __FILE__, "/" ));
> > $requestname = substr($_SERVER['SCRIPT_NAME'], strrpos(
> > $_SERVER['SCRIPT_NAME'], "/" ));
> >
> > if( $filename == $requestname )
> > {
> >     session_unset();
> >     header("Location: ../index.php");
> >     exit;
> > }
> > // BGS end
> >
> >
> >
> > On 12/6/05, Brian Shea <bgshea at gmail.com> wrote:
> > >
> > > The code is just below the GNU license marked with
> > >
> > > // BGS --
> > >
> > > // BGS end
> > >
> > > the first section is the trailing '/' (slash) removal, the second section
> > > is the disallow. I don't have the code in front of me to look at.
> > >
> > >
> > > On 12/6/05, Michael Meckelein <mmeckelein at hq.adiscon.com> wrote:
> > > >
> > > > Hi Brian,
> > > >
> > > > I need your help. Please can you point me to where I can find the
> > > > following modification?
> > > >
> > > > > added php code to not allow certain files to be accessed by the
> > > > > URL!!! esp. include.php and config.php
> > > >
> > > > Thank you.
> > > >
> > > > Best regards,
> > > > Michael
> > > > _______________________________________________
> > > > Phplogcon-dev mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > > >
> > >
> > >
>
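A portable version of the check discussed in this thread, added here as an example; it is not phplogcon's code and not the patch Brian posted. It assumes PHP 7.1 or later, a marker constant named IN_PHPLOGCON that index.php defines before including anything, and a file guard.php holding the functions; the constant name and the file name are assumptions for the example, not names from the project.

```php
<?php
// Added example, not phplogcon code: a guard for files that are only meant to be
// include()d (config.php, include.php, ...), working on both Linux and Windows.
//
// Why the posted check is Linux-only: on Windows __FILE__ looks like
// c:\webserver\phplogcon\config.php, so strrpos(__FILE__, "/") returns false,
// substr(__FILE__, false) returns the whole path, and the comparison with
// "/config.php" (taken from SCRIPT_NAME, which is a URL path) is never true.
// The check then silently never fires.

// Check 1: is this file being executed as the requested script itself?
// basename() understands both "/" and "\" on Windows, and SCRIPT_FILENAME is a
// filesystem path like __FILE__ (SCRIPT_NAME is the URL path). realpath()
// resolves symlinks and "..", so two spellings of the same file compare equal.
function isRequestedDirectly(string $includedFile, array $server): bool
{
    if (empty($server['SCRIPT_FILENAME'])) {
        return false; // CLI or unusual SAPI: there is no URL to be reached from
    }
    $requested = realpath($server['SCRIPT_FILENAME']);
    $included  = realpath($includedFile);
    if ($requested !== false && $included !== false) {
        return $requested === $included;
    }
    // realpath() can fail (open_basedir, unreadable path); fall back to the
    // file name only. strcasecmp errs towards blocking on case-insensitive
    // Windows filesystems.
    return strcasecmp(basename($server['SCRIPT_FILENAME']), basename($includedFile)) === 0;
}

// Check 2: the "config setting" variant. index.php defines a marker constant
// before including anything; an include-only file refuses to run without it.
// This needs no path handling at all. IN_PHPLOGCON is an assumed name.
function includedFromEntryPoint(): bool
{
    return defined('IN_PHPLOGCON') && IN_PHPLOGCON === true;
}

// Call this at the top of every include-only file, right after the licence header.
function denyDirectAccess(string $includedFile): void
{
    if (!isRequestedDirectly($includedFile, $_SERVER) && includedFromEntryPoint()) {
        return; // legitimately included by index.php
    }
    // Drop any session state set up so far, then refuse. A 403 is used instead
    // of a Location redirect because it cannot loop and does not depend on how
    // deep in the directory tree the include file lives ("../index.php").
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_unset();
    }
    http_response_code(403);
    exit;
}

// --- Usage ----------------------------------------------------------------
// index.php (entry point, where all the Auth is done):
//     define('IN_PHPLOGCON', true);
//     require_once __DIR__ . '/guard.php';   // assumed file holding the functions above
//     require_once __DIR__ . '/config.php';
//
// config.php / include.php (include-only files), first lines after the licence:
//     require_once __DIR__ . '/guard.php';
//     denyDirectAccess(__FILE__);
```

Either check alone is sufficient; the constant check is the simpler one to keep correct across platforms, while the path check also catches an include-only file being pulled in by some script other than index.php. Directly requesting a file like config.php normally just executes it and prints nothing, so the practical gain is defence in depth: an include file that expects variables set by index.php can otherwise emit PHP notices containing filesystem paths when display_errors is on, and a future change to such a file that adds output or side effects is no longer reachable by URL.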