Bytes | Software Development & Data Engineering Community
directory security question

This is a PHP question that came up while working with SquirrelMail.
I read an installation procedure that suggested moving several
directories out of web space. Two of them make sense, but the third
directory houses configuration options in .php files. If the web server
is properly optioned to serve .php files (by executing PHP and serving
the result), is there any reason to place this write-protected directory
outside of web space? There is no way for someone to see anything
inside "<?php" and "?>", right?

Thanks,
Bill
Apr 11 '06 #1
> This is a PHP question that came up while working with SquirrelMail.
> I read an installation procedure that suggested moving several
> directories out of web space. Two of them make sense, but the third
> directory houses configuration options in .php files. If the web server
> is properly optioned to serve .php files (by executing PHP and serving
> the result), is there any reason to place this write-protected directory
> outside of web space? There is no way for someone to see anything
> inside "<?php" and "?>", right?

True if PHP is correctly configured and working, but it can happen if:

(1) You lose the Apache directives that cause it to treat .php files
as PHP (say, during an upgrade of Apache).
(2) The PHP extension shared library gets deleted after a messy power
brownout crash and subsequent fsck, and Apache can't load PHP.
or
(3) Briefly during an upgrade of PHP.

You really ought to shut down Apache during upgrades of Apache or PHP
but sometimes admins forget.

"The files are secure if PHP is working" is less secure than "The
files are secure if PHP is working (inside PHP section) and the
files are secure if PHP is not working (outside document tree)".

Gordon L. Burditt
Apr 11 '06 #2
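As an added illustration (not part of the thread, and not SquirrelMail's own tooling), the following POSIX shell functions check the two conditions the reply above rests on: that the config directory really sits outside the DocumentRoot, and that a fetched .php URL comes back as executed output rather than raw source. The path names and the URL in the guarded usage block at the bottom are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from SquirrelMail.
# Post-upgrade sanity checks for the "PHP stopped being executed" failure
# modes discussed above (lost handler directive, missing module, mid-upgrade).

# Return 0 if directory $1 lies inside document root $2, 1 if it does not,
# 2 if either directory is missing. Paths are normalised logically
# (".." and trailing "/" removed) because that is how Apache maps a URL
# onto the filesystem; symlink targets are deliberately not resolved.
is_under_docroot() {
    path=$(cd "$1" 2>/dev/null && pwd -L) || return 2
    root=$(cd "$2" 2>/dev/null && pwd -L) || return 2
    case "$path" in
        "$root"|"$root"/*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Return 0 if an HTTP response body looks like un-executed PHP source.
# A working PHP handler never emits the opening "<?php" tag; if it appears
# in the body, the server is handing out the file verbatim.
body_leaks_php_source() {
    printf '%s' "$1" | grep -q '<?php'
}

# Fetch $1 with curl and report whether the body leaked PHP source.
# Returns 0 (clean), 1 (leak), 2 (fetch failed). A 403/404 error page
# contains no "<?php" and is treated as clean, which is the desired
# outcome for a blocked directory.
check_url() {
    url=$1
    body=$(curl -s "$url") || return 2
    if body_leaks_php_source "$body"; then
        echo "LEAK: $url serves raw PHP source" >&2
        return 1
    fi
    echo "ok: $url" >&2
    return 0
}

# Usage (assumed paths/URL):
#   sh check.sh /var/www/html/squirrelmail/config /var/www/html
#   sh check.sh http://mail.example.test/squirrelmail/config/config.php
if [ "$#" -eq 2 ]; then
    if is_under_docroot "$1" "$2"; then
        echo "WARNING: $1 is inside DocumentRoot $2" >&2
        exit 1
    fi
    echo "ok: $1 is outside DocumentRoot $2" >&2
elif [ "$#" -eq 1 ]; then
    check_url "$1"
fi
```

Run the directory check after moving the config directory, and the URL check against every .php file that is still inside web space immediately after any Apache or PHP upgrade; a non-zero exit from either is the situation the reply warns about.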
The odds of one of the scenarios mentioned AND someone trying to
compromise the options at the same time seem pretty low. Couple that
with the fact that the config files aren't holding anything too risky,
and it sounds like keeping the config directory in web space outweighs
editing every file that reads them (now and with every update).

Thanks,
Bill
Apr 12 '06 #3
You could be unlucky and have googlebot cache the page at an
inopportune moment.

Apr 12 '06 #4
