On Tue, October 3, 2006 5:11 pm, Google Kreme wrote:

> As I understand it then, the .ht* is no less secure because, for all
> intents and purposes, it is 'outside' the webtree since Apache will
> never display it, and you need some other sort of access to the
> machine (ftp, ssh, etc) to access it. As I understand it, you can't
> even access .ht* files via webDAV.

Until somebody installs a new Apache, and doesn't merge in the correct .ht* settings.

Or Apache gets started by hand in a panic from a crashed server and reads the wrong httpd.conf file with no .ht* settings to protect your include files.

Or somebody takes out the .ht* settings, thinking they are just cruft.

Or the .htaccess file you used to protect your PHP files doesn't get put into the tarball with:

    tar cf tarball.tar *

so when you untar it on the new box to install it, your protection is *GONE*.

Or somebody turns .ht* OFF in httpd.conf to wring out more performance, but your .ht* access controls are in .htaccess in your directories.

These are only *some* of the rather obvious ways in which having the files in the webtree but protected by a configuration to Apache can go wrong. And these are *ALL* common mistakes that anybody could make without too much of a stretch in the imagination of "what could go wrong".

In fact, *MOST* of them are things I have actually seen happen... [Or, to be more precise, things I was dumb enough to do :-)]

If the files aren't in the webtree, somebody has to write a script of some kind to expose them -- which is still possible, but you have to work a little harder at it, with little or no concept of Security, to do that.

And *that* happens sometimes, but then they usually write such an appallingly bad script that /etc/passwd and everything else on the entire machine is exposed, which will probably get caught sooner than a not-quite-right configured Apache that's working "just fine".

Or somebody could come along and ADD a vhost to expose that directory, effectively putting it IN the webtree... But, you'd have to work pretty hard at being smart enough to do a vhost and dumb enough to expose your include files like that.

It's up to you; but I believe that the .ht* route is too fraught with potential common mistakes to undo the security.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
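One of the failure modes in the post above, access controls living in .htaccess while httpd.conf says AllowOverride None for that tree, can be caught by a pre-deploy check rather than by an exposed include file. The following is an added example, not code from this thread or from Apache or PHP: it runs over a constructed httpd.conf and a constructed set of .htaccess files, uses a deliberately simplified config parser (no Include files, no <Location> or <VirtualHost> scoping), and relies on the Apache rule that Order/Allow/Deny need AllowOverride Limit and Require needs AllowOverride AuthConfig.

```python
import re
# Constructed sample httpd.conf (not from any real server): the parent directory
# turns .htaccess processing off, one subtree turns it back on.
SAMPLE_HTTPD_CONF = """
<Directory "/var/www">
    AllowOverride None
</Directory>
<Directory "/var/www/site/app">
    AllowOverride AuthConfig Limit
</Directory>
"""

# Constructed {path: contents} map standing in for a walk of the document root.
SAMPLE_HTACCESS = {
    "/var/www/site/inc/.htaccess": "Order deny,allow\nDeny from all\n",
    "/var/www/site/app/lib/.htaccess": '<Files ~ "\\.inc$">\nDeny from all\n</Files>\n',
    "/var/www/site/app/.htaccess": "DirectoryIndex index.php\n",
}

DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S | re.I)
OVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.M | re.I)
# Access-control directive -> the AllowOverride group Apache needs to honour it.
NEEDS = {"order": "limit", "allow": "limit", "deny": "limit", "require": "authconfig"}

def parse_overrides(conf):
    """{directory: AllowOverride value}; Apache's default for unlisted dirs is None."""
    found = {}
    for path, body in DIR_RE.findall(conf):
        m = OVERRIDE_RE.search(body)
        found[path.rstrip("/")] = m.group(1).lower() if m else "none"
    return found

def effective_override(overrides, htaccess_path):
    """AllowOverride from the most specific <Directory> block containing the file."""
    directory = htaccess_path.rsplit("/", 1)[0]
    inside = [p for p in overrides if directory == p or directory.startswith(p + "/")]
    return overrides[max(inside, key=len)] if inside else "none"

def ignored_access_controls(conf, htaccess):
    """.htaccess files whose Deny/Require lines Apache will silently ignore."""
    overrides = parse_overrides(conf)
    ignored = []
    for path, body in htaccess.items():
        directives = {w.lower() for w in re.findall(r"^\s*(\w+)", body, re.M)}
        needed = {NEEDS[d] for d in directives if d in NEEDS}
        granted = set(effective_override(overrides, path).split())
        if needed and "all" not in granted and not needed <= granted:
            ignored.append(path)
    return ignored
```

Run against the sample data it reports /var/www/site/inc/.htaccess, whose Deny rule is dead because the governing block is AllowOverride None; the same walk belongs in the deploy script, where a missing .htaccess (the `tar cf tarball.tar *` case) also shows up as a file that is simply not there.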