On Sat, April 14, 2007 10:47 am, tedd wrote:
> At 4:56 PM -0500 4/13/07, Richard Lynch wrote:
>> Put the files outside the webtree, and have a PHP script that controls
>> access and is your gate-keeper.
>
> Richard:
>
> How secure is this:

I can't answer that question definitely just looking from the outside in...

A deadbolt may look secure from the outside, but if it's balsa-wood behind the locked door, that deadbolt ain't worth squat. :-)

> http://sperling.com/a/pw
>
> There are seven files there, namely:
>
> http://sperling.com/a/pw/.htaccess
> http://sperling.com/a/pw/a.php
> http://sperling.com/a/pw/b.php
> http://sperling.com/a/pw/auth.php
> http://sperling.com/a/pw/index.php
> http://sperling.com/a/pw/girl.gif <-- not protected.
> http://sperling.com/a/pw/girl.jpg <-- protected, but well worth the
> effort.
>
> Are any of these files accessible, even when you know the path? And
> by "accessible" I mean can you obtain any information that the files
> contain?

index.php is also accessible, if I can guess the login, which I did on my first try...

a.php is also then accessible.

I can then visit b.php and auth.php, which do not seem to generate output.

girl.jpg remains inaccessible, however, afaict.

> For example, if I were to tell people to store their user id and
> password in a configuration php file with a known path, would it be
> safe? I realize that if the server is breached then nothing is safe,
> but barring that -- how safe would that be?

Consider the following scenarios:

SCENARIO #1

Your webhost is about to go out of business, and you tar up your site in a super big hurry, and slam it into a new server. Whew! You check it out, and it works, and you toddle off to bed exhausted.

Turns out, though, that the .htaccess files didn't get into your tarball, because you forgot that you needed to add them explicitly.

So a bunch of stuff in your webtree on your shiny new server is wide open.

Yes, this has really happened. To me.
Fortunately, I had other stuff in .htaccess that made it obvious that something was wrong, and the window of opportunity was short, but there it is. And it wasn't like the world was gonna end or anybody's money was at risk or even any personal info, really. But still...

SCENARIO #2

The server admin (possibly you, possibly not) upgrades Apache, and somehow manages to not install PHP. Or, perhaps, doesn't use the same extensions (.php3 anybody?) for PHP. Or, perhaps, messes up that line and forgets to add the .html you've grown accustomed to being passed through PHP.

Any one of these can suddenly expose your password to the whole Internet.

These are things that should not happen, but have happened, and will happen again, to somebody somewhere.

If you put the stuff you want to keep private OUTSIDE the web-tree, and provide a PHP gate-keeper to get to it, you reduce your risk.

It's a lot harder to screw up bad enough to configure Apache to start serving up files directly from a "private" directory.

I won't say nobody has ever managed to do that. In fact, I'm sure somebody somewhere has managed it with a +FollowSymLinks and then putting a symlink in the web tree out to the private dir, because they didn't know how to work PHP's include_path... But it takes a lot more work to mess that up than a simple common typo.

So it's not about whether I can get to the stuff NOW.

It's about whether things could EASILY go wrong enough that I could get to the stuff tomorrow.

Let's also consider the case of my visiting b.php and auth.php.

In this small tiny sample application, it's unlikely that either of those do anything "interesting" enough when I visit them out of sequence.

However, in a LARGE application, if the user visits a .php file completely out of sequence from any QA process you have ever run, because they are surfing to random .php files to try and "break" your application, what happens?
A: PHP code is executed completely out of context, in a manner you have never ever tested at all, much less subjected to any kind of formal QA process.

In essence, the visitor is running code that you've never even tried, at least not in that particular environment.

As code grows and accretes more and more cruft, and a large complex web application emerges, can you really guarantee that the user running some arbitrary chunk of PHP code out of sequence like that is never ever going to be a problem?

Use PHP's include_path and get the include files OUT of your webtree.

PS
I'm assuming that you intended it to be easy to guess the login for the HTTP Basic Authentication... :-)

PPS
Nice photo! :-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
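
The gate-keeper arrangement recommended in the message above, sketched as an added example (not code from the original message or from the site it discusses). The paths under /home/site, the `file` query parameter and the `$_SESSION['user_id']` login marker are assumptions made for illustration.

```php
<?php
// gate.php: the only script that lives INSIDE the web tree.
// Assumed (hypothetical) layout:
//   /home/site/public_html/gate.php   <- web-reachable
//   /home/site/private/files/         <- NOT web-reachable, protected files
//   /home/site/private/config.php     <- credentials, loaded via include_path
declare(strict_types=1);

const PRIVATE_DIR = '/home/site/private/files';

// Map a requested name to a real file under $baseDir, or null if not allowed.
function resolve_private_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '') {
        return null;
    }
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    // realpath() follows symlinks, so insist the result is still inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false
        || strncmp($candidate, $prefix, strlen($prefix)) !== 0
        || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

session_start();
if (empty($_SESSION['user_id'])) {   // assumed to be set by your own login code
    http_response_code(403);
    exit('Forbidden');
}

$req  = $_GET['file'] ?? '';
$path = is_string($req) ? resolve_private_file(PRIVATE_DIR, $req) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// finfo needs the fileinfo extension (assumed enabled).
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this layout, a lost .htaccess or a server that stops running PHP shows a visitor only the source of gate.php, which holds no credentials, while the protected files and config.php stay where Apache does not serve them directly unless an alias or symlink is pointed at that directory.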