
dink
Not sure if this is the right section for this, but I'm pretty sure it will be moved if there is a better place.
Wandering around in server logs yesterday when I saw an entry that chilled my shit. Somebody called for my config.inc file and it returned a code 200. That means some joker has my information, right? Now, config.inc is used on this site to access the database (mysql) for this site. It happens that the config data is used by two more sites that use the same db. So, three websites that use this db to produce dynamic pages have been (potentially) compromised. I'll have to go in and change the password for this db, then make a new config file, then change all of the pages on the three sites that use this.....yadda yadda..... Getting bored just typing this stuff. Imagine your pain reading it.

So how do I protect myself from a similar problem in the future? My first thought was to name the config something like endlessJunk.php or shitless.js. Not sure if that will provide the protection I need. What do you suggest?

perkiset
There are several ideas, but an immediate one would be to trap it in Apache... if anyone ever calls for config *anything* rewrite the URL to a Fish You page. EG:

```apache
RewriteEngine on
RewriteCond %{REQUEST_URI} config
RewriteRule ^(.*)$ http://goatse.ca/
```

*IMPORTANT NOTE - I MEAN REALLY IMPORTANT - that URL is a JOKE and is NSFW*

There are other ways in Apache's .htaccess with the Directory directives, but I am not as familiar with that. Also, you could simply include config.inc from another directory that is readable by the PHP interpreter, but not in a place where it can be accessed by the outside world. A simple example:

```php
<?php
$includeDir = '/www/privateDirUnavailableToApache';
require_once("$includeDir/config.inc");
```

Now, even though the PHP file can see it, it cannot be called - assuming that the DocumentRoot for <this website> is something like /www/mySites/thisSite

Good luck - that's a DRAG! My personal thing is to mod_rewrite EVERY request into a PHP handler - for example, main.php - and everything else becomes a GET parameter that I either understand how to handle or treat as a hack attempt.

/p

dink
> Good luck - that's a DRAG!

Thanks for that. You've spun my gears on the solution.
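
An added example, not code from the thread: a Python script that scans Apache access-log lines for the situation dink describes (a request for a config or include file answered with a 200) and separates files that were actually served from probes that were refused. The log lines are constructed, and the sensitive-path pattern (perkiset's "config anything" rule plus a few file extensions) is an assumption to adapt per site.

```python
import re
from urllib.parse import unquote

# Apache common/combined prefix: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed policy: any path mentioning "config", or ending in an extension that
# Apache typically serves as plain text instead of executing, is sensitive.
SENSITIVE_RE = re.compile(r'config|\.(inc|bak|old|sql)$', re.IGNORECASE)

def find_exposures(lines):
    """Return (leaked, probed): sensitive-file requests that were served with
    a body (2xx, non-empty) versus those that were refused or redirected."""
    leaked, probed = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        # Drop the query string and decode %xx escapes before matching, so
        # "/db%2Einc?x=1" is judged the same as "/db.inc".
        path = unquote(m["target"].split("?", 1)[0])
        if not SENSITIVE_RE.search(path):
            continue
        status = int(m["status"])
        hit = (m["host"], m["time"], path, status)
        served = 200 <= status < 300 and m["size"] not in ("-", "0")
        (leaked if served else probed).append(hit)
    return leaked, probed

# Constructed sample lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:04:11:52 +0000] "GET /config.inc HTTP/1.1" 200 412 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [01/Jan/2024:04:11:58 +0000] "GET /includes/db%2Einc?x=1 HTTP/1.1" 200 388 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [01/Jan/2024:09:30:01 +0000] "GET /config.inc HTTP/1.1" 403 210 "-" "curl/7.18"',
    '192.0.2.44 - - [01/Jan/2024:10:02:17 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    leaked, probed = find_exposures(SAMPLE_LOG)
    for host, when, path, status in leaked:
        print(f"LEAKED {path} to {host} at {when} (status {status}): rotate credentials")
    for host, when, path, status in probed:
        print(f"probe  {path} from {host} at {when} (status {status})")
```

Running it over the full log history for all three sites sharing the database shows when the file was first served and to whom, which bounds how long the old password should be treated as exposed.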
