An Important Note About .inc Files

This is just a quick note about using include files with the ".inc" file extension. It doesn't apply to JUST PHP, but to the web in general. I am posting it here in the PHP section because that is the server-side language I use, and I have noticed an abundance of ".inc" files in various projects throughout PSC.

For those who don't know, ".inc" files are nothing more than files that generally contain information you need to access from various scripts on a site. Most often they are a time-saving way of storing certain variables. A primary example is the login/password for database connections: if you change the login/password for the database, you only need to update one file.

The problem, however, is that the contents of a ".inc" file can be viewed in a browser simply by typing in its path. The web server has no interpreter associated with that extension, so it sends the file to the browser as plain text. Anyone who knows the path of your include file can therefore easily find out information that you probably didn't want them to know. To those who aren't all that concerned with security, this may not seem a big issue. For the more paranoid among us, however, it is an issue.

I'm not sure if this applies to all platforms. The server I use runs Apache on Slackware, and the SysOp is a pretty security-conscious person. Also, it could very well be just an IE6 thing, as I have not had a chance to test this in any other browser. However, I thought I would make the uninformed among you aware of this.

The best way to get around this is to simply change the file extension to ".php" (or whatever language you're using). It's that easy. Don't let your information be compromised.
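The article's point generalizes to any file under the document root that the server has no handler for. The following Python script is an added example, not code from the article or from PSC: it audits a document root for ".inc" files that would be served as plain text, treating the ".php" suffix the article recommends as "interpreted" and honouring the per-directory .htaccess denials that commenters below describe (a bare "deny from all" in an inc directory, or a FilesMatch rule for *.inc). The sample site it builds is constructed data, the directory names are hypothetical, and its reading of .htaccess directives is an approximation of Apache's merge rules (files applied from the document root down to the file's own directory, last applicable directive wins).

```python
"""Audit a document root for include files a web server would serve as text.

Added example, not part of the original article. Assumes an Apache-style
layout: a ".php" suffix means the server runs the file rather than serving
it, and .htaccess files may deny access with "Deny from all" (2.2) or
"Require all denied" (2.4), optionally scoped by <Files>/<FilesMatch>.
"""
import fnmatch
import re
import tempfile
from pathlib import Path

INTERPRETED = {".php"}      # suffixes the server hands to an interpreter
RAW_INCLUDE = {".inc"}      # suffixes that mark a file as an include file

_OPEN_RE = re.compile(r'^<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>$', re.I)
_CLOSE_RE = re.compile(r"^</(Files|FilesMatch)>$", re.I)
_DENY_RE = re.compile(r"^(Require\s+all\s+denied|Deny\s+from\s+all)$", re.I)
_ALLOW_RE = re.compile(r"^(Require\s+all\s+granted|Allow\s+from\s+all)$", re.I)


def _scope_matches(scope, filename):
    """scope is None (whole directory), ("Files", glob) or ("FilesMatch", regex)."""
    if scope is None:
        return True
    kind, arg = scope
    if kind.lower() == "files":
        return fnmatch.fnmatch(filename, arg)
    return re.search(arg, filename) is not None


def htaccess_verdict(text, filename):
    """True = denied, False = explicitly allowed, None = no directive applies."""
    verdict, scope = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN_RE.match(line)
        if opened:
            scope = (opened.group(1), opened.group(2))
        elif _CLOSE_RE.match(line):
            scope = None
        elif _scope_matches(scope, filename):
            if _DENY_RE.match(line):
                verdict = True
            elif _ALLOW_RE.match(line):
                verdict = False
    return verdict


def is_denied(docroot, path):
    """Apply every .htaccess from docroot down to the file's own directory."""
    docroot, path = Path(docroot).resolve(), Path(path).resolve()
    parts = path.relative_to(docroot).parent.parts
    denied = False
    for depth in range(len(parts) + 1):
        htaccess = docroot.joinpath(*parts[:depth]) / ".htaccess"
        if htaccess.is_file():
            verdict = htaccess_verdict(htaccess.read_text(), path.name)
            if verdict is not None:
                denied = verdict          # deeper directory overrides shallower
    return denied


def find_exposed_includes(docroot):
    """Relative paths of include files that would be served as plain text."""
    docroot = Path(docroot)
    exposed = []
    for path in docroot.rglob("*"):
        if not path.is_file():
            continue
        if not any(s.lower() in RAW_INCLUDE for s in path.suffixes):
            continue                      # not an include file at all
        if path.suffix.lower() in INTERPRETED:
            continue                      # e.g. db.inc.php: the article's fix
        if is_denied(docroot, path):
            continue                      # e.g. an inc dir with "deny from all"
        exposed.append(path.relative_to(docroot).as_posix())
    return sorted(exposed)


def build_demo_site(base):
    """Write a constructed sample tree under base; return its document root."""
    files = {
        "public/db.inc": "<?php $db_pass = 'PLACEHOLDER'; ?>",       # exposed
        "public/lib/conn.inc.php": "<?php /* parsed by PHP */ ?>",   # safe
        "public/inc/.htaccess": "Deny from all\n",                   # 2.2 form
        "public/inc/settings.inc": "host=localhost",                 # denied
        "public/inc/sub/notes.inc": "inherits the deny above",       # denied
        "public/legacy/.htaccess": '<FilesMatch "\\.inc$">\n'
                                   "    Require all denied\n"
                                   "</FilesMatch>\n",
        "public/legacy/old.inc": "matched by the FilesMatch",        # denied
        "public/legacy/readme.inc.txt": "not matched: ends in .txt", # exposed
    }
    for rel, content in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return Path(base) / "public"


def run_demo():
    """Build the sample site in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_exposed_includes(build_demo_site(tmp))


if __name__ == "__main__":
    for rel in run_demo():
        print("EXPOSED:", rel)    # db.inc and legacy/readme.inc.txt
```

Run it against a real document root with `find_exposed_includes("/path/to/htdocs")`; every path it reports is a file the server would hand to anyone who guesses or finds the URL. The readme.inc.txt case shows why a FilesMatch pattern anchored on `\.inc$` is not the same as denying everything with ".inc" in the name, and the nested notes.inc case shows that a parent directory's .htaccess already covers its subdirectories.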
Other User Comments
10/10/2002 1:12:16 AM, Dustin R Davis: I never use the .inc extension; you can get the same result with the .php extension, or .asp for that matter, or whatever else. Personally I would think this should be common sense among web developers. But I guess most PSC coders are "coding for fun" and not for professional status. I myself am a web developer and that is my job, so I am a little cautious about what I do. Good point to bring up though.
10/10/2002 2:40:55 AM, Darryl Porter: Yes, this is something that a lot of people do and is not addressed. This is a huge security risk. Thanks for putting it out there. You can see the .inc file using any browser on any system. Don't take my word on this, but I've never had a problem accessing one if I knew the path to it.
10/10/2002 8:40:17 AM: You can also configure the server to parse .inc files instead (just like ASP and PHP pages). This is a common security setting.
10/10/2002 3:02:45 PM, Charles Chadwick: I agree with you completely, Dustin. A lot of people are just coding for fun, which is fine, but they should be aware nonetheless. After all, I started out coding for fun, and it turned into an occupation.
10/10/2002 3:12:31 PM, Rob t.H.: I agree with you all. I just call those functions foobar.inc.php, and if I can, I place files with passwords outside my webroot so they can't be accessed using a web browser. Another tip is to surround your script with <!-- script --> to make the code invisible in the browser in case of a PHP crash.
10/11/2002 11:20:08 AM: asd
10/11/2002 11:23:23 AM: Same here! Had to keep the files with passwords too! Found out that anybody can download the PHP files just by creating a dummy HTML file (even on their HDs) with a link to the PHP file; when clicked, the browser will show the open or save dialog box...
10/11/2002 5:24:50 PM: .inc files are so risky, because someone can easily read the contents of a .inc file!!! I am using .php or .inc.php every time.. I have gotten some of a site's passwords that were needed for something... :)
10/12/2002 5:31:32 AM, Merlin Corey: ... then again, passwords and such should be saved in a database of some kind (such as MySQL) anyway... If you have a file extension that you use that isn't being interpreted, you should add it, as the one person said... Any file on any website that does not have a pre-set interpreter is viewable by any website as plain text (yes, even ".bla" files)... However, the ".inc" file is not really that insecure; it is "security through obscurity"... No one should know the full filename anyway (this doesn't apply if you have Apache set to display directory contents when no index is found)... Downloading an interpreted file through HTTP does *not* give you the uninterpreted version...
10/12/2002 5:34:36 AM, Merlin Corey: "viewable by any website" = "viewable by any web browser"
10/12/2002 11:55:38 AM: I kinda do it from the other way round, i.e. "inc.config.php", and inside that have a bit of code where, if a certain var doesn't exist, it'll echo something loads of times. So, when including, it'll be something like

    <? require "inc.config.php?There_is_no_way_in_the_world_ill_use_this_var=123654789"; ?>

and if it's missing, then all you'll get is spam.
10/14/2002 3:18:58 AM, magikh0e: You could also put the .inc outside of the webserver path.. Or if using Apache, make a .htaccess for the dir they are in.
10/14/2002 10:55:44 AM, VPUCEO: Since I have my server configured to interpret '.inc' as PHP, I put this code at the top of every include:

    // [INC FILE NAME] is a placeholder for the include's own file name
    if (eregi('[INC FILE NAME]', $REQUEST_URI)) {
        die();
    }

With this code, you can include it but you can't access it directly. Since the user is accessing the include through another page, it doesn't trigger the above code. It only triggers if the user tries to open the INC file directly. Hope this helps.
10/14/2002 1:04:35 PM, Martin C. Conniffe: It's about time someone aside from me noticed that :) I have for a while now found a way around it by doing two things. On MY sites, I have a dir called srv outside the public_html dir so no one outside the server can access it, and for my users who may not care as much, I have my Apache set up to not allow anyone to get .inc files (so if a user _wants_ to make an inc file available to the general public, they have to call it .inc.txt). I never considered changing them to .php but that does work just as well :)
10/14/2002 1:44:33 PM, TheGeek: So what if I do all this, but I don't have access to the server root (Apache running on a Linux server)? I can't really stick my .inc files in /usr/dude. I tried creating a dummy folder named similar to the cgi_bin dir.... The Apache config didn't like this. Any ideas on using .htaccess? I've never researched it.... thnx
10/23/2002 3:46:51 PM, Tommy: I use .inc files all the time, many of which do store very sensitive data. I've gotten around the security issue by creating a folder, "inc", and placing the files there. Inside that folder there's a file, .htaccess, which contains solely the line "deny from all". This allows scripts to access the files, but not visitors. Enjoy!
10/24/2002 3:35:23 PM: I am running IIS5 and have the same issue. I have got around it though by putting the files in a separate "INC" directory and removing permission for the IUSR & IWAM (IIS anonymous accounts)... apparently IIS uses the System account to read the files.
10/24/2002 6:07:50 PM: Or deny listings for an /inc directory, so if someone does try to view the files, they cannot get to the directory.. You can do this with Apache..
10/26/2002 3:02:07 PM: Maybe you should try some exploiters on your sites.
10/28/2002 5:29:03 AM: Oh please, that's not a security risk. If dick wads configure their .htaccess properly they can restrict access to all *.inc files, making it impossible for people to view them.
10/28/2002 5:08:21 PM, galantz: Yeah, well there's a lot of "d#ck w#ds". Go to your favorite search engine and search for "ODBC conn.inc"; you will literally see hundreds of hits. For several years, I would make money by finding people with database connections to their databases that contain private information (yes, sometimes customer credit card numbers) and would contact their IT for consultation fees... I think I cleared nearly 20,000USD with this "oversight" of "d#ck w#ds", so instead of "bitching" learn to milk it!!! :-)
11/1/2002 10:19:40 AM, James Mistry: There is one problem though: you can use leeching software like GoZilla (yes, I know it's a download manager as well) to download PHP files.