LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-11-2010, 05:34 PM   #1
gagou7
LQ Newbie
 
Registered: Sep 2009
Distribution: Ubuntu 9.04 / Debian 5.0 / Backtrack 3
Posts: 27

Rep: Reputation: 0
Apache: security against the LFI


Hi,

I search and try a lot of thing, but nothing works. My website is in the /var/www/web directory. If I have a php file like this on my website:
Code:
<?php
include('$_GET[page]');
?>
we can see the passwd file when I do index.php?page=../../../etc/passwd

But in the configuration file of Apache, I have this:

Code:
        DocumentRoot /var/www/web/
        <Directory /var/www/>
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>
        <Directory /var/www/web/>
                Options -Includes -Indexes -FollowSymLinks -ExecCGI MultiViews
                Order Allow,Deny
                AllowOverride None
                Allow from all
        </Directory>
Why can I go to parent directory when I configure "Deny from all" for /var/www?

So my question is: How to "block" my website into /var/www/web and disallow php to go in parent directory?

Thank all for your response !

Last edited by gagou7; 06-12-2010 at 05:56 PM.
 
Old 06-12-2010, 05:53 AM   #2
carltm
Member
 
Registered: Jan 2007
Location: Canton, MI
Distribution: CentOS, SuSE, Red Hat, Debian, etc.
Posts: 703

Rep: Reputation: 97
You've posted the section of httpd.conf that deals with /var/www and
/var/www/web. Can you post the section that configures the / directory?
 
Old 06-12-2010, 02:34 PM   #3
gagou7
LQ Newbie
 
Registered: Sep 2009
Distribution: Ubuntu 9.04 / Debian 5.0 / Backtrack 3
Posts: 27

Original Poster
Rep: Reputation: 0
Thank's for your response.

This is my config file:

Code:
<VirtualHost *:80>

        DocumentRoot /var/www/web/

        <Directory />
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>

        <Directory /var/>
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>

        <Directory /var/www/>
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>

        <Directory /var/www/web/>
                Options -Includes -Indexes -FollowSymLinks -ExecCGI MultiViews
                Order Allow,Deny
                AllowOverride None
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/www.----.ch-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/www.---.ch-access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
        AccessFileName .httpdoverride
        <Files ~ "^\.ht">
                Order Allow,Deny
                Deny from all
                Satisfy All
        </Files>
</VirtualHost>
I think the solution is in this config file but I don't know...maybe it's an option in php.ini?

Thank's for help !

Last edited by gagou7; 06-12-2010 at 02:37 PM.
 
Old 06-12-2010, 02:43 PM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,284

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
PHP is a server side scripting language. Its code runs completely on the server and thus is not bound by the restrictions in your Apache conf (after all it's a program on the server trying to request the passwd file). This is why it is very important to make sure that PHP and other such applications are coded correctly so that stuff like this cannot happen. You might want to look at some of the safe_mode restrictions in the php.ini file and check what options you have to enhance security. Unfortunately I have not coded PHP since the 4.3 days, so I'm out of date with what the current suggested best practices for this are.
 
Old 06-12-2010, 05:55 PM   #5
gagou7
LQ Newbie
 
Registered: Sep 2009
Distribution: Ubuntu 9.04 / Debian 5.0 / Backtrack 3
Posts: 27

Original Poster
Rep: Reputation: 0
Ok, thank's a lot. I was wrong, I searched in Apache, but it's in PHP. The option "open_basedir" in php.ini works very good. More information here.

Many thank's !!!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache Security stu_mueller Linux - Software 2 06-05-2008 04:06 AM
Apache security help sridhar11 Linux - Software 2 03-06-2007 10:05 AM
Apache security ohade Mandriva 1 01-21-2006 05:24 PM
Apache security oldator1940 Linux - Security 5 10-20-2005 09:28 PM
apache security depaul Linux - Security 5 12-10-2003 12:06 PM


All times are GMT -5. The time now is 04:55 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration