LinuxQuestions.org - Linux - Newbie
Apache: security against the LFI (https://www.linuxquestions.org/questions/linux-newbie-8/apache-security-against-the-lfi-813626/)

gagou7 06-11-2010 05:34 PM

Apache: security against the LFI
 
Hi,

I have searched and tried a lot of things, but nothing works. My website is in the /var/www/web directory. If I have a PHP file like this on my website:
Code:

<?php
// Deliberately vulnerable: the request parameter goes straight into include()
include($_GET['page']);
?>

we can see the passwd file when I request index.php?page=../../../etc/passwd

But in the configuration file of Apache, I have this:

Code:

        DocumentRoot /var/www/web/
        <Directory /var/www/>
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>
        <Directory /var/www/web/>
                # when any option carries + or -, every option must
                Options -Includes -Indexes -FollowSymLinks -ExecCGI +MultiViews
                Order Allow,Deny
                AllowOverride None
                Allow from all
        </Directory>

Why can I go to the parent directory when I configure "Deny from all" for /var/www?

So my question is: how do I "block" my website inside /var/www/web and disallow PHP from going to the parent directory?

Thanks all for your responses!
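Added example, not part of the original thread or of the poster's site: the include() from the first post next to a hardened version of the same page dispatcher. The fix happens in the application, because Apache's <Directory> rules only govern HTTP requests and never see the files PHP opens on the server's behalf. The page names in the allowlist, the pages/ subdirectory and the /var/www/web document root are assumptions taken from the thread's paths; PHP 7.1 or later is assumed for the type declarations.

```php
<?php
// Added example (not from the original post). Paths and page names are assumptions.

// Vulnerable form from the thread: the request parameter is passed straight to
// include(), so ?page=../../../etc/passwd walks out of the document root.
function render_vulnerable(array $get): void
{
    include($get['page']);
}

// Hardened, layer 1: map the request parameter onto a fixed allowlist of pages.
// Anything that is not a key in this map is rejected before any filesystem call.
function pages(): array
{
    return [
        'home'    => 'pages/home.php',     // assumed file layout
        'contact' => 'pages/contact.php',
    ];
}

function resolve_page(string $name): ?string
{
    $pages = pages();
    return $pages[$name] ?? null;
}

// Hardened, layer 2 (defence in depth): even for an allowlisted entry, require
// that the canonical path stays under the document root. realpath() resolves
// ../ segments and symlinks, and returns false when the file does not exist.
function path_inside(string $path, string $base): bool
{
    $real     = realpath($path);
    $realBase = realpath($base);
    if ($real === false || $realBase === false) {
        return false;
    }
    $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $realBase, strlen($realBase)) === 0;
}

function render_hardened(array $get, string $docroot): void
{
    $rel  = resolve_page($get['page'] ?? 'home');
    $full = ($rel === null) ? false : realpath($docroot . '/' . $rel);
    if ($full === false) {                 // not allowlisted, or file missing
        http_response_code(404);
        echo "No such page\n";
        return;
    }
    if (!path_inside($full, $docroot)) {   // allowlist entry escaped the root
        http_response_code(403);
        echo "Forbidden\n";
        return;
    }
    include $full;
}

render_hardened($_GET, '/var/www/web');
```

The allowlist alone closes the hole in the thread; the realpath() containment check is there so that a later, careless edit to the map (an entry pointing at ../config.php, or a symlink dropped into pages/) still cannot serve anything outside the document root.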

carltm 06-12-2010 05:53 AM

You've posted the section of httpd.conf that deals with /var/www and
/var/www/web. Can you post the section that configures the / directory?

gagou7 06-12-2010 02:34 PM

Thanks for your response.

This is my config file:

Code:

<VirtualHost *:80>

        DocumentRoot /var/www/web/

        <Directory />
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>

        <Directory /var/>
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>

        <Directory /var/www/>
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>

        <Directory /var/www/web/>
                # when any option carries + or -, every option must
                Options -Includes -Indexes -FollowSymLinks -ExecCGI +MultiViews
                Order Allow,Deny
                AllowOverride None
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/www.----.ch-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/www.---.ch-access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
        AccessFileName .httpdoverride
        <Files ~ "^\.ht">
                Order Allow,Deny
                Deny from all
                Satisfy All
        </Files>
</VirtualHost>

I think the solution is in this config file, but I don't know... maybe it's an option in php.ini?

Thanks for the help!

btmiller 06-12-2010 02:43 PM

PHP is a server side scripting language. Its code runs completely on the server and thus is not bound by the restrictions in your Apache conf (after all it's a program on the server trying to request the passwd file). This is why it is very important to make sure that PHP and other such applications are coded correctly so that stuff like this cannot happen. You might want to look at some of the safe_mode restrictions in the php.ini file and check what options you have to enhance security. Unfortunately I have not coded PHP since the 4.3 days, so I'm out of date with what the current suggested best practices for this are.

gagou7 06-12-2010 05:55 PM

OK, thanks a lot. I was wrong: I searched in Apache, but it's in PHP. The option "open_basedir" in php.ini works very well. More information here.

Many thanks!!!
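Added example, not from the thread: what the open_basedir setting that gagou7 settled on does to a read of /etc/passwd, the file from the first post. The script narrows open_basedir at runtime to its own directory so it can be run from the command line as `php open_basedir_demo.php`; the file name and that choice of base directory are assumptions. On a real server the directive belongs in php.ini or, with mod_php, in the vhost as `php_admin_value open_basedir "/var/www/web/:/tmp/"`, so that scripts cannot change it at all.

```php
<?php
// Added example (not from the original thread). Run: php open_basedir_demo.php

// Narrow open_basedir at runtime. Since PHP 5.3 it can be tightened but never
// widened once set, so a value already imposed by php.ini or the vhost wins.
function restrict_to(string $dir): bool
{
    return ini_set('open_basedir', $dir) !== false;
}

// Try to open a file for reading and report whether PHP allowed it. fopen()
// is used instead of include() so nothing is executed; @ hides the
// "open_basedir restriction in effect" warning that PHP emits on refusal.
function can_open(string $path): bool
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    fclose($fh);
    return true;
}

function report(string $label, string $path): void
{
    echo $label, ': ', can_open($path) ? 'readable' : 'not readable', "\n";
}

$base      = __DIR__;                          // assumed base directory
$target    = '/etc/passwd';                    // the file from the first post
$traversal = $base . '/../../../etc/passwd';   // the payload from the first post

// Without open_basedir, PHP reads anything the web server's user may read.
report("Before restriction, $target", $target);

if (!restrict_to($base)) {
    fwrite(STDERR, "open_basedir is already set and cannot be narrowed to $base\n");
    exit(1);
}

// With open_basedir in effect the absolute path and the ../ traversal are both
// refused; a file inside the base directory is still accessible.
report("After restriction to $base, $target", $target);
report("After restriction to $base, $traversal", $traversal);
report("After restriction to $base, own file", __FILE__);
```

open_basedir is a safety net, not a substitute for the allowlist: it checks the resolved path of every file PHP opens against the configured prefixes, so the traversal from the first post fails even though the include() itself is still wrong, but any file under /var/www/web (configuration with credentials, uploaded content) remains reachable through the same parameter.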
