Apache: security against the LFI
Hi,
I searched and tried a lot of things, but nothing works. My website is in the /var/www/web directory. If I have a php file like this on my website:
Code:
<?php
But in the configuration file of Apache, I have this:
Code:
DocumentRoot /var/www/web/
So my question is: How can I "block" my website into /var/www/web and disallow php from going into the parent directory? Thanks all for your response!

You've posted the section of httpd.conf that deals with /var/www and /var/www/web. Can you post the section that configures the / directory?

Thanks for your response.
This is my config file:
Code:
<VirtualHost *:80>
Thanks for the help!

PHP is a server side scripting language. Its code runs completely on the server and thus is not bound by the restrictions in your Apache conf (after all it's a program on the server trying to request the passwd file). This is why it is very important to make sure that PHP and other such applications are coded correctly so that stuff like this cannot happen. You might want to look at some of the safe_mode restrictions in the php.ini file and check what options you have to enhance security. Unfortunately I have not coded PHP since the 4.3 days, so I'm out of date with what the current suggested best practices for this are.
Ok, thanks a lot. I was wrong, I searched in Apache, but it's in PHP. The option "open_basedir" in php.ini works very well. More information here.
Many thanks!!!
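
The two layers this thread arrives at, PHP code that confines the path it opens plus the open_basedir setting, shown together as an added example (not code from any poster). The temp-directory layout, the file names and the resolve_page() helper are constructed for illustration.

```php
<?php
// Added example, not code from the thread. All paths and names are constructed.

/**
 * Resolve a user-supplied page name to a file inside $baseDir.
 * Returns the canonical path, or null if it falls outside $baseDir.
 */
function resolve_page(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; it returns false
    // when the target does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The resolved path must sit under the base directory. Comparing with a
    // trailing separator keeps "/var/www/web2" from matching "/var/www/web".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sandbox standing in for /var/www/web and its parent directory.
$root = realpath(sys_get_temp_dir()) . '/lfi_demo_' . getmypid();
@mkdir("$root/web/pages", 0700, true);
file_put_contents("$root/web/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/secret.txt", "outside the web root");

// Layer 1: the application refuses any name that resolves outside the web root.
$requests = ['pages/home.php', '../secret.txt', 'pages/../../secret.txt', '/etc/passwd'];
foreach ($requests as $req) {
    $path = resolve_page("$root/web", $req);
    printf("%-26s => %s\n", $req, $path === null ? 'rejected' : 'allowed');
}

// Layer 2: open_basedir, the php.ini option named in the thread, tightened here
// at runtime so the example is self-contained. PHP itself then refuses the read.
ini_set('open_basedir', "$root/web/");
$data = @file_get_contents("$root/secret.txt");
printf("%-26s => %s\n", 'read outside open_basedir', $data === false ? 'blocked' : 'allowed');
```

On a real server the open_basedir value belongs in php.ini or the virtual host configuration rather than in the script, so application code cannot skip it.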