[SOLVED] Apache: security against the LFI

gagou7 · 06-11-2010, 05:34 PM

Hi,

I search and try a lot of thing, but nothing works. My website is in the /var/www/web directory. If I have a php file like this on my website:

Code:

<?php
include('$_GET[page]');
?>

we can see the passwd file when I do index.php?page=../../../etc/passwd

But in the configuration file of Apache, I have this:

Code:

        DocumentRoot /var/www/web/
        <Directory /var/www/>
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>
        <Directory /var/www/web/>
                Options -Includes -Indexes -FollowSymLinks -ExecCGI MultiViews
                Order Allow,Deny
                AllowOverride None
                Allow from all
        </Directory>

Why can I go to parent directory when I configure "Deny from all" for /var/www?

So my question is: How to "block" my website into /var/www/web and disallow php to go in parent directory?

Thank all for your response !

carltm · 06-12-2010, 05:53 AM

You've posted the section of httpd.conf that deals with /var/www and
/var/www/web. Can you post the section that configures the / directory?

gagou7 · 06-12-2010, 02:34 PM

Thank's for your response.

This is my config file:

Code:

<VirtualHost *:80>

        DocumentRoot /var/www/web/

        <Directory />
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>

        <Directory /var/>
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>

        <Directory /var/www/>
                Options None
                Order Deny,Allow
                AllowOverride None
                Deny from all
        </Directory>

        <Directory /var/www/web/>
                Options -Includes -Indexes -FollowSymLinks -ExecCGI MultiViews
                Order Allow,Deny
                AllowOverride None
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/www.----.ch-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/www.---.ch-access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
        AccessFileName .httpdoverride
        <Files ~ "^\.ht">
                Order Allow,Deny
                Deny from all
                Satisfy All
        </Files>
</VirtualHost>

I think the solution is in this config file but I don't know...maybe it's an option in php.ini?

Thank's for help !

btmiller · 06-12-2010, 02:43 PM

PHP is a server side scripting language. Its code runs completely on the server and thus is not bound by the restrictions in your Apache conf (after all it's a program on the server trying to request the passwd file). This is why it is very important to make sure that PHP and other such applications are coded correctly so that stuff like this cannot happen. You might want to look at some of the safe_mode restrictions in the php.ini file and check what options you have to enhance security. Unfortunately I have not coded PHP since the 4.3 days, so I'm out of date with what the current suggested best practices for this are.

gagou7 · 06-12-2010, 05:55 PM

Ok, thank's a lot. I was wrong, I searched in Apache, but it's in PHP. The option "open_basedir" in php.ini works very good. More information here.

Many thank's !!!