Sensitive Files

From SecurePHPWiki

Common File Names

Placing your admin section in an /admin/ directory makes your application an easier target for CGI scanners, which probe for well-known paths. See Nikto.

Likewise, using standard names such as .htpasswd makes scanning for these files easier (WACT).

Storing Sensitive Information

Store files containing sensitive information, such as database credentials, outside the web root. If you use the ".inc" file extension convention, make sure the web server either denies access to such files or parses them as PHP; otherwise the file is served as plain text to anyone who requests its URL.

Beware of rules that apply \.inc$ to the whole request target: that pattern does not match file.inc?var=value. Apache's <Files>, <FilesMatch> and <Location> sections match the URL path with the query string already removed, so in those sections \.inc$ is sufficient. Note that <Location> is not permitted in .htaccess and AllowOverride is only valid in <Directory> sections, so use a <FilesMatch> block, which works in both the server config and .htaccess (assuming your server is Apache):

# Apache 2.2 access-control syntax; on Apache 2.4 replace the
# Order and Deny lines with "Require all denied".
<FilesMatch "\.inc$">
   Order Allow,Deny
   Deny from all
</FilesMatch>
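The query-string pitfall above, modelled in Python as an added example (this is not code from the SecurePHPWiki page and it is not Apache's matching code): naive_blocks() runs the .inc pattern over the raw request target, the mistake the page warns about, while blocks() matches the way Apache's path-based sections do, on the percent-decoded URL path with the query string stripped. The request targets in CASES are constructed for the example.

```python
"""Compare a deny rule for the .inc convention applied to the raw request
target against the same rule applied to the decoded URL path only."""
import re
from urllib.parse import unquote, urlsplit

# Case-insensitive so DB.INC on a case-insensitive filesystem is caught too.
INC_RULE = re.compile(r"\.inc$", re.IGNORECASE)


def naive_blocks(request_target: str) -> bool:
    """Run the pattern over the raw request target, query string included.
    This is the mistake the page warns about: db.inc?x=1 slips through."""
    return INC_RULE.search(request_target) is not None


def blocks(request_target: str) -> bool:
    """Run the pattern the way Apache's <Files>/<Location> sections do: on
    the URL path alone, percent-decoded, with the query string removed."""
    path = unquote(urlsplit(request_target).path)
    return INC_RULE.search(path) is not None


# Constructed request targets; none belong to a real site.
CASES = [
    "/lib/db.inc",
    "/lib/db.inc?var=value",
    "/lib/db%2Einc",
    "/lib/DB.INC",
    "/lib/db.php",
    "/lib/db.php?file=db.inc",
]


def compare(targets=CASES):
    """Return {target: (raw-target result, path-based result)}."""
    return {t: (naive_blocks(t), blocks(t)) for t in targets}


if __name__ == "__main__":
    for target, (naive, proper) in compare().items():
        print(f"{target:28} raw-target match: {naive!s:5} path match: {proper}")
```

The last case shows the raw-target filter failing in both directions: it misses db.inc?var=value and wrongly blocks db.php?file=db.inc.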

Revealing Source Code

PHP library files stored in the web root without the .php extension (that is, as files Apache will not hand to the PHP interpreter), or PHP source exposed through the .phps extension, can compromise sensitive data and reveal targets for attack (WACT). Without source code, attackers are limited to black-box probing, which is significantly more difficult, or at least more time-consuming, than white-box testing with the source at hand.
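A document-root audit for the problems described in this section and under "Storing Sensitive Information", written as an added example (it is not code from the SecurePHPWiki page): it flags .htpasswd and .inc files under the web root, .phps files, and any file that contains a PHP open tag but has an extension the server would serve as plain text. PHP_PARSED is an assumption about the server configuration; adjust it to match your own AddHandler/AddType lines. build_sample_root() creates a constructed tree of dummy files in a temporary directory so the audit can run offline.

```python
"""Walk a web document root and flag files that leak credentials or source."""
import os
import tempfile

# Assumed: the extensions the web server hands to the PHP interpreter.
PHP_PARSED = {".php", ".phtml"}

# Credential files that belong outside the web root altogether.
CREDENTIAL_FILES = {".htpasswd"}


def looks_like_php(path: str) -> bool:
    """Sniff the first 4 KiB of a file for a PHP open tag."""
    with open(path, "rb") as fh:
        return b"<?php" in fh.read(4096)


def classify(full_path: str, rel_path: str):
    """Return a reason if the file should not be reachable here, else None."""
    name = os.path.basename(rel_path)
    ext = os.path.splitext(name)[1].lower()
    if name in CREDENTIAL_FILES:
        return "credential file inside the web root"
    if ext == ".phps":
        return ".phps is served as syntax-highlighted PHP source"
    if ext == ".inc":
        return ".inc file: the server must deny it or parse it as PHP"
    if ext not in PHP_PARSED and looks_like_php(full_path):
        return "PHP source with an extension the server will serve as plain text"
    return None


def audit(docroot: str) -> dict:
    """Map each offending file ('/'-separated path relative to docroot) to its reason."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            reason = classify(full, rel)
            if reason:
                findings[rel] = reason
    return findings


def build_sample_root() -> str:
    """Create a constructed document root in a temp dir; every value is a dummy."""
    root = tempfile.mkdtemp(prefix="docroot-")
    sample = {
        "index.php": "<?php require __DIR__ . '/lib/db.inc';\n",
        "lib/db.inc": "<?php $db_user = 'app'; $db_pass = 'not-a-real-password';\n",
        "lib/helpers": "<?php function esc($s) { return htmlspecialchars($s); }\n",
        "admin/.htpasswd": "admin:$apr1$constructed$hashgoeshere\n",
        "index.phps": "<?php echo 'shown as source';\n",
        "css/site.css": "body { margin: 0; }\n",
    }
    for rel, content in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in sorted(audit(build_sample_root()).items()):
        print(f"{rel:20} {reason}")
```

Run it against a real document root with audit("/var/www/html") (path assumed); the sniff-based check is what catches library files that were dropped into the web root with no extension at all.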