Security Issue with "view-source:"

[trmweb]

Yesterday, I was reading Kevin Yank's internet browser tip in the SitePoint.com newsletter #12 about how to view source code. Kevin stated ...

<quote>
By typing "view-source:" followed by a normal URL, you can instruct your browser to display the code for the specified file instead of loading it into the browser window!
</quote>

He also gives the example --
view-source:http://www.sitepoint.com/styles.php

My concerns about security are the MySQL database 'config' files that contain the database name and database password. It appears that these files can be viewed directly with this method if you know what the name might be.

I invite comments regarding this issue or experience in this area. I'm concerned about hackers .

[aspen]

PHP is a server side scripting language. The client side never ever see's it unless it's contained in an HTML file. Well perhaps a rare fluke could happen but its not likely.

So to make sure your included files are secure give them php extensions and make sure their content is enclused by <? ?> and thats all you need to do.

[trmweb]

Thanks for the quick reply!

My concern is with the .inc files that are part of some of the MySQL/PHP setup source code. I tried this 'view-source:' and was able to view the sql setup info ... including the password!

Maybe putting the <? ?> in the .inc will correct the problem. I'll try it.

Thanks again.

[trmweb]

I tried it with the <? ?> and <?php ?> and I was stille able to view the source code. It appears to be the extention .php or .php3 or .phtml that makes the difference.

I wonder if .asp can be viewed this way?

[Hartmann]

Instead of saving them with .inc use *.inc.php

This is so that they are parsed by the server.

[aspen]

what hartmann said

and I'll add to it.

You can also set up your server to treat .inc files as php files - meaning the files will go through the php interpreter before they are sent anywhere.

If you know how to do this great, if not contact your server administrator.

[westmich]

Again, PHP MySQL is outside of my area, but when working with Access databases, I have always stored them above the www root level for security.

Are MySQL databases stored on the www root? Why?

[Son Nguyen]

Yes, you should make an include directory to put all the important include files there and use .htaccess to fetch the include path

About where MySQL stores its data, it's not within the document root (not even within the user's directory)

[Percipient]

View-source isn't any more or less of a security risk that just typing in http://mydomain.com/config.inc and choosing "View Source" in the appropriate menu. Try it with your own config.inc file, and see just how unsecure it's been, even before you discovered view-source.

I discovered something similar to what you did, a few days ago. I switched to a .php file, and made sure the parameters were enclosed in <?PHP ?> tags.

For added security, the config file could also reside in a protected folder with no username and password associated with it. This would mean the file could only be accessed locally, from the server.

[Philip Olson]

Have a look around here (most importantly, the user comments) :

http://phpbuilder.com/tips/item.php?id=66

The easiest way is to name your files something that parses, which it looks like .php does this so : config.php And note that a server can be setup to parse any extension as PHP, even .inc and .foobar

Also consider putting included files outside the web root.

[trmweb]

Thank you all!

I'm getting both an education and an understanding of the issues involved.

So far I understand that the issue isn't with the "view-source:" command, rather it relates to the server processing the code contained between the <% %>.

Since I don't have access to the server. I am planning on looking into using '.htaccess' and seeing how that works. As well as creating a 'protected' folder for my include files. I like the idea of renaming the .inc to .inc.php as well.

I sure appreciate all the good feedback. I'm impressed with this forum!

P.S.

Philip -- thanks for the url. I checked it out and it seems that this exact issue was addressed. Thanks!

[jdulberg]

I have about 20 virtual hosts on my server and all of them have shtml files that look to a directory /includes/ which is aliased (in the srm.conf file) over to a main includes directory under the root dir.

Alias /includes/ /usr/local/etc/httpd/htdocs/includes/

If I change this to a directory above the root dir, I can still view all of my .inc files even if I rename them to .inc.php

These files are just plain text that get included into all of the virtual hosts. There are some php scripts in there too that all of my VH's need to use.

I tried to do the deny *.inc but doing so just made it so the browser can't even include them. So that won't do the trick.

Is there any way that I can make these .inc files not readable by viewing them directly in the browser and still be able to include them into documents?

Any ideas to sort this out are greatly appreciated.

[hmahonen]

Rename them to .php and include them into another .php file when needed?

Or another point of view: never, EVER keep your database's username, password and name in a directory, which is accessible directly from the web. Instead, if your main WWW root directory is public_html, place the file one level up from that and include it from there.