vb.org Archive


VBCoder 06-23-2005 04:37 PM

Security: Denying direct access to files
 
I'd like to deny access to the include files - I know that vB tries to do this, but I'd like to do it explicitly. Other than /include/, are there any dirs that can be denied?

Chris M 06-23-2005 04:42 PM

I believe /clientscript/ is as well :)

Satan

Marco van Herwaarden 06-23-2005 07:10 PM

Lol, denying clientscript will make the board not function anymore, I guess.

Zachery 06-23-2005 07:12 PM

Quote:

Originally Posted by hellsatan
I believe /clientscript/ is as well :)

Satan

If you are that worried, why run a forum!

Seriously though... the includes directory doesn't contain anything that can harm your board from direct web access.

jugo 06-23-2005 07:21 PM

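Well, a good way to prevent a file from being called by itself:

I believe this would work:

Code:

// Redirect away if this file is requested directly instead of being included.
// eregi() was removed in PHP 7; preg_match() with the /i flag replaces it.
if (preg_match('/filename\.php/i', $_SERVER['PHP_SELF'])) {
  header("Location: http://www.misite.com");
  exit;
}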


Zachery 06-23-2005 07:22 PM

Just htaccess the directory if you're worried...

merk 06-24-2005 01:44 AM

The only directory that can be locked out is includes.

Marco van Herwaarden 06-24-2005 06:38 AM

All scripts that are not meant to be called directly are already "protected" against starting them directly, or at least protected from performing any actions.

akanevsky 06-24-2005 11:40 AM

The easy way to do this:

<Files *.php>
Order allow,deny
Deny from all
</Files>

<Files *.extension1>
Order allow,deny
Deny from all
</Files>

<Files *.anotherextension>
Order allow,deny
Deny from all
</Files>

Put this into .htaccess of every folder you want to protect.

Chris M 06-24-2005 12:58 PM

You know what I meant :p

I mean users cannot harm the board by accessing them directly :p

I misunderstood what he was asking and thought he wanted to know what directories were protected from damaging the board by users typing the URL in :p

Satan

tamarian 06-24-2005 01:30 PM

One thing I don't like about the vB installation script is that it tells you to delete the install.php file. What they don't tell you is that you can delete the entire install directory :) For upgrades, you just copy the whole install directory from the new version.

Zachery 06-24-2005 01:38 PM

Quote:

Originally Posted by tamarian
One thing I don't like about the vB installation script is that it tells you to delete the install.php file. What they don't tell you is that you can delete the entire install directory :) For upgrades, you just copy the whole install directory from the new version.

Eh, I don't advise deleting the entire install directory, there are some useful files that you should have on hand, furthermore the only somewhat harmful file is install.php (because it can drop your database)

tamarian 06-24-2005 01:49 PM

Quote:

Originally Posted by Zachery
Eh, I don't advise deleting the entire install directory, there are some useful files that you should have on hand, furthermore the only somewhat harmful file is install.php (because it can drop your database)

I always have them on hand, at home :)

Marco van Herwaarden 06-24-2005 02:03 PM

Better is to protect the directory with a .htaccess

VBCoder 06-24-2005 03:31 PM

I agree, the best thing is a simple .htaccess to block the dir. (Really, the includes etc should be outside of the webroot but I guess vB must support hosts where this is not available). My question is only which dirs can be blocked - I guess the answer is /includes/ and /install/
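
An added example (not from the thread, and not vBulletin code): a shell check that a directory carries a directory-wide deny, either in the `Deny from all` form posted earlier in the thread or in the Apache 2.4 `Require all denied` form, plus a helper that writes a rule valid on both versions. The function names and the temporary directory tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit for, and create, deny-all .htaccess files.

# True if DIR/.htaccess has an uncommented deny-all line in Apache 2.2
# ("Deny from all") or 2.4 ("Require all denied") syntax. Line match only:
# it does not interpret <Files> scoping.
has_deny_all() {
    [ -f "$1/.htaccess" ] || return 1
    grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$1/.htaccess"
}

# Write a directory-wide deny that works on both Apache versions.
# Refuses to overwrite an existing .htaccess (returns 1).
write_deny_all() {
    [ -e "$1/.htaccess" ] && return 1
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
EOF
}

# Print how many of the named directories under ROOT lack a deny-all rule;
# per-directory status goes to stderr.
count_unprotected() {
    root=$1; shift
    missing=0
    for d in "$@"; do
        if has_deny_all "$root/$d"; then
            echo "ok       $d" >&2
        else
            echo "MISSING  $d" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Demo on a constructed tree (not a real installation).
demo=$(mktemp -d)
mkdir -p "$demo/includes" "$demo/install"
count_unprotected "$demo" includes install
write_deny_all "$demo/includes" && write_deny_all "$demo/install"
count_unprotected "$demo" includes install
rm -rf "$demo"
```

A matching file is necessary but not sufficient: Apache ignores .htaccess where `AllowOverride` is `None`, so confirm that a request for a file in the directory actually returns 403.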

tamarian 06-24-2005 04:03 PM

Quote:

Originally Posted by VBCoder
(Really, the includes etc should be outside of the (Boys and girls, don't try this at home) webroot but I guess vB must support hosts where this is not available).

This is a good idea. But the includes directory (I think) is hardcoded in a few places. But if it's made outside the webroot, you can just add the includes path explicitly in php.ini and it should work.

I can see some mods and vB devs pulling their hair out at all this sacrilege :D

