12-06-2006
phillip.s.powell@gmail.com
 
Re: .htaccess prevents itself from being viewed but not "sess*" files in directory


Concreteman wrote:
> phillip.s.powell@gmail.com wrote:
> > HansH wrote:
> > > <phillip.s.powell@gmail.com> wrote in message
> > > news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > > > <Directory />
> > > > Options -Indexes
> > > > </Directory>
> > > >
> > > > <Files ~ "^\.ht">
> > > > order allow,deny
> > > > deny from all
> > > > </Files>
> > > Odd you have do set this yourself, should be in httpd.conf.
> >
> > That's assuming you have permissions and access to httpd.conf, which I
> > don't :(
> >
> > >
> > > > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> > > Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> > > See 'session.hash_bits_per_character' at
> > > http://www.php.net/manual/en/ref.session.php
> >
> > session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
> > using PHP 4.3.9, sorry.
> >
> > I tried your pattern, but unfortunately that also failed to match and
> > the session file was easily viewable via browser, which obviously you
> > don't want.
> >
> > >
> > > > order allow,deny
> > > > deny from all
> > > > </Files>
> > >
> > > > This is designed to prevent itself, all files beginning with "sess" and
> > > > the directory listing from being viewed.
> > > Your session.save_path in php.ini should be set _outside_ the document tree
> > >
> >
> > That would be assuming you have the rights to do so IAPW. However, I
> > am designing a portable web application that will be housed in a shared
> > hosting platform which does not allow for us to store sessions within
> > session.save_path (or for that matter, have any access outside of our
> > chroot - can you say "chroot jail"?), nor are we allowed to even change
> > any of the default php.ini values via ini_set() either (I tried that,
> > believe me). So that left me only with the option to store sessions
> > within our chroot (actually in one case, within the document root only
> > as that's as far back as we're allowed to go), and since they're
> > "open", I need to make sure the session file contents are not viewable.
> >
> >
> > > HansH
>
> /tmp should work even in your environment and should work in about 95%
> of Linux-flavored hosting. If it doesn't you might consider moving. You
> might also run phpinfo.php and make sure your temp is at /tmp. Session
> files are dangerous to have lying around anywhere, it is a major
> security breach.

Would you believe we're in the 5%? It's a "chroot jail", no access of
any kind is allowed outside of your chroot, not even to /tmp!

I agree about leaving session files lying around, but sadly I have no
choice unless the company decides to go with my suggestion on a
dedicated host instead of a shared host; until then I'm expected to
come up with a solution that is secure and functional within the
shared host settings given to us.