davarravad / UserApplePie

UserApplePie website portal based on UserCake. UserApplePie is a fully open source user management system. UAP v.2 Build Started - Check that Repo.
http://www.userapplepie.com
GNU General Public License v2.0

Remove filename extension .inc #28

Closed ddmler closed 8 years ago

ddmler commented 8 years ago

Most webservers will print out the content of a .inc file by default, which means if anyone requests the file UserApplePie/models/db-settings.inc they get all the database credentials. To fix this: a) append .php or b) remove .inc and append .php

davarravad commented 8 years ago

Step #8. Enable/Install Apache mod_access so that intruders cannot open the *.inc files (shows full code as text file if not disabled). Add the following to either the Apache global config, or vhost/directory, or .htaccess:

<Files  ~ "\.inc$">
  Order allow,deny
  Deny from all
</Files>

That's what this step solves. It blocks all *.inc files from being opened directly. I will look into alternative options.

ddmler commented 8 years ago

Sorry, I didn't see that. But then there is the point that the installation should not be needlessly complicated in my opinion. If all files are .php this step could be removed. :)

davarravad commented 8 years ago

Good point. I will look into an easier and better way to handle the need I felt for the *.inc file format.

Thanks! Love getting feedback!

davarravad commented 8 years ago

Done! Thanks again for the advice.

I also added a simple script to block files from being opened directly. If they are opened directly the user is redirected to the main site page.
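The direct-access guard the last comment describes, as an added example that is not UserApplePie's own code: the entry point defines a constant, and the renamed settings file refuses to do anything unless that constant exists. File names (index.php, models/db-settings.php) and the constant name UAP_ENTRY are assumptions.

```php
<?php
// Added example, not the project's code. Two files are shown in one listing
// for readability; in a real tree they are separate files.

// ========== index.php (the only intended entry point) ==========
// Define the guard constant BEFORE pulling in any include-only file.
define('UAP_ENTRY', true);
require_once __DIR__ . '/models/db-settings.php';
// ... rest of the application bootstrap ...

// ========== models/db-settings.php ==========
// A direct request such as GET /models/db-settings.php never passes through
// index.php, so UAP_ENTRY is undefined. Redirect to the site root and stop
// before any credential is assigned, so the response body stays empty.
if (!defined('UAP_ENTRY')) {
    header('Location: /', true, 302);
    exit;
}

// Constructed placeholder values; real credentials come from deployment.
$db_host = 'localhost';
$db_name = 'uap_db_placeholder';
$db_user = 'uap_user_placeholder';
$db_pass = 'CHANGE_ME_placeholder';
```

The rename to .php is what stops the source from being served as text; the guard only keeps the file from doing anything when it is executed directly. The `<Files>` rule earlier in the thread is ignored wherever AllowOverride disables .htaccess processing, so that setting is worth checking too.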