3

When reading through questions and answers regarding maintaining security when allowing users to upload files to your server, some of the answers said to store the file in a location not accessible by a browser, and "above the document root".

If I had a site running in 'var/www/' such as:

var/www/MySite/Index.html

Does "above the document root" mean above the MySite folder, but still in the var/www folder, or does it mean in a seperate location from var/www altogether, somewhere else entirely on the server host's file system?

Also, why is it that making a file innaccessible from a browser makes it more secure? Thanks.

Highway62
  • 800
  • 1
  • 10
  • 25
  • http://stackoverflow.com/questions/2679524/block-direct-access-to-a-file-over-http-but-allow-php-script-access – Matjaž Jul 01 '15 at 17:46
  • Above or below or whatever is irrelevant. It should be a location in the servers file system that is _not_ directly accessible by http requests. Your http servers host configuration defines what locations are sehossting provider thatn rved by the server, so what folders and their content. On the other hand you have to think of the fact that your php script requires write permission at the desired location. If you only have a cheap hosting provider then that can be a problem. In such case you should take care to block requests to the location by means of a .htaccess style file. – arkascha Jul 01 '15 at 17:46

1 Answers1

4

I generally do not worry too much about moving certain files outside the www folder, because if your www folder is vulnerable (whether through apache or other means) you have a number of other problems, and those files are accessible anyways. Moving it outside the www folder also has an effect on portability of the application, as most hosting companies do not allow access beyond your user www folder anyways.

Enabling Override in apache and placing a .htaccess file with the following contents within any folder you want restricted is recommended:

Order deny,allow
Deny from all

This way your application is self-contained and portable.

Apache2.4 and PHP5.5 are further hardened against issues involving access and execution of unwanted code on an OS level, so I also recommend using the latest versions of these packages where possible.

Jerbot
  • 1,168
  • 7
  • 18
  • that's great thanks for they reply, is there a way to stop the .htaccess file from being overwritten with an attacker's own .htaccess file, or is it not something I need to worry about? – Highway62 Jul 02 '15 at 00:35
  • If your server is correctly configured, you shouldn't need to worry about that. However once in production I believe you can remove user/group write permissions at a filesystem level without any adverse effects.. – Jerbot Jul 02 '15 at 02:19