An Important Note About .inc Files

Submitted on: 10/9/2002 4:51:01 PM
By: bleh
Level: Beginner
User Rating: By 15 Users
Compatibility: PHP 3.0, PHP 4.0
Views: 14462

Security issues using ".inc" include files.

Terms of Agreement:
By using this article, you agree to the following terms...
- You may use this article in your own programs (and may compile it into a program and distribute it in compiled format for languages that allow it) freely and with no charge.
- You MAY NOT redistribute this article (for example to a web site) without written permission from the original author. Failure to do so is a violation of copyright laws.
- You may link to this article from another website, but ONLY if it is not wrapped in a frame.
- You will abide by any additional copyright restrictions which the author may have placed in the article or article's description.

An Important Note About .inc Files
This is just a quick note about using include files with the ".inc" file extension. This doesn't apply to JUST PHP, but to the web in general. I am posting this here in the PHP section because that is the server-side language that I use, and I have noticed an abundance of ".inc" files in various projects throughout PSC.
For those who don't know, ".inc" files are nothing more than files that generally contain information you need to access from various scripts on a site. Most often, they are a time-saving way of storing certain variables. A primary example is the login/password for database connections. This way, if you change the login/password for the database, you only need to update one file.
The problem, however, is that the contents of a ".inc" file can be viewed in a browser by simply typing in its path: the web server has no handler registered for the ".inc" extension, so it sends the file as plain text instead of executing it. So anyone who knew the path of your include file could easily find out information that you probably didn't want them to know. Now, to those who aren't all that concerned with security, this may not seem a big issue. However, for the more paranoid among us, it is an issue.
I'm not sure if this applies to all platforms. The server I use runs Apache on Slackware, and the SysOp is a pretty security-conscious person. Also, it could very well be just an IE6 thing, as I have not had a chance to test this in any other browser. However, I thought I would make the uninformed among you aware of this.
The best way to get around this is to simply change the file extension to ".php" (or whatever language you're using), so the server runs the file instead of serving its source. It's that easy. Don't let your information be compromised.
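The two server-side fixes mentioned on this page (refusing to serve .inc files, or handing them to the PHP interpreter) can be expressed in an Apache .htaccess file. The following is an added example, not from the article or its comments; it assumes Apache with AllowOverride permitting these directives in the directory, and mod_php for the second option.

```apache
# .htaccess in the web root (added example, not from the article).
#
# Weak setting to avoid: no rule at all. Apache has no handler for the
# .inc extension, so a request for config.inc is answered with the file
# itself as text/plain, exposing whatever credentials it holds.

# Option 1: refuse to serve any file whose name ends in .inc over HTTP.
# PHP's include()/require() read the file from disk, not via HTTP, so
# scripts on the same server keep working while browsers get a 403.
<FilesMatch "\.inc$">
    # Apache 2.4 syntax (mod_authz_core)
    Require all denied
    # Apache 2.2 equivalent (mod_access); use instead of the line above:
    # Order allow,deny
    # Deny from all
</FilesMatch>

# Option 2: have PHP execute .inc files instead of serving their source.
# A direct request then runs the file (usually yielding a blank page).
# Uncomment if you prefer this over option 1:
# AddType application/x-httpd-php .inc

# Either way, turn off directory listings so the file names of your
# includes are not advertised when no index page is present.
Options -Indexes
```

Option 1 is the safer of the two: with option 2 a syntax error or a misconfigured handler can still fall back to serving the source, and any `echo` in the include will run when the file is requested directly. Keeping credentials in a directory outside the document root, as several commenters below do, removes the question entirely.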

Other User Comments

10/10/2002 1:12:16 AM: Dustin R Davis
I never use the .inc extension; you can get the same result with the php extension, or asp for that matter, or whatever else. Personally I would think this should be common sense among web developers. But I guess most PSC coders are "coding for fun" and not for professional status. I myself am a web developer and that is my job, so I am a little cautious about what I do. Good point to bring up though.

10/10/2002 2:40:55 AM: Darryl Porter
Yes, this is something that a lot of people do and is not addressed. This is a huge security risk. Thanks for putting it out there. You can see the .inc file using any browser on any system. Don't take my word on this, but I've never had a problem accessing one if I knew the path to it.

10/10/2002 8:40:17 AM:
You can also configure the server to parse .inc files instead (just like asp and php pages). This is a common security setting.

10/10/2002 3:02:45 PM: Charles Chadwick
I agree with you completely, Dustin. A lot of people are just coding for fun, which is fine, but they should be aware nonetheless. After all, I started out coding for fun, and it turned into an occupation.

10/10/2002 3:12:31 PM: Rob t.H.
I agree with you all. I just call those files foobar.inc.php. And if I can, I place files with passwords outside my webroot so they can't be accessed using a web browser. Another tip is to surround your script with to make the code invisible in the browser in case of a PHP crash.

10/11/2002 11:20:08 AM:
asd

10/11/2002 11:23:23 AM:
Same here! Had to keep the files with passwords too! Found out that anybody can download the php files just by creating a dummy html file (even on their HDs) with a link to the php file; when clicked, the browser will show the open or save dialog box...

10/11/2002 5:24:50 PM:
.inc files are so risky, 'cause someone can easily read the content of a .inc file!!! I am using .php or .inc.php every time. I have gotten some password from a site that was needed for something... :)

10/12/2002 5:31:32 AM: Merlin Corey
... then again, passwords and such should be saved in a database of some kind (such as MySQL) anyway... If you have a file extension that you use that isn't being interpreted, you should add it as the one person said... Any file on any website that does not have a pre-set interpreter is viewable by any website as plain text (yes, even

10/12/2002 5:33:28 AM: Merlin Corey
[continuing] yes, even ".bla" files)... However, the ".inc" file is not really that insecure; it is "security through obscurity"... No one should know the full filename anyway (this doesn't apply if you have Apache set to display directory contents when no index is found)... Downloading an interpreted file through HTTP does *not* give you the uninterpreted version...

10/12/2002 5:34:36 AM: Merlin Corey
"viewable by any website" = "viewable by any web browser"

10/12/2002 11:55:38 AM:
I kind of do it the other way round, i.e. "inc.config.php", and inside that have a bit of code where, if a certain var doesn't exist, it'll echo something loads of times. So, when including, it'll be something like
<?php require "inc.config.php?There_is_no_way_in_the_world_ill_use_this_var=123654789"; ?>
and if it's missing, then all you'll get is spam.

10/14/2002 3:18:58 AM: magikh0e
You could also put the .inc outside of the webserver path. Or if using Apache, make a .htaccess for the dir they are in.

10/14/2002 10:54:05 AM: VPUCEO
Since I have my server configured to interpret '.inc' as PHP, i put this code at the top of every include:
if(eregi(

10/14/2002 10:55:44 AM: VPUCEO
Since I have my server configured to interpret '.inc' as PHP, i put this code at the top of every include:
if(eregi([INC FILE NAME],$REQUEST_URI)) { die(); }
With this code, you can include it but you can't access it directly. Since the user is accessing the include through another page, it doesn't trigger the above code. It only triggers if the user tries to open the INC file directly.
Hope this helps

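The guard VPUCEO describes (an include that refuses to run when requested directly) can be written without matching the file name against REQUEST_URI, which is brittle and relies on eregi(), a function removed in PHP 7. The following is an added example, not VPUCEO's or the article's code; it assumes the include is named config.inc.php so that PHP actually parses it, a private/ directory beside the document root as suggested by other commenters, and constructed sample credential values. It also shows the entry script side of the exchange, which the comment leaves implicit.

```php
<?php
// ===== private/config.inc.php (added example, not from the page) =====
// Guard: a browser hitting this file directly never passes through an
// entry script, so IN_APP is undefined and we stop before any secret is
// assigned. This check depends only on the include mechanism, not on how
// the request URL happens to be spelled (case, encoding, extra segments).
if (!defined('IN_APP')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}

// Constructed sample values; real credentials belong here, outside the
// document root, never in a file the web server can hand out.
$db_host = 'localhost';
$db_user = 'app_user';
$db_pass = 'CHANGE_ME';

// ===== public_html/index.php (the entry script) =====
// Define the marker first, then include the file by filesystem path.
// include()/require() read from disk, so the web server's refusal to
// serve private/ over HTTP does not affect this. __DIR__ needs PHP 5.3+.
define('IN_APP', true);
require dirname(__DIR__) . '/private/config.inc.php';

// From here on $db_user / $db_pass are available to the application.
```

Two caveats follow from the discussion above. The guard only helps if PHP executes the file: a file named plainly `config.inc` on a server with no handler for .inc is sent as text, guard and all. And the guard is a second layer, not a replacement for keeping the file outside the document root or denying it in .htaccess, because a future misconfiguration (a disabled handler, a copied file with a different extension) would otherwise expose the whole thing.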
10/14/2002 1:04:35 PM: Martin C. Conniffe
It's about time someone aside from me noticed that :) I have for a while now found a way around it by doing two things. On MY sites, I have a dir called srv outside the public_html dir so no one outside the server can access it, and for my users who may not care as much, I have my Apache set up to not allow anyone to get .inc files (so if a user _wants_ to make an inc file available to the general public, they have to call it .inc.txt). I never considered changing them to .php but that does work just as well :)

10/14/2002 1:44:33 PM: TheGeek
So what if I do all this, but I don't have access to the server root (Apache running on a Linux server)? I can't really stick my .inc files in /usr/dude. I tried creating a dummy folder named similar to the cgi_bin dir.... The Apache config didn't like this. Any ideas on using .htaccess? I've never researched it.... thanks

10/23/2002 3:46:51 PM: Tommy
I use .inc files all the time, many of which do store very sensitive data.
I've gotten around the security issue by creating a folder, "inc", and placing the files there. Inside that folder, there's a file, .htaccess, which contains solely the line "deny from all". This allows scripts to access the files, but not visitors.
Enjoy!

10/24/2002 3:35:23 PM:
I am running IIS5 and have the same issue. I have got around it though by putting the files in a separate "INC" directory and removing permission for the IUSR & IWAM accounts (IIS anonymous accounts)... apparently IIS uses the System account to read the files.

10/24/2002 6:07:50 PM:
Or deny listings for an /inc directory, so if someone does try to view the files, they cannot get to the directory. You can do this with Apache.

10/26/2002 3:02:07 PM:
Maybe you should try some exploiters on your sites.

10/28/2002 5:29:03 AM:

Oh please, that's not a security risk. If dick wads configure their .htaccess properly they can restrict access to all *.inc files, making it impossible for people to view them.

10/28/2002 5:08:21 PM: galantz
Yeah, well there's a lot of "d#ck w#ds". Go to your favorite search engine and search for "ODBC conn.inc"; you will literally see hundreds of hits. For several years, I would make money by finding people with database connections to their databases that contain private information (yes, sometimes customer credit card numbers) and would contact their IT for consultation fees... I think I cleared nearly 20,000USD with this "oversight" of "d#ck w#ds", so instead of "bitching" learn to milk it!!! :-)

11/1/2002 10:19:40 AM: James Mistry
There is one problem though - you can use leeching software like GoZilla (yes, I know it's a download manager as well) to download PHP files.

1/22/2003 2:03:23 PM: xU
Right. php files only let the user see what you let them see, even using GOZILLAAAAA. You're the man Charles.

4/8/2003 4:35:11 PM: Tristan Wells
lol, I'm the paranoid type you refer to; my config/include files are all stored in a compressed encrypted folder, not that the compressed factor has anything to do with it :)

7/5/2003 3:08:18 AM: -=TheASP=-
Somebody probably already said this, but... Why have all these complicated solutions to a simple problem? Name your includes '.inc.php' or '.inc.asp' and quit worrying. Or for those who don't feel like renaming a ton of .inc files to .inc.php, just add a handler telling your server that .inc files should be processed by PHP. Simple.

8/1/2003 3:22:40 AM:
It's recommended not to use .inc files; instead, as was told, use .php.
And I have another tip: when using @include ("file.php"); you can prevent PHP from showing the included file on an error. If the file doesn't exist, there's no message. Not good for finding code errors ;)

8/22/2003 11:00:21 AM:
For my part, I use .inc files, but to protect them, I put all my .inc in a different folder and I add a .htaccess file (inside my .htaccess file I have only one line: deny from all). The .htaccess file denies access from the internet, but leaves access to PHP (server side/local).
Have fun.
PS: sorry for my bad English ;)

12/15/2003 7:54:22 AM: vbDEVvb
When I use .inc files I just declare variables in them, so if they get parsed by PHP it doesn't output anything, so it doesn't matter if someone accesses the URL of the .inc file.

1/19/2004 3:33:03 PM:
Create a .htaccess with:
Order allow,deny
Deny from all
Satisfy All
Situation solved.

2/13/2004 7:20:37 AM:
Or you could just use inc.php which will block it from any outside viewers, woohoo.

10/31/2004 6:38:09 PM:
I usually just set up Apache to recognize .inc files as PHP files and interpret them as they are accessed, so if they do type in the address, all they will see is a blank page... not the information in the script.

1/11/2006 1:06:28 PM: Nick
Order allow,deny
Deny from all
It's that simple.

10/29/2006 12:29:24 AM: Matt
Good one. While you can tell your Apache server to process .inc files as PHP, what if you distribute your script to others who do not know to do that, or lack the ability to have that happen?
Always have your include files that contain sensitive information use an extension of .php.

4/8/2007 8:47:18 PM: Matt Dunham
Wow, this was a huge conversation. Does anyone know who exactly started using .inc?
