Channel: NH Learning Solutions - Programming

Three ways to prevent hackers from directly executing include files


One potentially vulnerable aspect of any website is that include files may be executed directly by users and hackers. In poorly configured sites, they may even end up in search engine results. Because these files were never intended to be viewed on their own, the results may be unpredictable: jeopardized security, products accidentally given away for free, or incomplete pages that damage a site's reputation.


While this problem applies to the use of include files with any server-side language and web server, we'll consider the case of PHP and Apache. Which strategy you use to prevent direct execution of include files may depend on how much control you have over the server. However, you may want to use multiple strategies simultaneously to thoroughly insulate your site from breaches or mistakes.

If you're distributing software for others, you have very little control over how it's implemented on their servers. But you can define a constant on pages that make use of include files, and then use code at the top of all your include files to quit if that constant doesn't exist:

   <?php
   // On the main page: define the constant before including anything
   define('CAN_INCLUDE', true);

   <?php
   // At the top of every include file: stop unless a page defined the constant
   if (!defined('CAN_INCLUDE')) {
      header('HTTP/1.1 404 Not Found');
      exit;
   }

This code isn't foolproof, since register_globals, when enabled in PHP versions below 5.4, could allow a user to create an arbitrary variable via the query string. However, it's a helpful approach that you can implement directly in your PHP pages without any server configuration.

Another technique is to use an .htaccess file. You can place it in the directory for includes with "Deny from all", or just create a special extension for include files and use pattern-matching, like this:

   <FilesMatch "\.(inc)$">
      Deny from all
   </FilesMatch>

An .htaccess rule like this has the additional benefit of preventing users from reading the source code of files with an ".inc" extension.

One possible disadvantage of .htaccess files is that they may slightly impact performance. This leads us to the last solution, which provides the tightest security but requires access to the directory above the root directory of your website. When serving PHP files on Apache, "include" and "require" can load files located above the web root, where no HTTP request can reach them. Fortunately, many web hosts give the site owner access one level above the public root. The following line includes a file from an includes subdirectory located two levels above the current file's directory:

   include '../../includes/util.php';
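As an added example (not code from the original article), the following include file combines the first and third strategies: it lives outside the web root and keeps the CAN_INCLUDE check, but adds a second test that does not depend on a constant at all. When a client requests the include file directly, the script PHP is executing is this very file, so the two resolved paths match; when a page requires it, SCRIPT_FILENAME points at that page instead. The directory layout and the format_price() helper are assumptions for illustration.

```php
<?php
// Added example: hardened guard for the top of an include file.
//
// Assumed (hypothetical) layout:
//   /home/site/includes/util.php      <- this file, above the web root
//   /home/site/public_html/index.php  <- the page that uses it:
//        define('CAN_INCLUDE', true);
//        require __DIR__ . '/../includes/util.php';

// Path of the script Apache (or the CLI) actually started executing.
$executed = isset($_SERVER['SCRIPT_FILENAME'])
    ? realpath($_SERVER['SCRIPT_FILENAME'])
    : false;

// A direct request makes the executed script and this file the same path.
$calledDirectly = ($executed !== false && $executed === realpath(__FILE__));

// Refuse to run unless a page set the constant AND we were not hit directly.
if (!defined('CAN_INCLUDE') || $calledDirectly) {
    // Answer as if the file did not exist rather than advertising an include.
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Below this line: the helpers the including page actually wanted.
// (format_price is a hypothetical helper used only for illustration.)
function format_price($amount)
{
    return '$' . number_format($amount, 2);
}
```

Because the second check compares server-side file paths, it is unaffected by anything a client can put in the query string, which addresses the register_globals caveat mentioned for the constant-only approach.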


At New Horizons, we’re talking about Information Security every day—and not just with a variety of clients, but with leading vendors—about industry trends and real-life challenges. And because of our close partnership with these vendors, New Horizons is positioned to help businesses like yours leverage our knowledge experts to discuss strategies, implementation and troubleshooting.


If you would like to learn about Security training, click here to see our upcoming class offerings for Chicago, Grand Rapids, Kalamazoo, East Lansing, Livonia, Troy, Cleveland and Online LIVE. Also, if you found this article interesting, helpful or useful, please use the ‘Social Share’ buttons below and spread the word across your networks.
