Protecting the /inc/ directory
12th Jun 2012, 11:54 AM
(This post was last modified: 16th Jul 2012 07:21 AM by Nathan Malcolm.)
Post: #1
Protecting the /inc/ directory
Let's face it - the ./inc/ directory shouldn't be accessible to the public. It's merely a collection of classes and functions. It also houses sensitive information such as database configurations and settings.
Protecting the directory from public access is simple and requires little effort. We'll be addressing this issue in MyBB 2.0 by allowing files to sit below the webroot so they cannot be accessed. For now, this will have to suffice.

This little tip assumes you're using an Apache webserver. For NGINX/lighttpd/etc. you'll need to refer to your webserver's manual.

Firstly, create a file called htaccess.txt. This will be renamed later but due to files that are prefixed with a period being hidden by default this is the best method.

You want to edit this file with a text editor such as Notepad++ or even Notepad itself will do (although not recommended) and put the following line at the top:

Code:
deny from all

Now simply save it and upload to the ./inc/ directory on your webhost. You will then need to rename it to .htaccess.

You can test it's working by going to http://yoursite.com/inc/
If you receive a 403 error then everything is working as planned and is inaccessible to the real world. Need a demo? See here: http://www.mybbsecurity.net/inc/

Now all of your configurations and settings are protected just in case something is mis-configured server side.

Nathan Malcolm
MyBB Core Developer
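An offline check for the steps in the post above, added here as an example and not part of the original post or of MyBB: it audits an inc/ directory for the skipped rename and for a deny-all that is missing or only scoped to a section such as <Files>. It goes slightly beyond the post by also accepting Apache 2.4's "Require all denied"; the names audit_inc and demo and the sample directories are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Deny-all directives: Apache 2.2 syntax (as in the post) and Apache 2.4 syntax.
DENY_ALL = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.I)


def audit_inc(inc_dir):
    """Return a list of findings for an inc/ directory; an empty list is a pass."""
    inc, findings = Path(inc_dir), []
    if (inc / "htaccess.txt").exists():
        findings.append("htaccess.txt present: rename to .htaccess not done")
    htaccess = inc / ".htaccess"
    if not htaccess.is_file():
        findings.append(".htaccess missing: directory not protected")
        return findings
    depth, top_level, scoped = 0, False, False
    for raw in htaccess.read_text().splitlines():
        line = raw.strip()
        if line.startswith("<"):  # section open or close, e.g. <Files ...>
            depth = max(0, depth + (-1 if line.startswith("</") else 1))
        elif DENY_ALL.match(line):
            top_level, scoped = top_level or depth == 0, scoped or depth > 0
    if not top_level:
        findings.append("deny-all only inside a section: coverage is partial"
                        if scoped else "no deny-all directive found")
    return findings


def demo():
    """Audit three constructed inc/ directories (sample data, not a real site)."""
    cases = {
        "forgot_rename": ("htaccess.txt", "deny from all\n"),
        "files_only": (".htaccess", "<Files config.php>\ndeny from all\n</Files>\n"),
        "protected": (".htaccess", "# block web access\nDeny from all\n"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (fname, body) in cases.items():
            inc = Path(tmp, name, "inc")
            inc.mkdir(parents=True)
            (inc / fname).write_text(body)
            results[name] = audit_inc(inc)
    return results


if __name__ == "__main__":
    print(demo())
```

A clean result only shows the file is in place; whether Apache honours it depends on the server's AllowOverride setting, so the 403 test from the post is still the final check.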
12th Jun 2012, 03:42 PM
Post: #2
RE: Protecting the /inc/ directory
Nice, I have had this for a while. Good tip
16th Jul 2012, 06:58 AM
Post: #3
RE: Protecting the /inc/ directory
After uploading, rename it to .htaccess
Thanks for the tip.
16th Jul 2012, 07:22 AM
Post: #4
RE: Protecting the /inc/ directory
(16th Jul 2012 06:58 AM) ~andrew~ Wrote: After uploading, rename it to .htaccess

I must have missed that, thanks for reporting.

Nathan Malcolm
MyBB Core Developer
26th Jul 2012, 01:10 PM
Post: #5
RE: Protecting the /inc/ directory
I did that on my forum.
But someone told me the following.

Quote: Ok but all I can say is, that tutorial to block access to your "inc" folder is completely pointless. Unless you have an idiot that doesn't use the following code on a plugin file inside the inc folder:

What do you think about that?

Cheers
Wolfseye
28th Jul 2012, 05:22 PM
Post: #6
RE: Protecting the /inc/ directory
It's not just related to plugins. There are also sensitive files in the /inc/ directory such as config.php and settings.php.
Nathan Malcolm
MyBB Core Developer
29th Jul 2012, 05:45 AM
(This post was last modified: 29th Jul 2012 05:46 AM by Wolfseye.)
Post: #7
RE: Protecting the /inc/ directory
The thing is that there are also Plugins that have subfolders where they access files in, which they can't when you put in a .htaccess like the one you posted above.
Wouldn't that be a better method?

Quote: <Files config.php>

Probably could add the settings.php into it as well. Just wondering.
29th Jul 2012, 08:14 AM
Post: #8
RE: Protecting the /inc/ directory
Plugins are server side. Any client side resources should not be put in the /inc/ directory. The .htaccess file prevents access through the webserver to directly execute the files, but still allows access via the filesystem.

Nathan Malcolm
MyBB Core Developer
29th Jul 2012, 08:19 AM
Post: #9
RE: Protecting the /inc/ directory
Ok, thank you. So what would you suggest about plugins that have additional resources in a folder in the inc folder? Not install?
31st Jul 2012, 04:36 PM
Post: #10
RE: Protecting the /inc/ directory
(29th Jul 2012 08:19 AM) Wolfseye Wrote: Ok, thank you. So what would you suggest about plugins that have additional resources in a folder in the inc folder? Not install?

It only matters if those resources are directly requested via the HTML the browser is using (i.e. images, jscripts, etc). If it is simply additional details like language files or other PHP/server side only content, then it is fine.