Protecting the /inc/ directory

12th Jun 2012, 11:54 AM (This post was last modified: 16th Jul 2012 07:21 AM by Nathan Malcolm.)
Post: #1
Protecting the /inc/ directory
Let's face it - the ./inc/ directory shouldn't be accessible to the public. It's merely a collection of classes and functions. It also houses sensitive information such as database configurations and settings.

Protecting the directory from public access is simple and requires little effort. We'll be addressing this issue in MyBB 2.0 by allowing files to sit below the webroot so they cannot be accessed. For now, this will have to suffice.

This little tip assumes you're using an Apache webserver. For NGINX/lighttpd/etc. you'll need to refer to your webserver's manual.

Firstly, create a file called htaccess.txt. This will be renamed later but due to files that are prefixed with a period being hidden by default this is the best method.

Edit this file with a text editor such as Notepad++ (even Notepad itself will do, although it is not recommended) and put the following line at the top:

Code:
deny from all

Now simply save it and upload it to the ./inc/ directory on your webhost. You will then need to rename it to .htaccess.

You can test it's working by going to http://yoursite.com/inc/

If you receive a 403 error then everything is working as planned and is inaccessible to the real world.

Need a demo? See here: http://www.mybbsecurity.net/inc/

Now all of your configurations and settings are protected just in case something is misconfigured server side.

Nathan Malcolm
MyBB Core Developer

@MyBBGroup | Follow @MyBBGroup for the latest MyBB news
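A check for the setup described in this post, added here as example code (it is not from the post and not part of MyBB): it requests the directory and the two files the post names and reports anything that does not come back as a 403. It assumes the forum root is the URL passed on the command line; the reading of each status code is the editor's, including the note that on Apache 2.4 without mod_access_compat the old `deny from all` syntax makes Apache reject the .htaccess with a 500 (use `Require all denied` there). Testing only `/inc/` is not enough, because a 403 on the directory index can come from directory listing being disabled rather than from the deny rule, so the files themselves are probed as well.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths the thread names as sensitive, plus the directory itself.
SENSITIVE_PATHS = ("inc/", "inc/config.php", "inc/settings.php")


def http_status(url, timeout=10):
    """GET url and return the HTTP status code (urllib raises on 4xx/5xx)."""
    req = urllib.request.Request(url, headers={"User-Agent": "inc-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_inc_protection(base_url, fetch=http_status):
    """Request each sensitive path and explain any that is not a 403.

    `fetch` is injectable so the logic can be exercised without a network.
    Returns (statuses, findings); an empty findings list means every probe
    came back 403, which is what the tutorial expects.
    """
    base = base_url.rstrip("/") + "/"
    statuses = {path: fetch(urljoin(base, path)) for path in SENSITIVE_PATHS}
    findings = []
    for path, status in statuses.items():
        if status == 403:
            continue
        if status == 500:
            # Apache refused the .htaccess itself (syntax or AllowOverride).
            findings.append(
                "%s -> 500: Apache rejected the .htaccess; on Apache 2.4 "
                "'deny from all' needs mod_access_compat, otherwise use "
                "'Require all denied'" % path)
        elif status == 404:
            findings.append(
                "%s -> 404: not found; check that base_url is the forum root" % path)
        else:
            findings.append(
                "%s -> %s: request was not refused, the deny rule is not in "
                "effect for this path" % (path, status))
    # A blocked index with reachable files means only listing is off, not access.
    if statuses["inc/"] == 403 and any(statuses[p] == 200 for p in SENSITIVE_PATHS[1:]):
        findings.append(
            "only the directory index is blocked (e.g. Options -Indexes); "
            "files inside inc/ are still reachable")
    return statuses, findings


if __name__ == "__main__":
    import sys

    statuses, findings = check_inc_protection(sys.argv[1])
    for path, status in statuses.items():
        print("%-20s %s" % (path, status))
    print("OK: inc/ is not reachable over HTTP" if not findings else "\n".join(findings))
    sys.exit(1 if findings else 0)
```

Run it as `python inc_check.py http://yoursite.com/` after uploading the .htaccess; a non-zero exit means at least one probe was not refused.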


12th Jun 2012, 03:42 PM
Post: #2
RE: Protecting the /inc/ directory
Nice, I have had this for a while. Good tip
16th Jul 2012, 06:58 AM
Post: #3
RE: Protecting the /inc/ directory
After uploading, rename it to .htaccess
Thanks for the tip.
16th Jul 2012, 07:22 AM
Post: #4
RE: Protecting the /inc/ directory
(16th Jul 2012 06:58 AM)~andrew~ Wrote:  After uploading, rename it to .htaccess
Thanks for the tip.

I must have missed that, thanks for reporting.

Nathan Malcolm
MyBB Core Developer
26th Jul 2012, 01:10 PM
Post: #5
RE: Protecting the /inc/ directory
I did that on my forum.

But someone told me the following.

Quote:Ok but all I can say is, that tutorial to block access to your "inc" folder is completely pointless. Unless you have an idiot that doesn't use the following code on a plugin file inside the inc folder:

Code:
if(!defined("IN_MYBB")){
die("Direct initialization of this file is not allowed.
<br /><br />Please make sure IN_MYBB is defined.");
}

That's the first thing a developer will add to a plugin file.

What do you think about that?

Cheers

Wolfseye
28th Jul 2012, 05:22 PM
Post: #6
RE: Protecting the /inc/ directory
It's not just related to plugins. There are also sensitive files in the /inc/ directory such as config.php and settings.php.

Nathan Malcolm
MyBB Core Developer



29th Jul 2012, 05:45 AM (This post was last modified: 29th Jul 2012 05:46 AM by Wolfseye.)
Post: #7
RE: Protecting the /inc/ directory
The thing is that there are also plugins that have subfolders where they access files in, which they can't when you put in a .htaccess like the one you posted above.

Wouldn't that be a better method?

Code:
<Files config.php>
order deny,allow
deny from all
</Files>

probably could add the settings.php into it as well. Just wondering.
29th Jul 2012, 08:14 AM
Post: #8
RE: Protecting the /inc/ directory
Plugins are server side. Any client side resources should not be put in the /inc/ directory. The .htaccess file prevents access through the webserver to directly execute the files, but still allows access via the filesystem.

Nathan Malcolm
MyBB Core Developer
29th Jul 2012, 08:19 AM
Post: #9
RE: Protecting the /inc/ directory
Ok, thank you. So what would you suggest about plugins that have additional resources in a folder in the inc folder? Not install?
31st Jul 2012, 04:36 PM
Post: #10
RE: Protecting the /inc/ directory
(29th Jul 2012 08:19 AM)Wolfseye Wrote:  Ok, thank you. So what would you suggest about plugins that have additional resources in a folder in the inc folder? Not install?

It only matters if those resources are directly requested via the HTML the browser is using (i.e. images, jscripts, etc.). If it is simply additional details like language files or other PHP/server-side-only content, then it is fine.
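Following on from the question in posts #7, #8 and #10 about plugins that keep browser-fetched files under inc/, here is an added example (not MyBB's own file and not from anyone in this thread) that inventories such assets and prints an .htaccess which denies the directory by default and grants only those asset extensions, so the tutorial's blanket deny can stay in place without breaking a plugin's images or scripts. Assumptions: the set of extensions treated as client-side is the example's own and should be trimmed to what is actually shipped; both the Apache 2.4 (`Require`) and 2.2 (`Order`/`Deny`/`Allow`) forms are emitted inside `<IfModule>` guards so one file works on either version; and a file whose name contains `.php` is never granted, because the common AddHandler-based PHP setup would still execute a name like `shell.php.png`.

```python
import sys
from pathlib import Path

# Extensions a browser may legitimately request straight from a plugin's
# subfolder under inc/ (assumption for this example; trim to what you ship).
CLIENT_SIDE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "ico", "svg", "css", "js"}


def find_client_side_assets(inc_dir):
    """Inventory files under inc/ that a browser would fetch directly.

    Returns {extension: [relative paths]}. Anything whose name contains
    ".php" is skipped even if it ends in an asset extension: with the usual
    AddHandler-based PHP setup Apache would still execute "shell.php.png".
    """
    inc_dir = Path(inc_dir)
    found = {}
    for path in inc_dir.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        ext = path.suffix.lower().lstrip(".")
        if ext in CLIENT_SIDE_EXTENSIONS and ".php" not in name:
            found.setdefault(ext, []).append(path.relative_to(inc_dir).as_posix())
    return found


def render_htaccess(allowed_extensions):
    """Build an .htaccess that denies inc/ by default and allows only static assets.

    Emits the Apache 2.4 (mod_authz_core) and 2.2 (mod_authz_host) forms,
    each guarded by <IfModule>, so the same file works on either version.
    """
    exts = sorted({e.lower() for e in allowed_extensions} & CLIENT_SIDE_EXTENSIONS)
    # PCRE lookahead: never grant a name containing ".php", whatever it ends in.
    pattern = '"^(?!.*\\.php).+\\.(%s)$"' % "|".join(exts) if exts else None

    lines = [
        "# Generated example: deny direct web access to inc/ by default.",
        "<IfModule mod_authz_core.c>",
        "    Require all denied",
        "</IfModule>",
        "<IfModule !mod_authz_core.c>",
        "    Order deny,allow",
        "    Deny from all",
        "</IfModule>",
    ]
    if pattern:
        # A <FilesMatch> section is merged after the directory-level rule, so
        # its grant overrides the deny for just these file names.
        lines += [
            "",
            "# Static assets plugins ship under inc/ (e.g. inc/plugins/<name>/images/):",
            "<FilesMatch %s>" % pattern,
            "    <IfModule mod_authz_core.c>",
            "        Require all granted",
            "    </IfModule>",
            "    <IfModule !mod_authz_core.c>",
            "        Allow from all",
            "    </IfModule>",
            "</FilesMatch>",
        ]
    return "\n".join(lines) + "\n"


def generate_for(inc_dir):
    """Inventory inc_dir and return (assets found, .htaccess text)."""
    assets = find_client_side_assets(inc_dir)
    return assets, render_htaccess(assets.keys())


if __name__ == "__main__":
    assets, text = generate_for(sys.argv[1] if len(sys.argv) > 1 else "inc")
    for ext, files in sorted(assets.items()):
        print("# %s: %d file(s), e.g. %s" % (ext, len(files), files[0]), file=sys.stderr)
    print(text, end="")
```

Run it as `python inc_htaccess.py /path/to/forum/inc > /path/to/forum/inc/.htaccess`; the inventory goes to stderr so it does not end up in the file. With no assets found it prints only the deny block, which is equivalent to the tutorial's one-liner plus the 2.4 syntax.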



Forum Board By MyBB. MyBB Security is not affiliated with nor endorsed by the MyBB Group. MyBB Security theme designed and coded by Codicious.