Security Update to SimpleSite 07/08

I have had a concern brought to me that using .inc files is a security issue: people can request the xxx.inc file directly and read its full contents as plain text.

While I agree, this can be fixed with a rule in your .htaccess file that sends a 403 Forbidden response to every request for a .inc file. I personally like using the .inc extension for include files rather than .php, as these files are not and should not be run directly. If you would rather use .php than .inc, the last section explains what to change.

Download an update from the main SimpleSite post ~ http://sheldon.lendrum.co.nz/building-a-completely-dynamic-site-using-text-files-php-and-no-mysql_187/03/

Modifying your .htaccess file

Add these lines to the .htaccess file in the root HTML directory where SimpleSite is installed:

# Block Reading of *.inc files
<files "*.inc">
order allow,deny
deny from all
</files>

To customise your 403 Forbidden page, you can add this to your .htaccess file as well:

# Set Error Documents.
ErrorDocument 403 /forbidden.html
ErrorDocument 404 /notFound.html
ErrorDocument 500 /serverError.html

Another security idea is to make sure that your server does not allow directory listings. Some servers generate a listing for any directory that has no default file, e.g. no index.html, index.htm, index.php, index.shtml, etc.

#  Block Dir Listing
Options All -Indexes

Using .php file Extensions over .inc

If you would rather use a .php file extension (or, for that matter, any file extension) for your included files, rename the .inc files to your chosen extension and then open the

includes/simplesite.php

file and edit your $config array so that it looks for your new file extension.

	function config() {
		$config = array(
			"siteName"    => "Dynamic File Based Site",           // 'siteName'    -> TITLE OF THE SITE,  USED FOR COSMETIC PURPOSES MOSTLY.
			"httpHost"    => "http://{$_SERVER['HTTP_HOST']}/",   // 'httpHost'    -> HTTP PATH 'http://sheldon.lendrum.co.nz'
			"docRoot"     => "{$_SERVER['DOCUMENT_ROOT']}/",      // 'docRoot'     -> FULL DOCUMENT ROOT PATH.
			"filePath"    => "pages/",                            // 'filePath'    -> DIRECTORY OF PAGE FILES.
			"fileExt"     => ".php",                              // 'fileExt'     -> INCLUDE FILE EXTENSION (WAS ".inc").
			"request"     => "page",                              // 'request'     -> USED IN $_GET[],  IF USING MOD REWRITE,  ALTER RULE TO MATCH.
			"newLine"     => "\n",                                // 'newLine'     -> FORMATTING NEW LINE, OPTIONS: (empty), "\n",  "\r\n"
			"styleSheet"  => "styles/format.css",                 // 'styleSheet'  -> PATH TO STYLESHEET,  USED WITH 'httpHost'
			"defaultPage" => "home",                              // 'defaultPage' -> DEFAULT FILE WITH NO PATH OR EXTENSION TO BE INCLUDED.
			"modReWrite"  => "off"                                // 'modReWrite'  -> IF YOU WANT TO USE MOD REWRITE TO HAVE 'PRETTY URLS',  SET THIS TO ON,
			);                                                    // CREATE YOUR '.htaccess' AND ADD THE RULES FROM THE 'help-file' PAGE.
		return $config;                                           // THE NAVIGATION WILL AUTOMATICALLY WRITE THE CORRECT URLS DEPENDING ON YOUR SELECTION.
	}
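As an added example (not SimpleSite's own code) that covers both the .htaccess rule and the extension change above: a front-controller marker plus a page resolver built from the $config keys, so include files still refuse direct requests on servers that do not honour the Order/Deny rule (non-Apache servers, or Apache 2.4 without mod_access_compat). The pages/home.php layout and the resolvePage() name are assumptions.

```php
<?php
// --- index.php (front controller) ---
// Added example, not SimpleSite's own code. The $config keys are the ones
// from this post; the page file names are assumed.

define('SIMPLESITE', true);   // set only here, before anything is included

function config() {
    return array(
        "filePath"    => "pages/",   // directory of page files
        "fileExt"     => ".php",     // include file extension
        "request"     => "page",     // $_GET key carrying the page name
        "defaultPage" => "home",     // page used when nothing is requested
    );
}

// Map the requested page name to a file under filePath, or return null.
// Only plain names (letters, digits, '_' and '-') are accepted, so the
// resulting path always stays inside filePath and ends in fileExt.
function resolvePage(array $config, array $get) {
    $key  = $config['request'];
    $name = (isset($get[$key]) && $get[$key] !== '') ? $get[$key] : $config['defaultPage'];
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    $path = $config['filePath'] . $name . $config['fileExt'];
    return is_file($path) ? $path : null;
}

$page = resolvePage(config(), $_GET);
if ($page === null) {
    header('HTTP/1.1 404 Not Found');   // unknown page: same answer as a missing file
    exit;
}
include $page;

// --- pages/home.php (and the top of every other include file) ---
// A direct request for this file never passes through index.php, so the
// constant is undefined and the file answers 403 instead of running.
if (!defined('SIMPLESITE')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
// ... page content follows ...
```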