Apr 30th, 2011
PHP security restricting Includes
PHP security restricting Includes
Local include attacks occur when an attacker is able to pull local files into PHP scripts to view sensitive information on or about your system. For example, an attacker may be able to include and subsequently view the /etc/passwd file using a PHP inclusion vulnerability, in effect acquiring some basic information about every account associated with your web server.
To help prevent local include vulnerabilities, you can set the open_basedir parameter in your PHP configuration to a specific directory. This will limit an attacker’s access via local includes to a single directory. In most cases, you will want to set the open_basedir parameter to a public_html directory, allowing PHP to open and modify HTTP-accessible (public) files contained within the specified directory while limiting access to more sensitive information contained outside of the specified directory
