Security - Keeping it Off the Web
By: Jamie H
You may ask yourself why a competent software designer would do such a thing, and why it is so common.

The answer is simplicity and market value. Customers demand software that is easy to install. It is actually done this way for your convenience.

Scripts that store everything in one directory make it easy for you, the website owner, to install and manage. Web software customers have come to demand this sort of thing.

Most software designers are aware of this problem, which is why they often choose to write the configuration into a .php file. This gives you some protection, at the expense of introducing other potential security problems we won't cover here.

While Java servlet technology provides WEB-INF/ (a directory the container never serves, and so a secure place to store this type of information), most PHP or CGI environments offer nothing equivalent.

Furthermore, some web servers use something called "safe mode", which is a misguided attempt to make PHP "secure"; operating in this mode forces a software developer to write insecure programs in the manner I've just outlined.

For those of you who have inspected your website, good job! You've probably discovered that you do have this problem. The next question is "What can be done?"

The correct approach is to relocate your configuration files (and any other information that shouldn't be web accessible) to a place safely outside your document root (sometimes called your "web folder"). After you have done this, you shouldn't be able to access the files with a web browser, not even with a password.

I generally like to use the HOME directory, but it doesn't matter as long as it's safely kept well away from the prying eyes of would-be hackers.

With many scripts, this is not very practical, particularly if you have already installed them. At this point, damage control may be your only option.

If you're using Apache, you can give yourself some added protection in the form of an .htaccess file. This is still not secure, but it's certainly better than nothing at all. In "safe" mode, this may be your only option.

There are also things you can do via the language itself, but I won't cover them here.

After you have done this, it is important to make a note to yourself about it. When backing up your website, you will need to include not only the web pages, but these other files that you now have safely tucked outside your web directory.

If you are unable to solve the problem (for example, the web script won't allow you to locate these files elsewhere), simply being aware of it can go a long way toward protecting your website from future attackers. Now that you know, you can keep an eye out for any backup files that may have been created by other tools.
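The inspection and the damage-control step described above, as an added example that is not part of the original article: a small shell script that lists files under a document root whose names suggest configuration, backup copies or database dumps, and writes an Apache .htaccess that denies them when they cannot be moved. The filename patterns and the constructed sample site are this example's own assumptions, not an exhaustive list.

```shell
#!/usr/bin/env bash
# Added example: audit an Apache/PHP document root for files that should never be
# web-reachable (config includes, editor/backup copies, database dumps) and, as
# damage control, write an .htaccess that denies them. The pattern list and the
# sample site are this example's own; adjust them to the scripts you actually run.

# Filename patterns (ERE) that commonly leak configuration or credentials when served.
EXPOSED_PATTERNS='\.(inc|bak|old|orig|swp|sql|sql\.gz|log)$|~$|^\.htpasswd$'

# find_exposed_files DOCROOT
# Prints paths (relative to DOCROOT) of regular files whose basename matches EXPOSED_PATTERNS.
find_exposed_files() {
  docroot="$1"
  find "$docroot" -type f -print | while IFS= read -r f; do
    # Match on the basename only, so directory names do not trigger a hit.
    if printf '%s' "${f##*/}" | grep -Eq "$EXPOSED_PATTERNS"; then
      printf '%s\n' "${f#"$docroot"/}"
    fi
  done | sort
}

# write_deny_htaccess DOCROOT
# Damage control when the files cannot be relocated: deny the same patterns via .htaccess.
# Only takes effect if the vhost's AllowOverride permits it; it does not stop local reads.
write_deny_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
# Deny direct requests for configuration, backup and dump files (Apache 2.4 syntax;
# on Apache 2.2 use "Order allow,deny" and "Deny from all" instead).
<FilesMatch "\.(inc|bak|old|orig|swp|sql|sql\.gz|log)$|~$|^\.htpasswd$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed sample site for a stand-alone run; no real deployment is touched.
demo() {
  root="$(mktemp -d)"
  mkdir -p "$root/htdocs/include" "$root/htdocs/css"
  touch "$root/htdocs/index.php" "$root/htdocs/css/style.css"          # legitimate
  touch "$root/htdocs/include/config.inc" "$root/htdocs/config.php.bak" \
        "$root/htdocs/db_backup.sql" "$root/htdocs/index.php~"          # exposed
  echo "Exposed files under $root/htdocs:"
  find_exposed_files "$root/htdocs"
  write_deny_htaccess "$root/htdocs"
  rm -rf "$root"
}
demo
```

Run it against your real document root with `find_exposed_files /path/to/htdocs` after sourcing the script; anything it lists is a candidate for relocation outside the web folder, and the .htaccess is only a stopgap for files you cannot move.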

Try not to be too tough on whoever wrote the program; chances are they chose to do it this way for the convenience of their users. I can attest from first-hand experience that if you don't store configuration data this way, customers can become annoyed and rarely understand your reasoning.

Page 2 of 2

Jamie is an entrepreneur at GenieGate.com, specializing in UNIX-based web technology for small and mid-size companies.

Article Source: http://www.ArticleBiz.com

Copyright © 2009 by ArticleBiz.com. All rights reserved.