Security issues / PHP

#1, Sep 24th, 2006, 06:37

Hi there, I'm new here so please excuse me if I'm not at the right place, but I'm hoping to get some advice. Don't have much knowledge about PHP either.

I've got a small website to advertise my business, hosted by a hosting company, but I upload the content of the site myself. I don't have access to logs, at least I don't think so. If I do, I don't know where to find them. It is a cheap service with very little customer support. Pretty much DIY.

I found a PHP script that allows you to check your email (a single account) using a WAP browser, but there is no security built into this script and you place your username and password inside the script. The author suggests you give the script a name that no one can guess, something like hafdghjf.php.

My question: Is it possible to get a directory listing of a website? My gut feeling is that it should not be possible. Suggestions I had so far were to place "Options All -Indexes" in the .htaccess file. I was also told that search engine bots could find such a file and I must prevent them from listing that file in robots.txt, but then another person said that hackers like to read robots.txt to see what webmasters are trying to hide from the world. Can a search engine really find a file if there are absolutely no pages linking to it? Always thought they won't.

Don't want to stick this script on the site and then anyone can find it and open my mail. That is all the script does, it does not allow for delete, send or reply.

Also was wondering if there were programs out there that will read/draw the actual PHP file from the server, instead of the output produced by PHP. I'm thinking along the lines of a PHP script that validates passwords. Such a script will contain the passwords so if someone gets hold of the actual script, they would also have the passwords.

Thanks for any advice.

#2, Sep 26th, 2006, 18:52

Quote:
Originally Posted by horsyatza View Post
My question: Is it possible to get a directory listing of a website? My gut feeling is that it should not be possible. Suggestions I had so far were to place "Options All -Indexes" in the .htaccess file. I was also told that search engine bots could find such a file and I must prevent them from listing that file in robots.txt, but then another person said that hackers like to read robots.txt to see what webmasters are trying to hide from the world. Can a search engine really find a file if there are absolutely no pages linking to it? Always thought they won't.
If a directory contains a "home page" such as index.html, then it is not normally possible to get a directory listing. (Of course, you as the web site owner could write and upload a script to do so.)

If the directory does NOT contain a home page, then a directory listing WILL be offered when a user calls up the directory if the server configuration file includes Options Indexes or the appropriate .htaccess file does. The best way to find out what the current situation is on your server is to try it out and see - if you get a "forbidden" error 403, you're OK. If not, you'll need to set up the options or (better) add a home page.

If you have a URL with absolutely no links to it, and you don't allow directory listings as described above, the search engines won't find it. However, if you have a single obscure link to it for just a couple of hours, the search engines might find it in that time, and they have LONG memories.

Personally, I would NOT put the name of a secret page into a robots.txt file. It tells well behaved robots to go away, and tells naughty ones where they can find something juicy!

Quote:
Also was wondering if there were programs out there that will read/draw the actual PHP file from the server, instead of the output produced by PHP. I'm thinking along the lines of a PHP script that validates passwords. Such a script will contain the passwords so if someone gets hold of the actual script, they would also have the passwords.

Thanks for any advice.
No - not unless you write and upload them
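The check described in the reply above (request the directory and see whether you get a 403 or a listing), together with the robots.txt concern, as an added Python example that is not part of the original thread. The `/mail/` directory, the sample responses and the function names are constructed for illustration; `hafdghjf.php` is the example name from the first post.

```python
import re
import urllib.error
import urllib.request

# Markers Apache's mod_autoindex writes into a generated listing page.
AUTOINDEX = re.compile(r"<(title|h1)>\s*Index of /", re.I)

def classify_directory_response(status, body):
    """Classify the reply to a request for a directory URL (one ending in '/')."""
    if status == 403:
        return "listing-forbidden"      # the "you're OK" case from the reply above
    if status == 200 and AUTOINDEX.search(body):
        return "listing-exposed"        # file names, including secret ones, are visible
    if status == 200:
        return "index-page-served"      # a home page masks the directory contents
    return "other-%d" % status

def robots_disclosures(robots_txt, private_names):
    """Return Disallow paths that name a file that is meant to stay unlinked."""
    hits = []
    for line in robots_txt.splitlines():
        field, _, value = line.split("#", 1)[0].partition(":")
        path = value.strip()
        if field.strip().lower() == "disallow" and any(
                n.lower() in path.lower() for n in private_names):
            hits.append(path)
    return hits

def fetch(url):
    """Fetch a URL on your own site; returns (status, body) even for 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

# Constructed sample inputs (not captured from any real server).
SAMPLE_LISTING = ("<html><head><title>Index of /mail</title></head><body>"
                  "<h1>Index of /mail</h1><a href=\"hafdghjf.php\">hafdghjf.php</a>"
                  "</body></html>")
SAMPLE_HOME = "<html><head><title>My business</title></head><body>Welcome</body></html>"
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /images/\nDisallow: /mail/hafdghjf.php  # keep out\n"

if __name__ == "__main__":
    print(classify_directory_response(200, SAMPLE_LISTING))
    print(classify_directory_response(403, "Forbidden"))
    print(robots_disclosures(SAMPLE_ROBOTS, ["hafdghjf.php"]))
```

To run it against your own site, pass the result of `fetch("https://your-site.example/some-directory/")` to `classify_directory_response`; the host name there is a placeholder.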
#3, Sep 26th, 2006, 19:09

Excellent, that makes me feel more confident that it would be safe. Not that I think any hacker would be interested in my tiny little web site.

Thanks for the reply.
#4, Sep 27th, 2006, 12:16, masonbarge

The easy answer: Put index.php in every public directory, even if it's nothing but a redirect header. This gives you a layer of protection.

Or if you want to get cute, do a site map for the files in the directory that you want the public to access, using the default directory index as a template.