includes in sub directories of password protected directories

guvna
New php-forum User
Posts: 18
Joined: Fri Mar 10, 2017 7:42 am

Fri Mar 10, 2017 8:06 am

New to this so any help will be greatly appreciated. I searched this topic and I don't think the 3 answers cover my issue.
On one of my sites I have a password protected directory (ppd) and the cPanel support states that all sub directories of the ppd will inherit the username/password.
In sub directories of the ppd I have php pages that are called from usual code <?php include ..... ?>
Example: http://www.abc.com
ppd http://www.abc.com/123
http://www.abc.com/123/xyz hosts php and html pages called by includes
http://www.abc.com/123/index.php displays with errors once username/password verified.
index.php has code <?php include 'http://www.abc.com/123/xyz/header.php
Error message displays as:
Warning: include(http://www.abc.com/123/index.php): failed to open stream: HTTP request failed! HTTP/1.1 401 Authorization Required in /home/abc/public_html/123/index.php on line 169

Warning: include(): Failed opening 'http://www.abc.com/123/index.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/abc/public_html/123/index.php on line 169

Having read up I am aware that it is good practice to place all 'includes' in an include sub directory which generally is not protected. This will require moving multiple pages which is no major issue. However, I wondered if there was something like a security setting fix for this issue due to it being a 401 error message.
NigelRen
php-forum GURU
Posts: 622
Joined: Fri Aug 05, 2011 9:53 am

Fri Mar 10, 2017 9:31 am

Rather than use the URL of the include file, can you put the actual file name in instead? Should be something like xyz/header.php.
guvna
New php-forum User
Posts: 18
Joined: Fri Mar 10, 2017 7:42 am

Fri Mar 10, 2017 9:41 am

Have tried that and still get the authorization error message. Also I have multiple sites with 'includes' but they don't sit behind a protected directory so they are not an issue right now.
AdoptiveSolution
php-forum Super User
Posts: 167
Joined: Wed Jun 15, 2016 8:35 am

Fri Mar 10, 2017 2:55 pm

Do not use http URLs to include files, use file paths:

<?php
include "123/xyz/header.php";
?>
Or

<?php
include "../123/xyz/header.php";
?>
Directory passwords only work when you display webpages with a browser.
guvna
New php-forum User
Posts: 18
Joined: Fri Mar 10, 2017 7:42 am

Tue Mar 14, 2017 4:35 am

ok thanks. This works but only with server path, not with site path. So this leads to another issue, I use Dreamweaver for websites and with site paths any changes I make will automatically update affected pages. The server path include paths are not automatically updated by Dreamweaver.

I'm thinking I can overcome this by declaring a serverpath variable for each site so when I have updates, such as a new server, I can just update the serverpath variable. I'll research this and make a new post if necessary.
chorn
php-forum GURU
Posts: 626
Joined: Fri Apr 01, 2016 2:18 am

Tue Mar 14, 2017 5:11 am

what you are creating is a remote code execution vulnerability. not only you may lose control over the other servers - your connection is not even encrypted with TLS due to the http-url, so any man in the middle can manipulate your sourcecode.
guvna
New php-forum User
Posts: 18
Joined: Fri Mar 10, 2017 7:42 am

Tue Mar 14, 2017 10:23 am

response to chorn post:
Is your warning relative to the using of http full path in includes, to using server path, or both?
chorn
php-forum GURU
Posts: 626
Joined: Fri Apr 01, 2016 2:18 am

Tue Mar 14, 2017 10:40 pm

the vulnerability applies whenever you include (=execute) remote code, especially when it comes from un-encrypted http.
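
An added example, not part of any post in this thread: the filesystem-path include recommended above, combined with a single base-path constant of the kind guvna describes, plus a check that refuses URL includes. SITE_ROOT and include_local() are hypothetical names, and a temporary directory with a constructed header.php stands in for the site directory.

```php
<?php
// Added example, not code from the thread.
// SITE_ROOT and include_local() are hypothetical names chosen for illustration.

// A temporary directory stands in for the protected site directory so the
// script runs anywhere; header.php below is a constructed sample file.
$root = sys_get_temp_dir() . '/ppd_demo_' . getmypid();
mkdir($root . '/xyz', 0700, true);
file_put_contents($root . '/xyz/header.php', "<?php echo \"header loaded\\n\";\n");

// The one value to change when the site moves to another server or directory.
define('SITE_ROOT', realpath($root));

/**
 * Include a file by filesystem path relative to SITE_ROOT.
 * Refuses URLs / stream wrappers and paths that resolve outside SITE_ROOT.
 */
function include_local(string $relative): bool
{
    // "http://", "ftp://", "php://" and friends all contain a scheme separator.
    if (strpos($relative, '://') !== false) {
        trigger_error("refusing URL include: $relative", E_USER_WARNING);
        return false;
    }
    // realpath() resolves ".." and symlinks and returns false for a missing file.
    $full = realpath(SITE_ROOT . '/' . ltrim($relative, '/'));
    $base = SITE_ROOT . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $base, strlen($base)) !== 0) {
        trigger_error("missing or outside site root: $relative", E_USER_WARNING);
        return false;
    }
    // Read straight from disk: no HTTP request is made, so the directory
    // password is never involved and nothing travels over the network.
    require $full;
    return true;
}

// Report the php.ini switch that lets include/require execute URLs at all.
echo 'allow_url_include = ', var_export(ini_get('allow_url_include'), true), "\n";

var_dump(include_local('xyz/header.php'));                        // local file under SITE_ROOT
var_dump(include_local('http://www.abc.com/123/xyz/header.php')); // URL form from the question
var_dump(include_local('../../etc/passwd'));                      // path climbing out of SITE_ROOT
```

On a real site SITE_ROOT would be defined once in a shared config file, and each page would call include_local() with a path relative to it.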