
includes in sub directories of password protected directories

Posted: Fri Mar 10, 2017 8:06 am
by guvna
New to this so any help will be greatly appreciated. I searched this topic and the 3 answers I don't think cover my issue.
On one of my sites I have a password protected directory (ppd) and the cpanel support states that all sub directories of the ppd will inherit the username/password.
In sub directories of the ppd I have php pages that are called from usual code <?php include ..... ?>
Example: http://www.abc.com
ppd http://www.abc.com/123
http://www.abc.com/123/xyz hosts php and html pages called by includes
http://www.abc.com/123/index.php displays with errors once username/password verified.
index.php has code <?php include 'http://www.abc.com/123/xyz/header.php
Error message displays as:
Warning: include(http://www.abc.com/123/index.php): failed to open stream: HTTP request failed! HTTP/1.1 401 Authorization Required in /home/abc/public_html/123/index.php on line 169

Warning: include(): Failed opening 'http://www.abc.com/123/index.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/abc/public_html/123/index.php on line 169

Having read up, I am aware that it is good practice to place all 'includes' in an include sub directory which generally is not protected. This will require moving multiple pages, which is no major issue. However, I wondered if there was something like a security setting fix for this issue due to it being a 401 error message.

Re: includes in sub directories of password protected directories

Posted: Fri Mar 10, 2017 9:31 am
by NigelRen
Rather than use the URL of the include file, can you put the actual file name in instead? Should be something like xyz/header.php.

Re: includes in sub directories of password protected directories

Posted: Fri Mar 10, 2017 9:41 am
by guvna
Have tried that and still get the authorization error message. Also I have multiple sites with 'includes' but they don't sit behind a protected directory so they are not an issue right now.

Re: includes in sub directories of password protected directories

Posted: Fri Mar 10, 2017 2:55 pm
by AdoptiveSolution
Do not use http urls to include files, use filepaths:

Code:

<?php
include "123/xyz/header.php";
?>
Or

Code:

<?php
include "../123/xyz/header.php";
?>
Directory passwords only work when you display webpages with a browser.

Re: includes in sub directories of password protected directories

Posted: Tue Mar 14, 2017 4:35 am
by guvna
ok thanks. This works but only with server path, not with site path. So this leads to another issue, I use Dreamweaver for websites and with site paths any changes I make will automatically update affected pages. The server path include paths are not automatically updated by Dreamweaver.

I'm thinking I can overcome this by declaring a serverpath variable for each site so when I have updates, such as a new server, I can just update the serverpath variable. I'll research this and make a new post if necessary.

Re: includes in sub directories of password protected directories

Posted: Tue Mar 14, 2017 5:11 am
by chorn
what you are creating is a remote code execution vulnerability. not only you may lose control over the other servers - your connection is not even encrypted with TLS due to the http-url, so any man in the middle can manipulate your source code.

Re: includes in sub directories of password protected directories

Posted: Tue Mar 14, 2017 10:23 am
by guvna
response to chorn post:
Is your warning relative to the using of http full path in includes, to using server path, or both?

Re: includes in sub directories of password protected directories

Posted: Tue Mar 14, 2017 10:40 pm
by chorn
the vulnerability applies whenever you include (=execute) remote code, especially when it comes from un-encrypted http.
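
Added example, not part of any post in this thread: one way to combine the "serverpath variable" idea with the warning about remote includes. The function name safe_include(), the $siteRoot variable and the temporary sample site are assumptions made for illustration; only the 123/xyz/header.php layout comes from the thread.

```php
<?php
// Added example, not code from the thread. safe_include() and $siteRoot are
// hypothetical names; the 123/xyz/header.php layout mirrors the thread.

function safe_include(string $siteRoot, string $relative): void
{
    // Refuse anything that carries a scheme: http://, ftp://, php://, data: ...
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $relative)) {
        throw new InvalidArgumentException("URL/wrapper refused: $relative");
    }

    // realpath() resolves ".." and symlinks and returns false if the file is missing.
    $root = realpath($siteRoot);
    $path = ($root === false) ? false : realpath($root . DIRECTORY_SEPARATOR . $relative);

    // The resolved file must exist and must sit inside the site root.
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Missing or outside site root: $relative");
    }

    // Read straight from disk: no HTTP request is made, so the directory's
    // password prompt (the 401 in the thread) never comes into play.
    require $path;
}

// Constructed sample site in a temp directory so the example runs offline.
// On a real site, $siteRoot would be set once (for example to __DIR__ of a
// config file) and changed in that one place when the server path changes.
$siteRoot = sys_get_temp_dir() . '/abc_demo_' . getmypid();
mkdir("$siteRoot/123/xyz", 0700, true);
file_put_contents("$siteRoot/123/xyz/header.php", '<?php echo "header loaded\n";');

// Filesystem path relative to the site root: accepted.
safe_include($siteRoot, '123/xyz/header.php');

// The URL form from the first post and a path leaving the root: both refused.
foreach (['http://www.abc.com/123/xyz/header.php', '../outside.php'] as $bad) {
    try {
        safe_include($siteRoot, $bad);
    } catch (Exception $e) {
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```

Setting allow_url_include = Off in php.ini makes PHP itself refuse URL includes server-wide, independent of any helper like this one.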