hack protection

zzz

I noticed that someone was trying to get site info by modifying site URL by appending

/page.php../../../../../../../../../../../../../../../etc/passwd

I tried and got some server info. None of it is vital, but I'd like to be able to hide that too. Is there a way to stop this sort of attacks?

Perhaps I can evaluate URL request and if it contains ../../ redirect somewhere. Maybe I can do something via .htaccess file?

zzz

OK, perhaps not 100% bullet-proof, but here what I came up with:

if (ereg("../",$_SERVER['QUERY_STRING'])) {
	// go to hell hackers!
}

dagon

store anything vital outside the web root then it can never be accessed from outside, don't load a page in a php script buy making it part of the url (which looks to be the issue in this case).

zzz

Nothing is in the URL. That was a hacker's attempt to drill down.

dagon

well unless page.php does something with the line "../../" then nothing is ever going to happen