.inc Extension

Anon

Lately I came across a question about using .inc extension for the parts to be included in other .php files.

Curiously, I tried to enter the .inc file name in the browser location. I was quite shocked that I would see all the codes in that .inc file as texts. I've been using .inc extension since I learned PHP (dunno why but I think it's a convention) and I never realized this security problem.

Does anyone have any thoughts regarding this? I'm changing every .inc to .php now.

Anon

Well there are a couple options here. One is that you can rename all your .inc to .php as you say. The other is to have your webserver parse the .inc extensions as php files (if you have access to do that). Yet another option is to put all of your .inc files OUTSIDE of your document root, that way you can't do a http://my.server/myfile.inc and actually get to a file.

I prefer the latter option, but you can do what suits your needs.

Be glad you caught this now and not later when it might hurt 🙂

Tim Frank

Anon

Isn't there a way to tell Apache not to return the contents of .inc file anyway?

Anon

Yep, you could set that up similarly to the way it handles .htaccess files so it won't ever actually display the files... yet another possible option 🙂

Tim Frank

Anon

so~
could someone teach me how to let the Apache server know the inc file?
we need to edit the httpd.conf??
thank~

Anon

Try to create .htaccess in your directory, and put the following lines in it:

<Files somefile.inc>
Order Deny,Allow
Deny From All
</Files>

That prevents file somefile.inc to be viewed directly by browser.

Hope this helps,
Luck,
Boris

Anon

Look for a line like

AddType application/x-httpd-php .php

in your httpd.conf and tack on .inc to the end of it like

AddType application/x-httpd-php .php .inc

restart your webserver and Apache will now parse .inc files.

BE AWARE that if someone types the path to one of those files and it spits out any errors that could still lead to information being leaked.

I suggest putting them outside the web tree or instead stopping apache from allowing anyone to view them. See the post by ZBoris and check your httpd.conf for how .htaccess files are denied viewing globally.

Tim Frank

Anon

I had an application show up on securityfocus because I had the database connection info in a .inc

Now I try to only use .php. I also put a index.php in the include directory that contains the mail() so if someone tries to access that dir. I get notified..
http://pccs-linux.com/phplinux/php_part13.html for example...

To be safe move away from .inc to .inc.php