Posted by Richard Lynch on 10/04/62 11:05

> On Jan 10, 2005, at 12:49 PM, Jason Morehouse wrote:
>
>> Hello. I'm not sure if this is an apache problem or php... but
>> wondering if anyone has come across the same problem.
>>
>> -rw------- 1 root root test.html
>> -rw------- 1 root root test.php
>>
>> Trying to access test.html via a browser servers up the apache 403
>> error page. The test.php however produces:
>>
>> Warning: Unknown: failed to open stream: Permission denied in Unknown
>> on line 0 Warning: Unknown: Failed opening '/www/test.php' for
>> inclusion (include_path='.:/www/php') in Unknown on line 0

Ahhhh! Now we see the question! Why doesn't it yield 403 like it "should"

First and foremost, use php.ini or httpd.conf or .htaccess to *NOT* let
PHP send error messages OF ANY KIND to the browser on a production site.

[You could also use ini_set within a script if the file in question is to
be include'd into other files.]

You should do this anyway.

Admittedly, your server still behaves not quite like you want, as *.html
yields a 403 response, and *.php yields a 200 response, and a page of no
content. But at least the Bad Guys don't see your server internals.

I don't think there's any way you can configure Apache to pre-empt the PHP
trying to read the file -- though I presume Apache *could* be altered to
behave that way... Except it would be rather difficult for Apache to
'know' a priori what User PHP runs as, given suexec, CGI setups, etc...

Depending on your application, you might be able to "wrap" all the access
to files through a known good PHP file, and then use PHP error handling
(http://php.net/set_error_handler) to determine if this error occurred,
and then send a 403 header.

Probably an Apache list would be better suited to knowing for sure any way
around this... You could maybe tweak the PHP source to detect this
condition and send 403 instead of trying to include() the file, which is
what it seems to be doing.

--
Like Music?
http://l-i-e.com/artists.htm

[Back to original message]