PHP Security Tip #4

“Security through obscurity is no security at all,” so the adage goes. The flip side of that coin, though, is that obscurity, used as one layer of an overall strategy, is a good thing: there is no sense in making things any easier for those with malicious intent. That brings us to our security tip for the day.

Give files and folders with critical information non-default names.

Don’t rely on obscure names to keep your application safe. You should still check file permissions, test for vulnerabilities with scanning tools and keep an eye on your log files for suspicious activity. When designing your applications and web sites, though, don’t make it easy for bad people to do bad things: don’t use default or common names for the files and directories that hold critical information, because those defaults are exactly what automated scanners request first.
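The log-watching half of that advice, as an added example that is not part of the original post: a PHP command-line script that scans Apache combined-format access log lines for requests to commonly probed default paths and reports which clients hit several of them in one visit. The path list, the threshold and the sample log lines are constructed for this example (PHP 7.1 or later); pass a real log file as the first argument to run it against your own server.

```php
<?php
// Added example, not code from the original post. Scans an Apache
// combined-format access log for requests to commonly probed default
// paths and reports the clients that probe more than one of them.

// Paths that scanners and worms request because they are defaults
// (assumed list for illustration; extend it with your own observations).
$probedPaths = [
    '/admin/', '/admin.php', '/administrator/', '/phpmyadmin/',
    '/config.php', '/config.inc.php', '/.htpasswd', '/passwd',
    '/private/', '/protected/', '/setup.php', '/install.php',
];

// Constructed sample log lines in combined log format, not a real log.
$sampleLog = <<<'LOG'
203.0.113.10 - - [06/Mar/2007:14:46:01 +0000] "GET / HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Mar/2007:14:46:03 +0000] "GET /about.php HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2007:14:50:10 +0000] "GET /admin/ HTTP/1.0" 404 281 "-" "libwww-perl/5.805"
198.51.100.7 - - [06/Mar/2007:14:50:10 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 281 "-" "libwww-perl/5.805"
198.51.100.7 - - [06/Mar/2007:14:50:11 +0000] "GET /config.php?x=1 HTTP/1.0" 404 281 "-" "libwww-perl/5.805"
198.51.100.7 - - [06/Mar/2007:14:50:11 +0000] "GET /.htpasswd HTTP/1.0" 403 213 "-" "libwww-perl/5.805"
192.0.2.44 - - [06/Mar/2007:15:02:33 +0000] "GET /Admin.php HTTP/1.1" 404 281 "-" "Mozilla/4.0"
LOG;

/**
 * Parse one combined-format line into ip/method/path/status,
 * or return null if the line does not match the format.
 */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int) $m[4]];
}

/**
 * Return, per client IP, the list of probed default paths it requested.
 * Matching ignores case and the query string, since scanners vary both,
 * and ignores the status code: a 403 on /.htpasswd is still a probe.
 */
function findProbes(string $log, array $probedPaths): array
{
    $lookup = array_fill_keys(array_map('strtolower', $probedPaths), true);
    $hits = [];
    foreach (explode("\n", $log) as $line) {
        $rec = parseLogLine($line);
        if ($rec === null) {
            continue;
        }
        $path = strtolower(strtok($rec['path'], '?'));
        if (isset($lookup[$path])) {
            $hits[$rec['ip']][$path] = true;
        }
    }
    // array_map with a single array keeps the IP keys.
    return array_map('array_keys', $hits);
}

// One request to /admin/ may be a lost user; several distinct default paths
// from one client is a scanner. The threshold of 2 is an assumption.
$threshold = 2;
$log = $argc > 1 ? file_get_contents($argv[1]) : $sampleLog;

foreach (findProbes($log, $probedPaths) as $ip => $paths) {
    $flag = count($paths) >= $threshold ? 'SCANNER' : 'single probe';
    printf("%-15s %-13s %s\n", $ip, $flag, implode(', ', $paths));
}
```

On the constructed sample this reports 198.51.100.7 as a scanner (four default paths in two seconds) and 192.0.2.44 as a single probe; with the tip applied, every one of those requests lands on a path that does not exist on your server, which is precisely why they stand out in the log.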

Do you have a security tip you would like to share? A nugget of security truth you have gleaned through research or life’s school of hard knocks? Log in and click the contribute button in the upper right hand corner.

=C=

Published: March 6th, 2007 at 2:46
Categories: Uncategorized

7 comments to “PHP Security Tip #4”

_____anonymous_____
March 7th, 2007 at 3:10 pm

Would a common name be:

admin
password
private
protected

What else might come to mind?

J

The two that come to mind for me are:

.htpasswd

passwd

Even putting them outside of your Apache root I wouldn’t use them.

=C=

_____anonymous_____
March 9th, 2007 at 4:34 pm

"config" or any of its variants seems like something to avoid.

Of course, everybody should always try to keep the PHP scripts outside of the web server’s root. This is, however, not always possible.

I regularly give the PHP directory names like
* Luxmox45
* Padega23
and so on (I actually get them from a password generator script). Surely, nobody can guess these…

In addition, all these directories contain a very simple ‘index.php’ file which just sets a 404 error code (using the header command) and some text output that looks as if it came from the web server. So just *in case* somebody tried to find out where the goodies are hidden…

Any other ideas?

/sascha
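The decoy index.php sascha describes, written out as an added example (not sascha's code) for a randomly named include directory such as /Luxmox45/ in the comment above. The body is modelled on Apache 2.2's built-in 404 page, the server of that era; the directory name and the log message are assumptions. Anything that reaches this file was requested directly, which no legitimate page ever does, so it logs the probe before answering.

```php
<?php
// Added example, not sascha's code: index.php for a randomly named include
// directory. Answers with a 404 that looks like Apache's own and records the
// probe. Directory name and the Apache 2.2-style body are assumptions.

// 1. Record the probe so a log review has something to find.
//    error_log() goes to the web server's error log unless php.ini redirects it.
$client = $_SERVER['REMOTE_ADDR'] ?? '-';
$uri    = $_SERVER['REQUEST_URI'] ?? '/';
error_log(sprintf('decoy 404: %s requested %s', $client, $uri));

// 2. Status line. Apache echoes the client's protocol version; do the same
//    rather than hard-coding HTTP/1.0.
$proto = $_SERVER['SERVER_PROTOCOL'] ?? 'HTTP/1.0';
header("$proto 404 Not Found");

// 3. Headers. PHP appends "X-Powered-By: PHP/x.y.z" when expose_php=On in
//    php.ini; a genuine Apache 404 carries no such header, so drop it
//    (header_remove() needs PHP 5.3+). The Server: header is added by Apache
//    itself, so it already matches the real thing.
header_remove('X-Powered-By');
header('Content-Type: text/html; charset=iso-8859-1');

// 4. Body. Apache sets SERVER_SIGNATURE to its "<address>...</address>" line
//    when ServerSignature is On and to "" when it is Off; reusing it keeps the
//    decoy consistent with the server's genuine error pages instead of
//    guessing a version string.
$safeUri   = htmlspecialchars($uri, ENT_QUOTES, 'ISO-8859-1');
$signature = $_SERVER['SERVER_SIGNATURE'] ?? '';
$footer    = $signature !== '' ? "<hr>\n$signature" : '';

echo <<<HTML
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL $safeUri was not found on this server.</p>
$footer
</body></html>

HTML;
exit;
```

Before relying on it, fetch both the decoy and a genuinely nonexistent path on the same host with `curl -i` and compare the two responses byte for byte: any difference in headers, Content-Length or body is the tell a fingerprinting scanner would key on, and the decoy is only as good as that comparison.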

I am not a big fan of security through obscurity, but with web applications, I found a nice benefit.

Web app worms and scanning tools often look for specific versions, paths and files.

For example, I recently saw a worm targeted against a program. The scanner would look for a specific text string and then attempt an XSS exploit. If you had either hidden the version string or used a non-default include directory, the scanner would have skipped your site and just moved on to the next one.