help with blocking "../" (like you use in html)

john alabama

Verified User
Joined
Jul 31, 2005
Messages
9
Hello, I'm trying to make something with PHP, and my question is whether there is a way to disable the "../" (that gets you a pass to the upper directory) with the panel? .htaccess? Anything...
Thanks for the help.

One more thing... if someone can tell me what you call this "../"
in professional language.
 
squirrelhost said:
' directory traversal '

mod_security can block requests
attempting such, could use that
or google for more info

Can I do this without having my own server? ... With .htaccess or something? And do this on a specific directory so that you could not access it with the "directory traversal"?
 
squirrelhost said:
in a well-configured system, you'd not
be able to read files outside your own
web document directory.

i.e

http://www.blogs.com

is fine but,

http://www.blogs.com/../mail/

would hopefully fail.

you could place an .htaccess file in

the /mail/ dir above, denying access to
all, or admitting a trusted user.

I think you didn't understand me. Let's say that I gave someone FTP access to a specific directory and I want that he can't go to the upper directory with his scripts... i.e.:

include "../index.php";

Let's say that I am in the public_html directory and he is in public_html/him.
I don't want him to be able to access my directory with "../".
 
if your domain is bloggs.com, username bloggs,

go to ftp management, create ftp account

select 'custom' path, and put

/home/bloggs/domains/bloggs.com/public_html/whatever

then when user logs in, he's in the 'whatever'
directory, and cannot move up directories.

and you would need an .htaccess file
in the upper directory, or manipulate permissions
on the directories, presumably so that a file
in your public dir can include what's in the subdir,
but not vice versa
 
squirrelhost said:
if your domain is bloggs.com, username bloggs,

go to ftp management, create ftp account

select 'custom' path, and put

/home/bloggs/domains/bloggs.com/public_html/whatever

then when user logs in, he's in the 'whatever'
directory, and cannot move up directories.

and you would need an .htaccess file
in the upper directory, or manipulate permissions
on the directories, presumably so that a file
in your public dir can include what's in the subdir,
but not vice versa

For some reason the panel/server doesn't create an .htaccess file for me in public_html as you said it will... :\
If you can tell me what to write... it would be super.
 
what do you wish the .htaccess file to permit ?

(or deny )


i just went to a user-level on a server,
clicked on
Password Protected Directories
then on
Find a Directory to Password Protect

then I went up a level,
and clicked the 'protect' link for
public_html . should work for you (?)
 
squirrelhost said:
what do you wish the .htaccess file to permit ?

(or deny )


i just went to a user-level on a server,
clicked on
Password Protected Directories
then on
Find a Directory to Password Protect

then I went up a level,
and clicked the 'protect' link for
public_html . should work for you (?)

No, I want to block a directory so that the script can't get files from the upper directory, but I want that both directories can be shown without a pass/something...
 
squirrelhost said:
would definitely be easier to get another
$1/month hosting account for your
friend ! maybe it's $1/year these
days for shared hosting ?

LOL..
It's for a script I'm developing... (details -> PM)
 
John,

the ../ directory is called "the parent directory" of your "current directory"..

For a website using http the ultimate parent directory (root directory) for a website on a DA server is defined as public_html. For a website using https the root directory for a website on a DA server is defined as private_html.

For ftp it's defined as whatever you set it up for.

On a DirectAdmin server neither http, https, or ftp protocols can move to, or see a file/directory originating above your root directory.

By default PHP uses safe_mode, and open_basedir is turned off, so PHP cannot access a file/directory originating above your root directory.

Perl programs can but are probably limited to those files being owned by the website user.

SSH logins can look at any directory/file on the server, depending on the login identity and directory/file rights/ownership.

What else are you asking?

Jeff
 
jlasman said:
John,

the ../ directory is called "the parent directory" of your "current directory"..

For a website using http the ultimate parent directory (root directory) for a website on a DA server is defined as public_html. For a website using https the root directory for a website on a DA server is defined as private_html.

For ftp it's defined as whatever you set it up for.

On a DirectAdmin server neither http, https, or ftp protocols can move to, or see a file/directory originating above your root directory.

By default PHP uses safe_mode, and open_basedir is turned off, so PHP cannot access a file/directory originating above your root directory.

Perl programs can but are probably limited to those files being owned by the website user.

SSH logins can look at any directory/file on the server, depending on the login identity and directory/file rights/ownership.

What else are you asking?

Jeff

First of all, 10x.
Now, I didn't understand this:
"By default PHP uses safe_mode, and open_basedir is turned off, so PHP cannot access a file/directory originating above your root directory."
Does this mean that I can block or can't? I would love to tell you about my project, and then maybe you will understand me well and vice versa.
 
It means you shouldn't have to, by default PHP should not be able to do what you're afraid of.

At least that's my understanding.

Please do not send me anything that would require a nondisclosure.

Please post anything here and, as time and resources permit, I will reply and/or comment.

Otherwise you can always contract with us and I'll have one of our PHP experts work for you.

Jeff
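
Added example (not part of any post in this thread): a PHP script that builds a constructed public_html/ and public_html/him/ layout in a temp directory, turns on an open_basedir restriction for the guest directory, and reports which includes PHP then refuses, including the `include "../index.php"` from the question. The directory names and the `try_include()` helper are assumptions made for illustration.

```php
<?php
// Constructed layout mirroring the thread: owner in public_html/, guest in public_html/him/.
$root     = sys_get_temp_dir() . '/open_basedir_demo_' . getmypid();
$guestDir = "$root/public_html/him";
mkdir($guestDir, 0755, true);
mkdir("$root/public_html/other");                        // a sibling directory
file_put_contents("$root/public_html/index.php", "<?php return 'owner file';");
file_put_contents("$root/public_html/other/page.php", "<?php return 'sibling file';");
file_put_contents("$guestDir/page.php", "<?php return 'guest file';");
// A symlink planted inside the guest directory that points at the owner's file.
symlink("$root/public_html/index.php", "$guestDir/link.php");

$guestDir = realpath($guestDir);                         // canonical path of the guest tree
chdir($guestDir);

// Confine file access for this process to the guest directory.
// ini_set() can only tighten open_basedir at runtime, never loosen it. On a shared host
// the administrator sets it where the guest cannot change it, for example with mod_php
// in the virtual host (path is a placeholder):
//   php_admin_value open_basedir "/path/to/public_html/him/"
ini_set('open_basedir', $guestDir . '/');

function try_include(string $path): string
{
    // include raises a warning and returns false when open_basedir rejects the path.
    $result = @include $path;
    return $result === false ? 'blocked' : "allowed ($result)";
}

$attempts = [
    './page.php',                       // inside the allowed tree
    '../index.php',                     // the include from the thread
    '../other/page.php',                // sibling directory
    "$root/public_html/index.php",      // absolute path to the owner's file
    './link.php',                       // symlink is resolved before the check
];
foreach ($attempts as $path) {
    printf("%-40s %s\n", $path, try_include($path));
}
// The temp files are left behind: once the restriction is set, this process can no
// longer reach (or delete) anything outside $guestDir.
```

Run it with the PHP command-line interpreter; only the first path should be reported as allowed.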
 