Posted

I just noticed on one of my sites that there was an error log file in the public_html directory. I submitted a ticket, asking that it be placed up one level so that this information would not be publicly accessible, and was told that this was the way the server was configured to write the file into that directory.

 

Thinking that this might have been a mistake in the way that the server was configured in the last php upgrade, I went to another site on a different server, edited a script to force an error, and saw that the error log file on that server was also put into the public html directory.

 

Isn't this a potential security risk since a nice summary of error messages can give information about the script structure to a potential hacker? Shouldn't this file be written into a directory that is at least one level up from public_html?

Posted

It is possible to disable the error reporting on shared server accounts by creating a php.ini inside /home/user and adding the lines

 

>
display_errors = Off
display_startup_errors = Off
log_errors = Off

 

 

And add the following line to /home/user/.htaccess

 

>
suPHP_ConfigPath /home/user

 

Note: be sure to replace "user" with the correct cPanel user name.

Posted

Three possible ways to deal with this:

 

1) No error logging (as per TCH-Alex's instructions).

 

2) Error log in /public_html/ where it is now, but protected from web access.

Add to .htaccess:

 

>
# In place of error.log, use whatever is the actual name of your error log.
<Files error.log>
order allow,deny
deny from all
</Files>

 

3) Error log in a custom location:

First create the desired folder.

Then add to /public_html/php.ini (again using the real file name instead of error.log):

 

>
error_log = /home/USERID/public_html/path/to/error.log

 

The example shows where public_html belongs in the path, but you could truncate the path to put the file outside public_html.

 

If, on the other hand, you put the log file in its own folder that is within public_html, you can protect that whole folder from web access:

Create an .htaccess in that folder, and put this code in it:

 

>
order allow,deny
deny from all
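
One way to check the result of options 2 and 3 above, added here as an example and not code from this thread: a Python sketch that walks a document root, finds files that look like PHP error logs, and lists those that no .htaccess deny rule covers. The log-name pattern, the function names and the sample tree are assumptions; it reads only .htaccess files, so server-level settings such as AllowOverride are not taken into account.

```python
import re, tempfile
from pathlib import Path

LOG_NAME = re.compile(r"^error_log$|\.log$", re.I)  # assumed log file naming
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
FILES_OPEN = re.compile(r'^\s*<Files\s+"?([^">]+)"?\s*>', re.I)

def deny_rules(htaccess):
    """Return (blanket_deny, names denied inside <Files> blocks) for one .htaccess."""
    blanket, names, current = False, set(), None
    text = htaccess.read_text(errors="replace") if htaccess.is_file() else ""
    for line in text.splitlines():
        m = FILES_OPEN.match(line)
        if m:
            current = m.group(1).strip()      # entering <Files name>
        elif line.strip().lower() == "</files>":
            current = None
        elif DENY.match(line) and current is None:
            blanket = True                    # deny for the whole folder
        elif DENY.match(line):
            names.add(current)                # deny for one file name
    return blanket, names

def is_protected(docroot, path):
    """Check the file's folder and each parent up to docroot for a deny rule."""
    for folder in path.parents:
        blanket, names = deny_rules(folder / ".htaccess")
        if blanket or path.name in names:
            return True
        if folder == docroot:
            break
    return False

def exposed_logs(docroot):
    """Log files under docroot that no .htaccess deny rule covers."""
    docroot = Path(docroot).resolve()
    return sorted(str(p.relative_to(docroot)) for p in docroot.rglob("*")
                  if p.is_file() and LOG_NAME.search(p.name)
                  and not is_protected(docroot, p))

def demo():
    """Constructed sample tree: two protected logs and one exposed log."""
    tree = {"error.log": "x", "logs/php.log": "x", "app/error_log": "x",
            ".htaccess": "<Files error.log>\norder allow,deny\ndeny from all\n</Files>\n",
            "logs/.htaccess": "order allow,deny\ndeny from all\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in tree.items():
            (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(root) / rel).write_text(body)
        return exposed_logs(root)
```

Run `exposed_logs("/home/USERID/public_html")` against a local copy of the site; an empty list means every matching log sits under a deny rule, and fetching the log URL in a browser remains the final confirmation.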

Posted

Thanks everyone for the replies and suggestions. I like having the log available to me since ultimately I want to correct whatever condition triggered the errors, but I still think that it would have been a cleaner implementation to place it somewhere other than the public_html root directory. But, since the servers are set up that way, I think what I will do is follow Steve's suggestion of protecting it from access via .htaccess.

 

Thanks again,

Bob
