Bob Crabb Posted September 11, 2010

I just noticed on one of my sites that there was an error log file in the public_html directory. I submitted a ticket, asking that it be placed up one level so that this information would not be publicly accessible, and was told that this was the way the server was configured to write the file into that directory.

Thinking that this might have been a mistake in the way that the server was configured in the last PHP upgrade, I went to another site on a different server, edited a script to force an error, and saw that the error log file on that server was also put into the public_html directory.

Isn't this a potential security risk, since a nice summary of error messages can give information about the script structure to a potential hacker? Shouldn't this file be written into a directory that is at least one level up from public_html?
TCH-Bruce Posted September 11, 2010

There should be no information in the error file that would pose a security risk. And someone would have to know the URL to the error file to see it.
TCH-Alex Posted September 12, 2010

It is possible to disable error reporting on shared server accounts by creating a php.ini inside /home/user and adding the lines:

    display_errors = Off
    display_startup_errors = Off
    log_errors = Off

and adding the following line to /home/user/.htaccess:

    suPHP_ConfigPath /home/user

Note: be sure to change "user" to the correct cPanel user name.
SteveW Posted September 17, 2010

Three possible ways to deal with this:

1) No error logging (as per TCH-Alex's instructions).

2) Error log in /public_html/ where it is now, but protected from web access. Add to .htaccess:

    # In place of error.log, use whatever is the actual name of your error log.
    <Files error.log>
    order allow,deny
    deny from all
    </Files>

3) Error log in a custom location: first create the desired folder, then add to /public_html/php.ini (again using the real file name instead of error.log):

    error_log = /home/USERID/public_html/path/to/error.log

The example shows where public_html belongs in the path, but you could truncate the path to put the file outside public_html. If, on the other hand, you put the log file in its own folder that is within public_html, you can protect that whole folder from web access: create an .htaccess in that folder and put this code in it:

    order allow,deny
    deny from all
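As an added example (not from the thread), a POSIX shell audit that walks a document root and reports log files that no .htaccess protects, covering both SteveW's per-file <Files> block and the per-folder deny; it also accepts Apache 2.4's Require all denied, since the order/deny directives quoted above are the 2.2 syntax and need mod_access_compat on 2.4. The log names (error_log, *.log) and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a document root for PHP error
# logs that the web server would serve. A log counts as protected only if an
# .htaccess in its own directory or an ancestor (up to the document root)
# denies access, either directory-wide or in a <Files> block naming the log.
# Both the Apache 2.2 "deny from all" form used in the thread and the 2.4
# "Require all denied" form are recognised. Log names are an assumption.

# htaccess_denies HTACCESS LOGNAME -> exit 0 if HTACCESS denies LOGNAME.
htaccess_denies() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { l = tolower($0) }
        l ~ /^[[:space:]]*<files/   { infiles = 1; named = index(l, name) > 0 }
        l ~ /^[[:space:]]*<\/files>/ { infiles = 0 }
        l ~ /deny from all|require all denied/ {
            if (infiles) { if (named) file_deny = 1 } else dir_deny = 1
        }
        END { exit !(dir_deny || file_deny) }
    ' "$1"
}

# log_protected DOCROOT LOGFILE -> exit 0 if some .htaccess between the log's
# directory and DOCROOT denies web access to it.
log_protected() {
    docroot=$1
    name=$(basename "$2")
    dir=$(dirname "$2")
    while :; do
        if [ -f "$dir/.htaccess" ] && htaccess_denies "$dir/.htaccess" "$name"; then
            return 0
        fi
        [ "$dir" = "$docroot" ] && return 1
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && return 1   # hit the filesystem root
        dir=$parent
    done
}

# find_exposed_logs DOCROOT -> prints one "EXPOSED: path" line per unprotected
# log (error_log and *.log, the usual cPanel/PHP names; adjust for your host).
find_exposed_logs() {
    find "$1" -type f \( -name error_log -o -name '*.log' \) |
    while IFS= read -r f; do
        log_protected "$1" "$f" || printf 'EXPOSED: %s\n' "$f"
    done
}
```

Run it as `find_exposed_logs /home/USERID/public_html`; an empty result means every log found is covered by a deny rule, not that the rules are loaded (AllowOverride must permit .htaccess on the host).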
Bob Crabb (Author) Posted September 19, 2010

Thanks everyone for the replies and suggestions. I like having the log available to me since ultimately I want to correct whatever condition triggered the errors, but I still think that it would have been a cleaner implementation to place it somewhere other than the public_html root directory. But, since the servers are set up that way, I think what I will do is follow Steve's suggestion of protecting it from access via .htaccess.

Thanks again,
Bob