Bob Crabb

Error Log File In Public Html?


I just noticed on one of my sites that there was an error log file in the public_html directory. I submitted a ticket, asking that it be placed up one level so that this information would not be publicly accessible, and was told that this was the way the server was configured to write the file into that directory.

 

Thinking that this might have been a mistake in the way that the server was configured in the last php upgrade, I went to another site on a different server, edited a script to force an error, and saw that the error log file on that server was also put into the public html directory.

 

Isn't this a potential security risk since a nice summary of error messages can give information about the script structure to a potential hacker? Shouldn't this file be written into a directory that is at least one level up from public_html?


There should be no information in the error file that would pose a security risk. And someone would have to know the URL to the error file to see it.


It is possible to disable error reporting on shared server accounts by creating a php.ini inside /home/user and adding the lines:

 

display_errors = Off
display_startup_errors = Off
log_errors = Off

 

 

And add the following line to /home/user/.htaccess:

 

suPHP_ConfigPath /home/user

 

Note: be sure to replace "user" with the correct cPanel user name.


Three possible ways to deal with this:

 

1) No error logging (as per TCH-Alex's instructions).

 

2) Error log in /public_html/ where it is now, but protected from web access.

Add to .htaccess:

 

# In place of error.log, use whatever is the actual name of your error log.
<Files error.log>
order allow,deny
deny from all
</Files>

 

3) Error log in a custom location:

First create the desired folder.

Then add to /public_html/php.ini (again using the real file name instead of error.log):

 

error_log = /home/USERID/public_html/path/to/error.log

 

The example shows where public_html belongs in the path, but you could truncate the path to put the file outside public_html.

 

If, on the other hand, you put the log file in its own folder that is within public_html, you can protect that whole folder from web access:

Create an .htaccess in that folder, and put this code in it:

 

order allow,deny
deny from all

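An added example, not part of the original posts or the host's tooling: a Python check that walks a document root and lists PHP error logs that no inherited .htaccess rule denies, covering both the `<Files>` rule and the locked-folder variant described above. The log file names, function names and sample tree are assumptions constructed for illustration; it recognises only `deny from all` and the Apache 2.4 form `Require all denied`, and assumes the server honours .htaccess files.

```python
import fnmatch, pathlib, re, tempfile

DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
OPEN = re.compile(r"^\s*<Files(?:Match)?\s+(.*?)\s*>\s*$", re.I)
CLOSE = re.compile(r"^\s*</Files(?:Match)?>", re.I)

def denies(htaccess, filename):
    """True if this .htaccess denies the whole folder or `filename` via <Files>."""
    scope = None  # None: folder-wide; otherwise the current <Files> pattern
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if (m := OPEN.match(line)):
                # Regex forms (<FilesMatch>, <Files ~ ...>) are not evaluated,
                # so they never count as protection: the check fails safe.
                scope = m.group(1).strip('"')
            elif CLOSE.match(line):
                scope = None
            elif DENY.match(line) and (scope is None or fnmatch.fnmatch(filename, scope)):
                return True
    return False

def exposed_logs(docroot, names=("error_log", "error.log")):
    """Logs under docroot that no .htaccess between them and docroot denies."""
    root, found = pathlib.Path(docroot).resolve(), []
    for log in (p for p in root.rglob("*") if p.name in names and p.is_file()):
        # .htaccess rules are inherited, so check every folder up to docroot.
        folders = [d for d in log.parents if d == root or root in d.parents]
        if not any((d / ".htaccess").is_file() and denies(d / ".htaccess", log.name)
                   for d in folders):
            found.append(log.relative_to(root).as_posix())
    return sorted(found)

def demo():
    """Constructed sample tree: bare logs, one <Files> rule, one locked folder."""
    root = tempfile.mkdtemp()
    tree = {
        "error_log": "PHP Warning: constructed sample line\n",
        "app/.htaccess": "<Files error.log>\norder allow,deny\ndeny from all\n</Files>\n",
        "app/error.log": "x\n", "app/sub/error.log": "x\n", "app/error_log": "x\n",
        "logs/.htaccess": "order allow,deny\ndeny from all\n", "logs/error.log": "x\n",
    }
    for rel, body in tree.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return exposed_logs(root)

if __name__ == "__main__":
    print(demo())
```

In the sample tree, `app/error_log` is reported because the `<Files error.log>` rule names a different file, which is why the thread stresses using the log's actual name.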

Thanks everyone for the replies and suggestions. I like having the log available to me since ultimately I want to correct whatever condition triggered the errors, but I still think that it would have been a cleaner implementation to place it somewhere other than the public_html root directory. But, since the servers are set up that way, I think what I will do is follow Steve's suggestion of protecting it from access via .htaccess.

 

Thanks again,

Bob
