A web application keeps a large amount of sensitive data on the server: database login credentials, source code, configuration and so on. This data is normally not meant to be reachable by the end user, yet the application needs it in order to run, and anything the application can read is, by definition, stored somewhere the web server can reach. That is the inherent danger: a small configuration mistake turns "readable by the application" into "readable by anyone with a browser". Below is one common example of such data being exposed.

MySQL Credentials


MySQL connection details are usually kept in a separate file from the rest of the application logic, mainly for convenience, and pulled in with include() or require(). In this example the developer has opted to store the server details in a separate .inc file containing the following (mysql_connect(), used here, was removed in PHP 7, but the exposure is identical with mysqli or PDO):
<?php
$user = 'username';
$pass = 'Passw0rd';
$host = 'localhost';
mysql_connect($host, $user, $pass) or die(mysql_error());
?>

With the details above an attacker can log in to your MySQL server with exactly the privileges your application has, which in practice usually means reading and modifying every table the application uses. The credentials have to live somewhere the application can read them, so their presence on the server is unavoidable; what matters is whether the web server will hand the file to a browser. Apache has no handler mapped to the .inc extension, so mod_php never executes the file. It is served as a static file, and because no MIME type is registered for .inc it falls back to DefaultType, which on Apache 2.2 is text/plain. This is the real concern: if the file sits under the document root, anyone who requests it sees its entire contents in plain text. For example, if the file was stored in /www/inc/ and /www is the document root, a user visiting the corresponding URL will see the MySQL login credentials verbatim.


There are a number of very simple solutions to this problem. The first and most obvious is to move the file out of the document root. As long as the web server process has read permission on the file, include() and require() work exactly as before, since they read from the filesystem rather than over HTTP. Best practice is to keep every file that is not meant to be requested directly via a URI outside the document root: every file within that directory has a URL and is therefore accessible unless the server is explicitly configured otherwise.

The second, and easier, solution is to change the extension to .php. Because the file then contains nothing but PHP code, Apache executes it on request and the browser receives an empty response rather than the source. This is weaker than the first suggestion for the reason given there: the file still has a URL. Anything that stops PHP from executing it, such as a misconfigured or disabled PHP handler, a source-disclosure bug, or a stray editor backup or copy of the file with a different extension (config.php~, config.php.bak) left beside it, exposes the credentials again. It fixes the symptom, not the underlying problem.

If for whatever reason you are prevented from using the first solution, you can configure the server to reject requests for these files. Any request for a file with the .inc extension can safely be denied, since such files are only ever used from within other scripts and never requested directly. An example for Apache, using FilesMatch because the pattern is a regular expression (the original used the invalid form <Files + "\.inc$">), with both the 2.2 and the 2.4 access-control syntax:

<FilesMatch "\.inc$">
    # Apache 2.2 (mod_access_compat on 2.4)
    Order allow,deny
    Deny from all
    # Apache 2.4 and later: use this instead of the two lines above
    # Require all denied
</FilesMatch>

Put this in the main server configuration or, if .htaccess files are allowed for the directory, in an .htaccess file. After changing it, request the file from outside and confirm you receive a 403 rather than the source.
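Whichever of the three fixes you choose, it is worth auditing the document root for files the server would serve verbatim. The following POSIX shell script is an added example, not code from the original article: it lists files under a document root with extensions that Apache will not hand to the PHP handler, then narrows the list to those that look like they hold database credentials. The extension list goes beyond the article's .inc to common backup and dump suffixes, and the demo tree, file names and credential patterns are constructed for the example; adjust both lists for your own site.

```shell
#!/bin/sh
# Added example (not from the original article): audit a document root for
# files Apache would serve as plain text rather than execute.

# List, sorted, every file under $1 whose extension is not executed by the
# PHP handler and therefore would be sent verbatim if it sits under the
# document root. The extension list is an assumption that extends the
# article's .inc with common backup and dump suffixes.
find_plaintext_includes() {
    find "$1" -type f \( -name '*.inc' -o -name '*.bak' -o -name '*.old' \
        -o -name '*.orig' -o -name '*~' -o -name '*.sql' \) | LC_ALL=C sort
}

# Narrow that list to files containing a MySQL connect call or a variable
# that looks like a password (constructed patterns; extend as needed).
find_credential_files() {
    find_plaintext_includes "$1" | while IFS= read -r f; do
        if grep -qE 'mysqli?_connect\(|\$(pass|password|db_pass)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed document root so the script runs stand-alone and
# print its path. Contents mirror the article's scenario: a .inc with the
# credentials, a harmless helper .inc, and a forgotten backup copy.
make_demo_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/inc" "$d/backup"
    cat > "$d/index.php" <<'EOF'
<?php require __DIR__ . '/inc/db.inc'; echo 'hello'; ?>
EOF
    cat > "$d/inc/db.inc" <<'EOF'
<?php
$user = 'username';
$pass = 'Passw0rd';
$host = 'localhost';
mysql_connect($host, $user, $pass) or die(mysql_error());
?>
EOF
    cat > "$d/inc/functions.inc" <<'EOF'
<?php function esc($s) { return htmlspecialchars($s); } ?>
EOF
    cat > "$d/backup/config.php.bak" <<'EOF'
<?php $db_pass = 'old-secret'; ?>
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo: set DOCROOT to audit a real tree, otherwise use the
# constructed one above and remove it afterwards.
root="${DOCROOT:-$(make_demo_docroot)}"
echo "Files Apache would serve verbatim under $root:"
find_plaintext_includes "$root"
echo "...of which these appear to contain database credentials:"
find_credential_files "$root"
if [ -z "$DOCROOT" ]; then rm -rf "$root"; fi
```

Run it as DOCROOT=/www sh audit.sh on the server itself; every path it prints is a candidate for moving out of the document root or for a FilesMatch deny rule, and the credential list is the set to rotate if the files were ever reachable.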