3

I understand that having anything sensitive under webroot is not smart; someone may be able to access it via url. However, I do not have a choice with my web host (iPage) as they limit my server space to just the web root.

So my question is: how risky is it to just have sensitive files in a directory in a webroot with just simple forbidden public access? My gut says no, and any insight on this topic would be greatly appreciated.

Edit: The 'sensitive files' are an installer for our startup's software and the php files that allow the download / control sql access.

ink
  • 33
  • 4
  • What do you mean by `forbidden public access`? That Directory browsing is disabled or that they can't access the file even if they know the URL (e.g. guessed at `www.example.com/file.zip`) due to `401 Unauthorized` HTTP response? – SilverlightFox Sep 14 '14 at 08:20

2 Answers2

4

An attacker is going to use forced browsing to try and find sensitive files. DirBuster is very useful in performing forced browsing attacks, and it commonly finds sensitive files on my penetration testing engagements. DirBuster comes with a very large list of common file and directory names. If it's not a common file-name, DirBuster probably won't find it.

Having sensitive files accessible anywhere on your web-server is dangerous, there needs to be some form of access control in place.

rook
  • 46,916
  • 10
  • 92
  • 181
3

This is hard to answer without knowing how sensitive your files are. Think about it like this: how much is this data worth to you? If your data is worth more than what it would cost to switch to a proper hosting service, then you should just do that. Given what you are saying, it probably is, and you probably should.

I don't know what kind of data this is, so it's difficult to speculate on ways to protect it. If it's a sensitive customer list, maybe it should live on a well protected database. If it's sensitive personal information, maybe it should be encrypted. I just don't know without knowing more.

There are various ways of keeping people out of designated spots in any place on the server. My first instinct is to write rules for your server to follow. I imagine what you are trying to do is protect the files via .htpasswd on Apache. If that's the case, just make sure to have proper lock out rules, so that folks can't dictionary attack the site in a reasonable amount of time. There are other methods as well, but I'd still need to know what you were trying to protect first.

Of course, if you are on hosting where you don't have root access to the server, then you most likely can't edit the server configuration files. Again, the answer tends toward: buy more professional hosting.

MrSynAckSter
  • 2,020
  • 10
  • 16
  • Thank you so much for your informative answer. I am trying to protect our installer for our software and the php scripts that allow the download of said software. The scripts will have information such as root account/password for the SQL server. The software itself is a 120MB .msi file. – ink Sep 12 '14 at 16:22
  • Then yes, my recommendation would be to purchase more professional web hosting, and if you are selling the software, a full suite of cart software. Having information like your SQL server password is a publicly accessible folder is just asking for trouble, even if it is "well protected" - spend more now, cry less later. – MrSynAckSter Sep 12 '14 at 16:26
  • Thank you baordog! Any recommendation on a web host that you like would also be appreciated.. I was looking at bluehost and liked what I saw so far – ink Sep 12 '14 at 16:28
  • I'm not sure we're allowed to make vendor suggestions on here. Mods delete this comment if that's true. Try Amazon, or Digital Ocean. – MrSynAckSter Sep 12 '14 at 16:30