Security risk to auto_prepend_file in Apache?

Question

I've implemented a PHP auto_prepend_file in Apache's httpd.conf file to password protect every page on the server. Let's assume the the prepended file is properly coded and secured. Are there any serious security risks to using an auto_prepend_file method? I'm worried this opens up some sort of cross scripting attack or access can spoofed. Thanks for the help :)

In httpd.conf:

php_value auto_prepend_file "path/to/application/auth/include/secure.inc"

Answer 1

My apache log shows attempts to access my server like this one (IP masked):

??.??.??.?? - - [10/Sep/2012:05:16:29 +0200] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../ ../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../ ../../../../../../../../../../../etc/passwd%00%20-n HTTP/1.1" 301 895 "-" "Mozilla/5.0"

This is a clear indication that hackers are using auto_prepend_file and allow_url_include.

Answer 2

As long as your script die() s properly if the user is not authenticated (also after header() redirects, very important!) there is no fundamental problem I can see with this.

The manual doesn't give much reason to worry either (emphasis mine):

The file is included as if it was called with the require() function, so include_path is used.

just be careful to always use an absolute path to avoid glitches with relative paths.

The only attack that I can think of is injecting a .htaccess file somewhere underneath the directory root that cancels the INI setting by setting

php_value auto_prepend_file none

so you should be careful not to accept file names for uploaded files from the user without filtering, for example.