The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Does the public_html/error_log file pose any security issues?

Discussion in 'Security' started by wert, May 12, 2016.

  1. wert

    wert Registered

    Joined:
    May 12, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I've been monitoring website for file changes and frequently, i've seen public_html/error_log file changing. I have found out that it's the web server that generates it. Since it's in public web space, is it security risk to be there? I read somewhere that file inclusion impact varying based on the exploitation and the read permission of the web server user, can make an attacker to harvest useful information from log files. According to my observation, majority of log files unrelated to the website such as it's CMS, are commonly found in other directories out of the public_html directory, and I imagine there is much more security in non public web space directories and files since accessing those areas is impossible even in a web browser right? Thanks in advance for your help.
     
  2. ElviCities

    ElviCities Member

    Joined:
    Aug 9, 2012
    Messages:
    15
    Likes Received:
    5
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Twitter:
    With a standard installation, you shouldn't be generating any error_log in your public_html directory. Something else must have been installed, such as a CMS, that is generating application specific error logs. Otherwise your logs should be in either
    /var/logs
    or
    /usr/local/apache/logs
     
    satyamseo likes this.
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    941
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    PHP itself will frequently make error_log files in whatever directory the script is in.

    That said, a standard httpd.conf on a cPanel system should already contain this entry to block public disclosure of those files. You should not need to add this yourself.

    Code:
    <Files ~ "^error_log$">
      Order allow,deny
      Deny from all
    
      Satisfy All
    </Files>
    
    As long as you get denied by Apache when trying to load site.com/error_log then you are OK. If someone malicious has already gained enough access to read the error_log file through another means, the error_log files are the least of your worries.
     
  4. Richardbt71

    Richardbt71 Registered

    Joined:
    Apr 4, 2013
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    The error_log located there, and sub-directory, is where PHP logs errors. Just because it is in public directory, does not mean everyone can access it. Try it. When I do it, I get an 403,
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,762
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Yes, as mentioned, there's an entry in the Apache configuration file by default to block requests to that file name:

    Code:
    <Files ~ "^error_log$">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
    Thank you.
     
Loading...

Share This Page