So, I was trying to upload PHP files into Apache server, and whenever I browse the file I get 403 error due to htaccess limitations. It turns out that the server only accepts certain files such as "gif|jpg|png|mp4" and other image files.
Is there any way to bypass this?
NOTE **: I tried the old ways,**PHP, Phtml .. it didn't work.
Is there any way to bypass this?
Not unless you edit the .htaccess file or find a vulnerability in Apache.
Note that simply uploading a PHP file doesn't mean the server can execute it. The server needs to have the right software installed and Apache needs to be configured to handle PHP files. You can't just drop a PHP file in there and expect it to work, regardless of what the .htaccess file says.
Related
I am trying to upload my new website (codeigniter project) to the server. .htaccess file is used in my project and it is working properly in localhost. Also, i can upload the file too, but after uploading, it is not working. I always need to add the 'index.php' in url. I can't see the .htaccess file and when i trying to upload it again, it is showing the message, the file is alredy exist. Do anyone know the reason?
Try using FileZilla and enable hidden files to be visible:
Open FileZilla FTP client.
From the Menu bar choose Server
Select Force Showing Hidden Files which should be the last option.
One other thing to check is if you're using Apache or Nginx because Nginx does not support the .htaccess file
I am using winSCP(FTP software) to upload my .htaccess. As you mentioned you are not able to view it. However when you try to create a new file through winScp, the file will be automatically loaded to your text editor.
I am not sure if other FTP software works the same.
The file exists, but is hidden.
Probably the user on whose log does not have permission to replace him.
remove .htaccess file from your server , but before make sure that that file is no more useful for you .
other way
open the hosting server .htaccess file in online editor of cpanel
now copy past your htaccess file codes which required to be change.
As mentioned in the comments, it could be that the server is running for example Nginx instead of Apache.
However, I think the most likely cause for the .htaccess file not having an effect is a configuration issue. It could be that .htaccess functionality is disabled either in config you can manage, or in the server's config.
Contact your webhost to resolve this issue.
I know it a silly question but last night when I was working with my website's .properties file, I discovered this idea. I am using PHP script for my website where I have stored all my site properties values like image path, secure path.. etc in website.properties file. But I need to include this .properties file in each and every webpages to access the values in it.
My question is, like .htaccess file, can I add this .propeties file into server configuration? Is there any option available to sync this file with server configuration? Is Apache allowing us to do? In this case I don't need to add this file in every pages.
Look to the side of enviromental variables in Apache and PHP:
http://php.net/manual/en/function.apache-getenv.php
http://www.php.net/manual/en/function.apache-setenv.php
http://httpd.apache.org/docs/2.2/env.html
I'm having some trouble with .php files which seem to download when I open them in the browser.
I've googled around and have found this is because the server doesn't know how to parse the file, and that I need to add something to make this work.
I've read around and it seems I need to add something to a .htcaccess file, but I'm not sure where this is or where I should create it.
Below is a screenshot of the directories on my server if anyone can help me.
You mean something like
AddHandler x-httpd-php5 .php
...this should already be in place in the master Apache file (or the appropriate .conf include - in some distributions, configuration directives may be parceled between several configuration files) if PHP is properly installed.
you dont need to generate a htaccess file for this issue, if you installed a web server and php and configured them properly.
So basically I need a way to take an exe file on my server and make a php function to toggle it's availability. I do not want to just rename, move, or delete the file, but redirect to a page explaining the file is temporarily unavailable.
I know how to set a permanent redirect in .htaccess but this doesn't solve my problem since I'd like to make this automated via a php script....
Any suggestions? Thanks in advance.
You won't be able to do this with PHP alone unless your web server is set up to process requests for .exe files as .php, or you add a rule in .htaccess. If the file exists, and .htaccess/server settings allow direct access to files, there's nothing PHP can do to stop access to it.
Honestly the simplest way would probably be to write a PHP script that edits your .htaccess file and reloads it in apache. You could just run that script whenever you needed to enable/disable access.
I am a PHP newbie and a have a php security question. Is it possible for somebody to get the source code of a php script file running on a server with default configuration? If so, what is the best way to be protected? I am asking this because I happened to download a php file when I requested a page from a site and what triggered my concerns. I think that maybe apache configuration was wrong and served that file to me like a simple file but I am not sure. Also what is the best place to keep "sensitive" data such as database or smtp configuration?
Thank you,
Alex
For the most sensitive information, I'd suggest putting it outside of your web root folder, and including it through "require" or "include". This way, even is some configuration gets botched on the server, the visitor will only get served the line "include('secret_stuff.php');" and not the actual script.
Exactly what David Dorward said but i would advise you take a look at the following patch(s) that would modify apache to not send source code's regards if there is a misconfiguration.
http://mirror.facebook.net/facebook/patches/ap_source_defense.patch
Patch like so:
cd apache-1.3.x
patch -p1 -i ap_source_defense.patch
More Patches from Facebook Development Team: http://mirror.facebook.net/facebook/patches/
The best way to protect your much needed source is to place them outside the public root directory, as if apache is running it will not be able to serve files directly from the folder up public_html
for example:
C:/server/apache/
C:/server/apache/htdocs/
C:/server/apache/htdocs/includes/
People can specifically view the files my going to
http://hostname.tld/includes/
but having the directory structure of:
C:/server/apache/
C:/server/apache/includes/
C:/server/apache/htdocs/
and then within
C:/server/apache/htdocs/index.php
you have
<?php
require_once('../includes/config.php');
?>
this should protect all major files bar the view file (index.php)
If the server is not configured to handle PHP files, then it will treat them like any other unknown file (and serve them as either text/plain or application/octet-stream.
PHP support is, as far as I know, always provided as an extension or external program (for CGI, FastCGI, etc) and never as a built in for an HTTP server.
If the server is properly configured to run PHP code, then people without direct access to the server cannot view the PHP source code. You don't have to do anything else.
It is only because that server was not configured to run PHP, and instead served it as text, that you could see the source.
If you have this line in your apache.httpd.conf file,
AddType application/x-httpd-php .php
Apache should deal with data, rather than showing them...
Also you need to start php services.
What you describe as "default configuration" is a webserver without php installed (or with php disabled). In these cases, it is certainly possible to download the php script.
Make sure php is installed (as it will be on ~100% of production php servers) and/or block access to your configuration file with an .htaccess file like this:
<FilesMatch "^config.php$">
Order allow,deny
Deny from all
</Files>
If you want to be extra-tricky (and work even on servers where .htaccess files are ignored), prefix the configuration file with .ht, like .ht.config.php. Most Apache(and some other webserver) configurations will refuse serving files beginning with .ht. However, in general, the only way you could be sure no webserver serves your file is to move it to a directory outside of the server's document directory. On most hosts you or your php script won't be able to access those though.
Your second problem are misconfigurations. There's not much you can do, albeit there might(?) be options to construct a rewriterule to prevent accidential accessibility.
The best prevention however is to keep all scripts outside of the DOCUMENT_ROOT. Just leave a single index.php there, and include all dependencies from there. This is also the best strategy to avoid leaking of configuration data (also don't use ini files for sensitive data, but always .php scripts).
Another worry are shared hosting servers however. All concurrent users on a server can read out your scripts (if not through PHP then via Perl/bash CGIs). Nothing you can do about that, unless you change to a professional hoster which supports running everthing through suexec and thus allowing individual permissions.
Well, "default configuration" is a vague term, but as long as the web server is configured to parse .php files through PHP, you should be fine from that angle. If your scripts themselves happen to parse other PHP files (for eg. a template system) then you need to make sure there aren't any loopholes in that too, since the PHP scripts have full access to your files on the server.
Assuming these are taken care of, you don't need to keep the "sensitive" data in any special place -- just put them in your .php files, but make sure all your scripts end in .php (for eg. config.inc.php) so that they are always parsed via PHP and not sent as plain text.