I am working on securing my web server.
I do not want people to be able to execute files they shouldn't.
I was told that I should deny all and whitelist files that could be executed.
That works. Problem is when i access my domain.com it wont execute example.com/index.php . if i type example.com/index.php it works.
here is my htaccess file
Options -Indexes
Order deny,allow
Deny from all
<Files /index.php>
Allow from all
</Files>
<Files "index.php">
Allow from all
</Files>
<Files "teacher_login.php">
Allow from all
</Files>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
You know what's a better way to prevent people from executing scripts they shouldn't?
Don't put them on the Web at all.
Put these scripts outside of public_html on your server, and suddenly nobody can access them! No need for .htaccess hacks like what you're trying. And better still, they're still accessible for the server itself - eg.
require($_SERVER['DOCUMENT_ROOT']."/../hidden-scripts/something.php");
Much better.
Related
I want to block HTTP access to every file in my project directory except PHP scripts located in the root folder (not subfolders).
My current .htaccess file looks like this :
# Disable Directory Listings in this Directory and Subdirectories
# This will hide the files from the public unless they know direct URLs
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api.php/$1 [QSA,L]
</IfModule>
# Deny all files from being accessed with Apache
Order Deny,Allow
Deny from all
# Allow specific PHP files at root
<FilesMatch "/(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
This mostly works, except for the URL rewriting on the api.php script. I've tried changing the FilesMatch regexp to /(api|cron|status)(\.php)?$, but it keeps on throwing me a 403 response.
Anyone can explain to me what I did wrong here ? I'm usually OK with regexp, but this has got me thinking Apache doesn't process them like everyone else...
Deny from all
<FilesMatch "^(api|cron|status)\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
And I guess make sure your .htaccess is on the root level.
I am having a problem , I am a great supporter of .htaccess , but I have taken a yahoo small business hosting for one of my Project, which currently dont supports .htaccess rewrite, so I am looking for some best option to mimic the same functionality with php instead of .htaccess
So , I can redirect all request to index.php with the following code, Reference
if(basename($_SERVER['REQUEST_URI']) !== 'index.php'){
header("location:index.php");
exit();
}
Now I want to implement other functionality in php too, like denial of directory access, and allowing only css , jss , image file etc direct access.So please suggest me some optimised and feasilble way to achieve this. Here is .htaccess for reference
RewriteEngine on
RewriteBase /
SetEnv APPLICATION_ENV development
#SetEnv FACEBOOK_APP_ID 4343434343
#SetEnv FACEBOOK_APP_SECRET d00b24f1344334833c90f0795ebe
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?url=$1 [L,QSA]
# This denies all web access to your .ini file.
<Files ~ "\.(php|ini|log|htm)$">
Order allow,deny
Deny from all
</Files>
<FilesMatch "^(index\.php)?$">
Allow from All
</FilesMatch>
<files config.base.ini>
order deny,allow
deny from all
</files>
<files errorlogs.log>
order deny,allow
deny from all
</files>
PS :FB SECRET ID AND CREDENTIALS ARE DUMMY
I've the following structure for my MVC php application.
/
/Models/
/Views/
/Content/
/libs/
index.php <-- Controllers
admin.php
blog.php
Basically I want people to allow acces .php files in the root directory. (index.php, admin.php)
For example allow only acces to index.php
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
For some strange reason people can acces URL's like index.php/index.php/index.php
or blog.php/test/ it will display the output page but it doesn't render properly.
Why is this happaning?
For some strange reason people can acces URL's like index.php/index.php/index.php
It's not a BUG, it's a FEATURE ;)
This is actually an apache feature. Apache allow addtional path information after the script name. In php you can acesss this value from $_SERVER['PATH_INFO']
The URL index.php/a/b will run the script index.php and you will get "a/b" in PATH_INFO
How to disable this type of URL
To disable such url you need to disable "AcceptPathInfo" in apache configuration
<Files "*.php">
AcceptPathInfo Off
</Files>
You can find more about AcceptPathInfo in http://httpd.apache.org/docs/2.2/mod/core.html#acceptpathinfo
Basically I want people to allow acces .php files in the root directory. (index.php, admin.php)
Instead of <Files> directive use mod_rewrite for finer control:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(index|admin)\.php$ [NC]
RewriteCond %{THE_REQUEST} \.php[\s?/] [NC]
RewriteRule ^ - [F,NC]
/index.php/index.php/index.php isn't a valid path. The root /index.php is still the one that is being run by the server. However the browser isn't smart enough to know this so if you paths to css and image files are relative it is now looking for them in the wrong places that is why your page isn't rendering properly.
So as far as the server is concerned www.test.com/index.php/index.php/index.php is the same as calling www.test.com/index.php
But for the browser if you had this in your html header <link href="css/style.css" rel="stylesheet" type="text/css"> it is now trying to find it in www.test.com/index.php/index.php/css/style.css and of course it doesn't exist there.
In my .htaccess file, I am using the below to prevent direct access to folders:
Options -Indexes
I am using the below to prevent access to a critical file of ours:
<Files admin.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from (my ipaddress)
</Files>
So, now users cant go to www.domain.com/scripts as it throw 404 error, nor can they access admin.php
But how do I prevent direct access to all?
For example, if someone knew the filename, they can still get to it, such as: www.domain.com/scripts/process.php
What to do?
Using mod_rewrite:
Put this rule on top of all other rules:
RewriteRule ^scripts(/.*|)$ - [F,NC]
Without using mod_rewrite:
Put this code in scripts/.htaccess:
Order Deny,Allow
Deny from all
UPDATE: To block direct access to all files:
# If the request is for a valid file
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{THE_REQUEST} \..+[\s?]
# return forbidden error if not static files
RewriteRule (?!^.+\.(?:jpe?g|gif|bmp|png|tiff|css|js)$)^.*$ - [F]
I have a page running on phpbb where I want to disable registrations from certain counteries. I've ended up with this
<Files "ucp.php">
Order Allow,Deny
Allow from all
SetEnvIf GEOIP_COUNTRY_CODE {country} BlockCountry
Deny from env=BlockCountry
</Files>
as you can see I'm using geoip to detect the country. But now the problem is that this piece of code disallows already registered users to login from those countries, but I want just the registration part which is ucp.php?mode=register.
This however doesn't work even with backslashes so I don't know how make it work.
Thanks for your help
You could do something like this in your .htaccess
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CA|US|MX)$
RewriteCond %{QUERY_STRING} ^(.*)mode=register(.*)$ [NC]
RewriteRule ^ucp.php$ deny_page_for_other_countries.php [L]