I've the following structure for my MVC php application.
/
/Models/
/Views/
/Content/
/libs/
index.php <-- Controllers
admin.php
blog.php
Basically I want people to allow acces .php files in the root directory. (index.php, admin.php)
For example allow only acces to index.php
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
For some strange reason people can acces URL's like index.php/index.php/index.php
or blog.php/test/ it will display the output page but it doesn't render properly.
Why is this happaning?
For some strange reason people can acces URL's like index.php/index.php/index.php
It's not a BUG, it's a FEATURE ;)
This is actually an apache feature. Apache allow addtional path information after the script name. In php you can acesss this value from $_SERVER['PATH_INFO']
The URL index.php/a/b will run the script index.php and you will get "a/b" in PATH_INFO
How to disable this type of URL
To disable such url you need to disable "AcceptPathInfo" in apache configuration
<Files "*.php">
AcceptPathInfo Off
</Files>
You can find more about AcceptPathInfo in http://httpd.apache.org/docs/2.2/mod/core.html#acceptpathinfo
Basically I want people to allow acces .php files in the root directory. (index.php, admin.php)
Instead of <Files> directive use mod_rewrite for finer control:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(index|admin)\.php$ [NC]
RewriteCond %{THE_REQUEST} \.php[\s?/] [NC]
RewriteRule ^ - [F,NC]
/index.php/index.php/index.php isn't a valid path. The root /index.php is still the one that is being run by the server. However the browser isn't smart enough to know this so if you paths to css and image files are relative it is now looking for them in the wrong places that is why your page isn't rendering properly.
So as far as the server is concerned www.test.com/index.php/index.php/index.php is the same as calling www.test.com/index.php
But for the browser if you had this in your html header <link href="css/style.css" rel="stylesheet" type="text/css"> it is now trying to find it in www.test.com/index.php/index.php/css/style.css and of course it doesn't exist there.
Related
I want my application to allow pages to be accessed / referenced only from the application pages rather than from external addresses. with the exception of the main(index.php) page that will serve as access to the application. So for example if i build an html file in my desktop with a link or form to the destination of the application pages i want it to redirect to index.php.
How can i do this?
I tried to add this rows .htaccess
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
<FilesMatch ".*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
But this didn't work because the desktop file was still in my server .
Edit 2:
I edited the .htaccess file to this and now it works
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteCond $1 !^(index\.php)
RewriteRule ^(.*)$ http://localhost/website/index.php [R,L]
If you mean that you don't want your pages like config.php, x.php, etc. to be accessed directly through browser then you can simply define a constant on index.php page and check its existence on any other PHP file.
In case you want your forms to submitted only through index.php, then the only solution is to use a changeable CSRF token, generated by index.php and valid only for one time usage. That way you'll make sure that no-one can just clone the form inputs and spam you with requests from another server.
Still it's very difficult to totally prevent anyone from sending you requests from outside your server. A go-around techniques can be used to bypass token validation. Attackers can simply send a CURL request to fetch a new token then placing it automatically into the form and sending the request from outside
the server.
I am working on securing my web server.
I do not want people to be able to execute files they shouldn't.
I was told that I should deny all and whitelist files that could be executed.
That works. Problem is when i access my domain.com it wont execute example.com/index.php . if i type example.com/index.php it works.
here is my htaccess file
Options -Indexes
Order deny,allow
Deny from all
<Files /index.php>
Allow from all
</Files>
<Files "index.php">
Allow from all
</Files>
<Files "teacher_login.php">
Allow from all
</Files>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
You know what's a better way to prevent people from executing scripts they shouldn't?
Don't put them on the Web at all.
Put these scripts outside of public_html on your server, and suddenly nobody can access them! No need for .htaccess hacks like what you're trying. And better still, they're still accessible for the server itself - eg.
require($_SERVER['DOCUMENT_ROOT']."/../hidden-scripts/something.php");
Much better.
I'm having a problem with .htaccess and PHP-files in a sub folder. What I'm trying to achieve is to prevent anyone from being able to access any file in my sub folder - BUT I want my index.php to be able to access those files.
DOCROOT/subfolder -> www.somewebsite.com/subfolder/somefile.php
-> Access Denied
BUT
[index.php]
<form action="/subfolder/somefile.php">
...
</form>
-> Success!
I would love to solve this by just using .htaccess. I tried deny from alland also some RewriteRules but those Rules also kill any request from index.php.
I tried
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from somewebsite.com
Satisfy Any
but the request from index.php is being denied. Can anyone help, please?
This is a misconception that people have. Just because you're linking to PHP files from another PHP file doesn't mean the index.php file is accessing them. The end-user/browser is still accessing them, it's just it's being told where to go by your index.php file. Has absolutely nothing to do with how it's being accessed. In both of your cases, they're being accessed by the browser.
The best you can do is to look at the referer field. It can be easily forged to get around this, but it's the only thing you can do.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(example.com|127\.0\.0\.1) [NC]
RewriteRule ^subfolder/ - [L,F]
where "example.com" is your site.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.hello.com/index.php
RewriteRule .*subfolder/somefile\.php - [NC,F]
The second line checks whether the visitor is not coming from a certain url. The 3rd line blocks them from accessing somefile.php
In your .htaccess you could redirect any requests to files inside that directory other than index.php as follows:
<directory "DOCROOT/subfolder">
RewriteCond %{REQUEST_FILENAME} !=/DOCROOT/subfolder/index.php
RewriteRule ^/(.+)$ redirect.php [L]
</directory>
I have the following in a .htaccess file on my server:
<Files index.php>
Order Deny,Allow
Deny from All
Allow from 80.168.22.149
</Files>
The .htaccess is located in a subdirectory, at www.example.com/subdir/.htaccess
The index.php file is located in the same subdirectory.
It gives the usual error if I try and access the page from another IP:
Forbidden
You do not have permission to access this document.
However, when I try and access a subdirectory such as /subdir/images, I get the same error. This error appears if I try and access from an allowed OR disallowed IP address. I thought that the <Files> limitation would only disallow access to the specified files?
I need to be the only IP address that can access index.php, but I need to be able to link to subdirectories within /subdir/ and let anyone view them.
Rather than <Files> directive you can use this rewrite rule in /subdir/.htaccess:
RewriteEngine On
RewriteBase /subdir/
RewriteCond %{REMOTE_HOST} !=80.168.22.149
RewriteRule ^index\.php$ - [F,NC]
The problem with your <Files> directive is that it is matching every index.php including the index.php files in the sub directories.
The only way around this is to use a <Location> directive instead, but you're not able to use that in a .htaccess file.
You would need to edit the Apache configuration file instead and add the <Location> directive in there inside the <VirtualHost> directive for the domain
I have mp3's in a directory called /mp3/ and I want to be able to access them only from another page.php in another directory /main/ on the site.
No direct linking from outside.
All of the pages are written in php
I put this code in the .htaccess file inside the /mp3/ directory...
Order deny,allow
deny from all
allow from 127.0.0.1
allow from localhost
allow from mydomain.com
allow from 123.45.678.90 # that's myserver's IP address (real one used in code)
Satisfy Any
But none of those work.
It does work however if I use the IP address of were I am.
allow from 1.2.3.4 # my internet connection (real one used in code)
But that means it would work for anyone and their IP address.
What am I missing here? Does this work only on certain servers?
How do I make it use the server's IP address and not my IP address?
Look into "hotlink protection" added to your .htaccess file. You can set it up for just .mp3 file extension, and forbid access by any foreign site or directly from browsers. You might even be able to restrict access from within your own site, but I can't see that being terribly useful.
Something like
RewriteEngine on
Options +FollowSymlinks
# hotlink protection and allowed list
# don't forget to add https: to allow accesss for any with SSL
## uncomment following line to PERMIT direct browser access of mp3 files
#RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com(/)?.*$ [NC]
RewriteRule .*\.mp3$ - [F,NC]
Place the files you want to protect out of the public folder. This way they are only accessible via your scripts.
-root
--mp3s
--public_html
---main
----index.php
----page.php
You are trying to limit a "referral" and not direct access?
Denying from an IP limits all access, whether referred to by your page.php or by typing it into the browser's URL location bar. If you're trying to limit referrals, you can try using something like:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain.com/ [NC]
RewriteRule ^mp3/ - [L,F]
but be warned that referers can be spoofed.
What about something like this, in your .htaccess
<Files ~ ".mp3$">
Order allow,deny
Deny from all
</Files>
This will not allow direct access to any files with .mp3 from your web server.
Place this code in your mp3/.htaccess file:
RewriteEngine on
RewriteBase /mp3/
RewriteCond %{HTTP_REFERER} !^https?://(localhost|(www\.)?mydomain\.com)/ [NC]
RewriteRule ^ - [F]