Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
I've got WAMP server on my Windows machine (just starting to study Servers and what not so I'm new to all this).
What I want to know is how can I give Apache permission to access a folder, but users should not be able to access that folder.
I've got a folder containing images which anyone would be able to view if they knew the structure of my server's file system and directories. Therefore, what I wish to do is that this folder should be accessible by my .html and .php pages but not by a user who inputs the URL of the folder/image directly in their browser.
I realize this may not be possible, but there must be some alternative to what I'm trying to achieve. I'm very new to all this so I'd like to know if I'm going about this wrong way, whether I'm on the right track or if I simply need to edit my permissions in the httpd.conf file.
Unfortunately that's not possible. The way the browser loads images when they're referenced in your website is not different from the way it does load them when a user enters the same URL directly. SO you get either both or none.
What you CAN do is: disable indexing, so entering just the directory name without the image name results in an "Access Forbidden" error. For that, put this anywhere in your Apache config:
<Directory c:/path/to/your/directory>
Options -Indexes
</Directory>
(You may have to use Backslashes on Windows, not sure. Haven't done any Apache config on Windows fore some time. Can anybody help me out here?)
Another thing you can do is to write an PHP (or use any other server side language) script that reads those images and pases them to the browser. That way, you could check the referrer the browser sends and react to it. But I would not recommend this, as it yields more trouble than it solves, therefore I won't give you a ready made script for this.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
I got mail from Google Webmaster tools that strange URLs where indexed. URLs like mywebsite.com/cheap-medicine/, etc.
I have a Drupal website and I can see those URLs are indexed. And using proxy I can see the page myself. However, I cannot find the source.
I have looked into a bunch of files but they are unchanged.
Also I searched my entire database and of course looked into Drupal backend for strange content.
I even searched my entire server using Linux grep, also no result for words on the page. The database URL / routing tables also show no strange URLs.
I did of course also check .htaccess files
How are these URLs accessible if I cannot find them anywhere?
Look into your .htaccess file, it contains a lot of power. It can make these strange URIs mask themselves. Try to check the validity of that file. This might be where this is coming from.
If your .htaccess file, or any .htaccess file inside any subdirectory of the site weren't hacked on then you probably want to reinstall the Drupal core. If you followed proper development practice by never editing third party core files, then you will not lose any work or time, because it will be a fresh default copy of what you installed the first time.
After this, make sure core runs correctly in a default state, and that the problem is gone. Then you can copy back in your source files to your Drupal framework and reconfigure and resume.
If the problem comes back after you put your source files back, then the problem is in your sources.
You can also try grepping for the terms individually i.e. grep -rin "medicine" ./* on a GNU/Linux box to see if these terms show up.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I have LAMP installed in my server and I use virtualhosts to map domains to subdirectories. I need to allow my customers to upload files (including php) to their server using FTP.
The problem is that a customer using a domain xxx.com.br uploaded a file test.php and executed it like:
xxx.com.br/test.php
The content of test.php if file_put_contents("../../xxx.txt","teste") and it worked! The file xxx.txt was created 2 levels above his domain folder! How do I prevent this from happening?
Don't give the PHP process access to directories it isn't meant to reach.
That's kind of the point of the whole permission system.
In Linux, PHP will generally run as its own user, just make sure that user doesn't have read or write permission to any files you don't want exposed.
For this purpose exists open_basedir configuration directive. More information about it for example here.
Moreover it is good to use FastCGI which allows each script to be run under its owner. More information about it for example here.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
I have some files in directory and sub directory in an open HTTP site
For Example:
http://example.com/directory/file1
http://example.com/directory/file2
http://example.com/directory/sub-directory/file1
http://example.com/directory/sub-directory/file2
http://example.com/directory/sub-directory2/file1
http://example.com/directory/sub-directory2/file2
I want to copy the full directory to my server.
I don't have SSH or FTP access to the http://example.com
I have tried transloader script which grabs only one file every time.
I need to copy the full directory exactly as is on the HTTP server to my new server.
Thanks
Use wget or curl:
wget -r --no-parent mysite.com
You are unable to do this. You can grab the content of the visual layer/GUI that the site provides to you, but you can not grab any of the "behind the scenes" pages which the site has. You wont be able to get any of the site which is doing the back end processing to create what you see on the front end.
The only way to do do this is if you have access to the directories on the site. By this, I mean when you go to the base directory, such as example.com/test/, it just gives a list of all possible files in that directory. As it stands though, most sites protect against it, therefore unless you have direct access, this is not doable as it would be entirely insecure and would create many headaches for development and privacy.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
I have PHP files which I would like to protect. I want that only the server/browser will be able to read them, but if someone tries to open them with some text-editor, it will ask for password or something like that.
Is it possible doing such a thing?
If not, please supply me some ways which I can guard my files from being opened and viewed.
in your ".htaccess" :
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home1/c/clifford/public_html/protected/.htpasswd
require valid-user
Change the path after "AuthUserFile" to the location of where your
.htpasswd file will be (should be in the same directory as
.htaccess).
You can simply change "c" to the first letter of your
PennKey, "clifford" to your full PennKey, and "protected" to the
directory you want to protect.
Save the file and upload it to the directory you want to protect using your favorite FTP client
Manual here
http://www.seas.upenn.edu/cets/answers/auth-htpasswd.html
you can generate the file with following link
http://tools.dynamicdrive.com/password/#.UpdLhuKBa_I
If what you are trying to protect is your files being accessed from the same PC, you should isolate the files using a special profile.
Since you are using WAMP i'll assume you are using Windows.
So my suggestion is that you create a user (with a password) to run WAMP, and that access to his folder is only allowed for him and by the Administrator. Of course you also should set up a strong password for your Administrator account.
This way you don't only allow the access to your PHP files but also to the WAMP config files and the running instance which could expose interesting information for an intruder.
None the less you should also check your webapp security, but that's another story.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
There may many reasons. But I can find only these.
By creating vhost we maintain same file structure in the server.
We can have several server instance in one machine.
But are these really matter ? I doubt myself.
What is the difference between keep separate folder in localhost vs having separated vhost in localhost and deploying to the server.
Is there any other reasons to add(or are these not the reasons at all ?)
Thanks in advance.
Because your first point is the biggest reason.
If you have http://localhost/devel vs http://devel.local your relative pathing can get all screwed up
If you had a developer who wanted to make a home link they may do Home
This will redirect you to root folder on localhost and you wont end up where you should be
it is also a separation of concerns. If you do a vhost you know you are only within that project. Another thing is if say you had a .htaccess file in localhost, it would affect settings in your project folder if you did not override the .htaccess in your project folder
Another reason is subdomains, you cannot really mimic subdomains with folders without using a .htaccess, it is much easier with vhosts
You always want to mimic production as closely as possible otherwise you will run into bugs on production that you will spend minutes/hours/days debugging that you might not have run into if you would have mimiced the environment in the first place