How can I restrict the user to the root directory so that they are not able to access the parent directory of the root?
I have EasyPHP installed and I am considering the following as root:
http://127.0.0.1/projects/Web%20Developement/aureus/files/
I don't want the user to be able to move to the parent directory, but when I add "dot dot slash" ../ at the end of the above URL I can access the "aureus" directory. How can I stop this with .htaccess or any other way?
You can't do this correctly with .htaccess. You'll need to edit the configuration for the domain in the main config file. When you go into your httpd.conf file or your included file for the virtual hosts you need to look for the DocumentRoot you're setting for the server. The web server only has access to what you grant it.
If you can access a folder you're trying to lock down via the web or a browser on another machine, you'll need to look at a variety of permissions settings depending on the OS you're running. You can restrict access to folders and prevent the users in Linux for example from seeing the files with chmod. In Windows (if that's what you're running) you would right-click on the folder, select properties, and change the permissions under the security tab.
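An added example (not part of the original answer) of the main-config approach described above, written for Apache 2.4. The filesystem path and ServerName are placeholders standing in for the asker's EasyPHP layout, which the page does not give.

```apache
# Added example for httpd.conf or an included vhost file (Apache 2.4).
# "C:/path/to/aureus/files" and "localhost" are placeholders.

# Before (the situation in the question): DocumentRoot is a parent folder,
# so /projects/.../aureus/ is itself a valid URL and "../" simply
# navigates to it.
#   DocumentRoot "C:/path/to/www"

# Default-deny the whole filesystem; nothing is served unless a more
# specific <Directory> block grants it, and .htaccess cannot loosen this.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:80>
    ServerName localhost

    # After: the URL path "/" maps to the files folder itself. No URL
    # maps to its parent unless an Alias is added for it.
    DocumentRoot "C:/path/to/aureus/files"

    <Directory "C:/path/to/aureus/files">
        # No auto-generated listing when a folder has no index file.
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```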
Not sure what the point of all this is, but if you simply don't want any ../ in your URLs, then you can try adding this to your htaccess file:
RewriteEngine On
RewriteRule ^(.*)\.\./(.*)$ /$1$2 [L,R=301]
I think rather than specifically try to stop the use of ../ in the url, you should have htaccess in folders you do not want people/bots/other to be in.
This
Options -Indexes
in a .htaccess file will stop directory listing in whatever folder the htaccess file is in. It'll serve a 403, but you can use htaccess to serve 404 or redirect based on what you need (other than "stop user to able to move to the parent directory" I'm not 100% sure what you want).
Cheers
I'm using a simple .htaccess file with the contents
Options -Indexes
to try and hide directory listings. However, when I try to load any page from the browser it gives me a 403 error for any page. Any ideas what the problem is?
For context, .htaccess is in the root folder that contains php files and folders of other php files included/required etc. by those in root.
Thanks in advance
Ben
Make sure that you have a proper directory index setting. The Indexes option simply tells apache to display the contents of the directory as the index if there isn't a default index in that directory.
So if you have the file:
/index.php
Make sure you have:
A valid index file
It is part of the list defined by DirectoryIndex
It is readable by apache.
If your index.php is the file you want served when the request is for the directory, then make sure it is readable by apache (644 is good enough), then make sure it's in the list defined by the directory index:
DirectoryIndex index.php
One other thing that may be happening, and it's very specific to someone's website setup. If you have DirectorySlash Off somewhere, meaning apache won't automatically redirect the browser when a trailing slash is missing when a request is for a directory, and you have Indexes turned off, then your index file will get ignored.
Example, if I have directory slash off, and a request for the directory is made:
/folder
without the trailing slash, it doesn't matter if you have a valid index file, it will get ignored without a trailing slash. If this is the case, make sure you really want to have trailing slashes removed for accesses to directories and this is a limitation of apache.
I had this problem and it was due to permissions. CHMOD it to 777 or whatever.
Also, consider this rule is run for each page load. For speed purposes you can create .htaccess for each folder.
Maybe it's your folder permissions; you should check them.
Which is the best way to prevent certain directories of a web site from being directly accessed?
1- Creating and placing a .htaccess file in each directory we want to protect and place the next line in it:
Deny from all
2- Creating and placing a index.php file in each directory we want to protect and place only the next line of code in it (which will redirect to homepage of the website):
<?php header("Location: http://" . $_SERVER['HTTP_HOST']); ?>
3- Something else (what is it?)
As mentioned in the comments, the safest way is to place content or directories outside the web server's public document root. This will ensure that content will not be served even if an .htaccess file is deleted or if the server does not allow .htaccess overrides.
To determine your document root you can just echo the PHP $_SERVER['DOCUMENT_ROOT'] variable. So if your root is /var/www/html, you can create a folder /var/www/protected_folder and Apache (or other web server) will never serve it (unless the http.conf file is altered to modify the document root folder).
If the folder must be in the document root, then using an .htaccess file to either DENY or redirect is a good alternative.
As TerryE mentioned, you could also use OS-level file permissions to deny the Apache user access to the folder (set a different user as the owner and then set permission on the folder to 700, for example). If they try to access the folder they'll get a 403 Forbidden Error which you may not want to show (though you could set up a custom 403 error handler in http.conf or htaccess). Depending on specifically what you are trying to do you may want this approach, as it will also let you prevent access from scripts (i.e. PHP include() etc) if you want to, as PHP runs under the webserver user by default. The major downside of this approach is that file permissions are often not preserved during migrations (if they're not done correctly) and file permissions can sometimes be reset inadvertently when altering parent folder permissions with a recursive flag (whereas it's unlikely that someone would inadvertently move a folder into the document root).
So I'm on a 15-day trial of my (already paid) webhosting and they seem very good, at least they did until I got my FTP.
I have a php script that needs a folder outside of the root directory
Example:
website root:
/users/websites/public_html/ <- folder which users / browsers have access to
The script needs a folder here:
/users/websites/ <- above the root
for example /users/websites/sensetive_data/ <- browsers cannot access this
but that's impossible on my web-host "because it's a shared hosting" <- their answer. And they can't change the root path.
So I cannot create any directories or files above /users/websites/public_html/
So, well, to not cancel my trial immediately, maybe I will try to do it in another way. I want to use htaccess to restrict access to a directory, and all the files in it and its subdirectories,
So I can move the 'sensetive_data' folder to /users/websites/public_html/sensetive_data
I want it to redirect to the main page (so when accessing /users/websites/public_html/sensetive_data/* [http://example.com/sensetive_data/*] it will go to /users/websites/public_html/ [http://example.com/]),
so even if the user knows the exact url, he/she will be redirected. How can I accomplish that?
If you want to do a redirect for a folder, say /users/websites/sensitive_data/
create a file in that folder called .htaccess and add the following (and specify the url to redirect to)
Options -Indexes
ErrorDocument 403 http://mysite.net/
In /users/websites/sensetive_data/.htaccess write:
Deny From All
For your whatever PHP script you need to change it yourself.
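An added example (not from the answers above) that combines both suggestions into one .htaccess for the shared-hosting case, where the folder has to live under public_html. The `<IfModule>` split is there because `Deny from all` is Apache 2.2 syntax and Apache 2.4 uses `Require all denied`; the redirect target is the example.com URL from the question.

```apache
# Added example: save as public_html/sensetive_data/.htaccess
# It applies to this folder and all of its subdirectories.
#
# Assumption: the host's AllowOverride setting permits these directives.
# If overrides are disabled, this file is ignored and the contents are
# served normally, so confirm by requesting a known file in the folder
# and checking that the response is not a 200.

# No auto-generated listing of the folder contents.
Options -Indexes

# Apache 2.4: access control via mod_authz_core.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 fallback: the older Order/Deny syntax.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# A full URL here makes Apache answer the denied request with a
# redirect to the home page instead of showing a 403 page.
ErrorDocument 403 http://example.com/
```

PHP scripts can still read the folder through the filesystem, since these directives only govern HTTP requests.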
I have a website that is working properly. When I go to "Domain-name.com/images" it shows me all the images in the images folder on my site. I don't know why this is. Maybe this is due to the directory permissions? But I want to know the actual reason behind it.
Help will be appreciated.
Note: I am tagging PHP and HTML because these people might have faced this thing while creating a website.
This is because there is no index file in the folder, and Apache (assuming Apache) is set to do directory indexes.
Either create an empty index.html or add the following in either apache2.conf (or httpd.conf) or in a htaccess file:
Options -Indexes
You can restrict the folders using .htaccess.
Create a .htaccess file in your website root folder and add the following code to it.
RewriteEngine on
RewriteCond $1 !^(css|js|images)
RewriteRule ^(.*)$ index.php/$1 [L]
This is a problem with the configuration of your web server which allows directory listing for your image folder. E.g. on Apache, the most common server software, you would switch it off in the httpd.conf with the directive Options -Indexes in a directory section.
To answer your question: yes. If it's a web accessible directory meaning it resides in the typical webroot folder such as public_html, www, etc and the permissions on the folder are open then anyone can see the contents.
Is it possible to hide a folder from the www directory so that the php files will not be seen if you access it through a web browser?
I'm doing this because I'm not yet good enough to secure those files and the mysql database that they are manipulating.
Or even a trick that would make the web browser not to be able to access the localhost is fine. Please
If you have a directory and you don't want Apache being able to serve any file that's in it, you can create a .htaccess file in that directory, containing :
Deny from all
This will make sure Apache refuses serving any file from that directory -- but they will still be accessible by PHP scripts running from another directory or from the command-line.
If you want Apache to be able to serve the files, but not list the content of the directory when a user accesses that directory without any filename in the URL, you can use this in your .htaccess file :
Options -Indexes
This will disable listing of files inside the directory that contains the .htaccess file -- but will not prevent Apache from serving the files themselves.
Just put the files outside of the document root and include them from there.
A very simple trick if you don't have Apache, hence no access to .htaccess (that sounds like I'm repeating myself), just create a file index.htm or index.html containing NOTHING. Any attempt to access that folder will just show a blank page.