I want to close one of my directories public access on my PHP server but at the same time same directory should be still accessible, so what I want to do is when user types that directory from browser like stackoverflow.com/directory they will see it closed/empty but when they want to access a file under that directory like stackoverflow.com/directory/file.php they will be able read and submit form on it. Any ideas how can I do this?
Many thanks
Another method, using .htaccess file in the root
Options -Indexes
Now if a folder does not have an index.html/php file the server will respond with a 404 file not found error and send people your error page. Rather than a directory listing denied using the previous method.
Related
I have an SPA that uses AJAX calls to assemble content from multiple PHP files. I can add the following into the main application's config file to be able to redirect users that are not logged in back to the login page as long as they tried going through the portal to look at stuff.
// Verify Login to access this resource
if($_SESSION["loggedIn"] != true) {
echo ('resource denied <script>window.location.href = "https://'.$_SERVER['SERVER_NAME'].'/login.php";</script> ');
exit();
}
The problem comes in that there are tons of views, models, controllers, and third party widgets that can still be accessed directly if you simply tried scanning the site for common file architures.
Is there a way to use something like an htaccess or php.ini file to automatically append this login check to all of the php files in a directory so that I don't have to paste this into each and every page?
Baring that, is there a way to set my chmod settings to only allow indirect access to those files such that php scripts running on the server can use them, but they can not be directly visited? Thanks.
[EDIT]
Moving files outside of my public folder did not work because it broke the AJAX.
I also tried auto_prepend_file in an htaccess file, but this resulted in a 500 error. I am using a VPS that apparently won't let me do an AllowOverride All in my Apache pre_virtualhost_global.conf; otherwise, I think that would have been the right way to do this.
Setting the CHMOD settings of my resource folders to 0750 appear to be allowing the AJAX commands to execute without allowing direct access to the files. If anyone knows of any other security caveats to be aware of when doing this let me know. Thanks.
I am trying to redirect all requests that points to an actual file or directory in the root of my application to a specific php file, using the .htaccess file in the root directory. I want to be able to prevent people from snooping into my application's files and folders, while still controlling what happens to such requests: whether to throw a custome 404 error or not. But I don't know how I can achieve that, (if at all it is possible). I have searched through the StackOverflow and Google too, but found nothing helpful enough. Please help. Thanks.
I have uploaded my .php files into cPanel. lets say my main domain is abcde.com. Then I created a subdomain called gisWeb.
Now in file manager under /home/abcdec I can see a directory called gisWeb.abcde.com. I uploaded an index.html file into this directory and tried to run it by browsing http://gisWeb.abcde.com/index.htmlbut I'm getting site cant reach page. `
We can’t reach this page.
Try this
Make sure that you’ve got the right web address:`
How can I access my files.What should be the url?
Please help me.
Thanks
Problem could be one of these.
1. Sub-Domain you created may not have propagated.
2. You may need to put the files in public_html folder inside gisWeb.abcde.com
I wrote a custom module, which logs errors to an external text file. The files are kept in
/sites/all/modules/custom/my_module/logging/
The problem is, if the user know the name of the file, they can go directly to it. For example, if they go to:
http://localhost/MySite/web/sites/all/modules/custom/my_module/logging/
The will get a forbidden error. But, if they know the name of the document and go to:
http://localhost/MySite/web/sites/all/modules/custom/my_module/logging/myFile.txt
the full file is rendered to the browser. Is there a way to prevent this? Ideally, I would like to show the files to certain users but at the very least prevent it all together.
thanks jason
very simple method...
Put a .htaccess file in the logging folder and inside that put
deny from all
It looks like you have somewhere options -indexes, this will prevent a client viewing a folder that does not have an index file
Good day all,
I have a folder called documents in my site root, this is password protected by a .htpasswd file, but it is allowed to be accessed by a script to view.
how would I allow a script to be able to download the file without accessing it directly from the directory?
I'll give an example to explain the situation.
on my home page I display the picture test.jpg, this image is in the documents folder that is protected. The image displays correctly on the home page.
If type in the address bar www.domain.com/documents/test.jpg it does not display or downloads, but asks for a password.(this I want, but don’t want people to type in a password for each file they want to download)
Is there a way that I can make php or JavaScript download the document without ever having to prompt for a password? Other words bypass the .htaccess rule?
thanx in advance
I've retagged adding PHP and Javascript. There is nothing stopping you writing a remapper PHP script which is outside the documents folder and therefore accessible without Apache authentication. This could issue a readfile() to send the file (see the document example and user contributions for a more detailed explanation. Since this is a server-side script, it will have direct access to the protected directory.
Of course you might want to implement some form of access control, say appending a request parameter check which is based on the md5 of the filename plus a shared secret. This would be easy to compute in the calling script. However, once you move such access negotiation to a client-side script you need to accept that this could be retro-engineered and exploited by any experienced hacker.
As a footnote, if you want to allow users to download your images, why are locating them in an access controlled directory. Why not just move them out of this directory?
As Barry said, the .htaccess is processed before any PHP is, so bypassing it is not an option. You will have to either change the .htaccess configuration or write a remapper PHP script.
I suggest changing the .htaccess configuration to allow direct download links but deny directory listing. This will allow people to download direct links such as http://www.example.com/documents/some-file-name.ext without being prompted for a password, but they will have to know the link ahead of time - they won't be able to view the /documents/ folder to see everything in there.
You can do this by commenting out or removing the Auth directives:
#AuthUserFile /path/to/.htpassword
#AuthName "Name"
#AuthType Basic
#Require Valid-User
And adding a directive to block directory listing:
Options -Indexes