How to disable all file uploads to a server? - php

Is there a way, through php.ini or .htaccess to disable all file uploads to a server?
The only catch is, I want to have one folder (for example, an admin folder) that still has access to upload.
I am thinking along the lines of when you disable eval and exec.
This question stems from the fact that I have seen sites infected with malware, which are located in all random spots through the server - a recent example I have seen is something similar to:
eval(gzinflate(base64_decode("HZ3fdsfHjtfvdqlkdsfabf5Y7OAQfMCRc9YKaYc5o0mHOmmJ6+ .... ));
Located in a file called stp.php on a server. My thinking is that if the site's users need no access to upload files (which they don't), then it should simply be disabled.

Yes. In your php.ini file set file_uploads=Off as described here.
This will disable all file uploads through HTTP.
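A scan for the obfuscation chain quoted in the question, as an added example that is not part of the original posts: it walks a web root and reports PHP files in which eval( wraps one or more decoder calls. The decoder names beyond gzinflate and base64_decode, the extension set and the sample tree are assumptions constructed here.

```python
import os
import re
import tempfile

# The page shows eval(gzinflate(base64_decode(...))); the other decoder names
# are an assumption added here to catch close variants of the same chain.
DECODERS = r"(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)"
PATTERN = re.compile(r"\beval\s*\(\s*(?:" + DECODERS + r"\s*\(\s*)+[\"']", re.I)
PHP_EXTS = {".php", ".phtml", ".inc"}


def scan_file(path):
    """Return the 1-based line numbers in `path` that contain the chain."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            if PATTERN.search(line):
                hits.append(lineno)
    return hits


def scan_tree(root):
    """Walk `root` and map each matching file (relative path) to its hit lines."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PHP_EXTS:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_tree():
    """Create a constructed web root: one clean file, one obfuscated file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "img"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\necho base64_decode('aGk=');\n")
    with open(os.path.join(root, "img", "stp.php"), "w") as fh:
        fh.write('<?php\neval(gzinflate(base64_decode("Q09OU1RSVUNURUQ=")));\n')
    return root


if __name__ == "__main__":
    for path, lines in scan_tree(build_sample_tree()).items():
        print(path, lines)
```

The match is line-based, so a chain split across several lines is not reported.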

Related

Bypass htaccess file restriction

So, I was trying to upload PHP files to an Apache server, and whenever I browse to the file I get a 403 error due to htaccess limitations. It turns out that the server only accepts certain files such as "gif|jpg|png|mp4" and other image files.
Is there any way to bypass this?
NOTE: I tried the old ways, PHP, Phtml .. it didn't work.
Is there any way to bypass this?
Not unless you edit the .htaccess file or find a vulnerability in Apache.
Note that simply uploading a PHP file doesn't mean the server can execute it. The server needs to have the right software installed and Apache needs to be configured to handle PHP files. You can't just drop a PHP file in there and expect it to work, regardless of what the .htaccess file says.

Not able to upload htaccess file

I am trying to upload my new website (CodeIgniter project) to the server. An .htaccess file is used in my project and it is working properly on localhost. Also, I can upload the file too, but after uploading, it is not working. I always need to add the 'index.php' in the URL. I can't see the .htaccess file, and when I try to upload it again, it shows the message that the file already exists. Does anyone know the reason?
Try using FileZilla and enable hidden files to be visible:
Open FileZilla FTP client.
From the Menu bar choose Server
Select Force Showing Hidden Files which should be the last option.
One other thing to check is if you're using Apache or Nginx, because Nginx does not support the .htaccess file.
I am using WinSCP (FTP software) to upload my .htaccess. As you mentioned, you are not able to view it. However, when you try to create a new file through WinSCP, the file will be automatically loaded into your text editor.
I am not sure if other FTP software works the same.
The file exists, but is hidden.
Probably the user you are logged in as does not have permission to replace it.
Remove the .htaccess file from your server, but first make sure that the file is no longer useful to you.
Another way:
Open the hosting server's .htaccess file in the online editor of cPanel.
Now copy and paste the code from your htaccess file that needs to be changed.
As mentioned in the comments, it could be that the server is running for example Nginx instead of Apache.
However, I think the most likely cause for the .htaccess file not having an effect is a configuration issue. It could be that .htaccess functionality is disabled either in config you can manage, or in the server's config.
Contact your webhost to resolve this issue.

Like .htaccess file can I add .properties file in Apache server configuration

I know it's a silly question, but last night when I was working with my website's .properties file, I came up with this idea. I am using a PHP script for my website where I have stored all my site property values like image path, secure path, etc. in a website.properties file. But I need to include this .properties file in each and every webpage to access the values in it.
My question is, like the .htaccess file, can I add this .properties file into the server configuration? Is there any option available to sync this file with the server configuration? Does Apache allow us to do this? In that case I wouldn't need to add this file in every page.
Look into environment variables in Apache and PHP:
http://php.net/manual/en/function.apache-getenv.php
http://www.php.net/manual/en/function.apache-setenv.php
http://httpd.apache.org/docs/2.2/env.html

Is there any way to view PHP code (the actual code not the compiled result) from a client machine?

This may be a really stupid question... I started worrying last night that there might be some way to view PHP files on a server via a browser or some other means on a client machine.
My worry is, I have an include file that contains the database username and password. If there were a way to put the address of this file in to a browser or some other system and see the code itself then it would be an issue for obvious reasons.
Is this a legitimate concern?
If so how do people go about preventing this?
Not if your server is configured right. I think discussion on how that is done belongs on serverfault.
To add on to the other answers:
If you use a file extension like .inc there's indeed a higher risk. Can you open the file directly in your browser?
The most important advice is missing:
Only the files that should be accessed by a browser, should be in a publicly accessible location. All the other code (and configuration) should be in a completely separate directory.
For example
root
- webroot
- includes
- config
Only 'webroot' is exposed by your webserver (apache). Webroot can for example contain a single index.php, along with all your assets (javascript, css, images).
Any code index.php needs to load comes from 'includes' and all the configuration from 'config'. There's no way a user could ever directly access anything from those 2 directories, provided this is done correctly.
This depends on the file extension you have given the include file.
If the extension is one that is known and executed by the web server, it will be protected. If you browse to the file, the server will try to execute the code rather than just returning it as plain text.
If the extension is not known by the web server it will serve it as plain data, so anyone (who can guess the file name) can browse to the file and see the source code.
A Directory Traversal Vulnerability can be used to obtain files off of the remote machine. Alternatively you can use MySQL based SQL injection to read files using load_file(). You can also test your system with w3af's urlfuzzer which will look for "backup files", such as index.php.zip. Also make sure that all files have .php extensions, a .inc can be viewed from the public. I would also disable Apache directory listing.
Normally there should be no way to view the PHP files remotely... it would be absolutely pointless. This completely depends on what web server you are using and how it's set up though.
Having looked around I can see that it is possible to protect a directory via the .htaccess by adding these lines:
Order allow,deny
Deny from all
This apparently protects the directory so that only local non web-access is possible.
This allows me to keep my includes in a subdirectory of the main site directory which is good for organisation and it can be used on the projects where I do not have access to folders outside the web root.
Does anyone else use this method?
Just for good measure I've put the directory permissions to execute only.
And the include extension is PHP as suggested by others.
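An audit for the cases the answers above describe (includes with a non-executed extension, backup copies such as index.php.zip), as an added example that is not part of the original thread. It assumes only .php is mapped to the PHP handler; the extension list, reason strings and sample web root are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: .php is the only executed extension; the rest are public assets.
SERVED_OK = {".php", ".css", ".js", ".png", ".jpg", ".gif", ".html"}


def classify(path):
    """Return why `path` would leak source or config if requested, else None."""
    name = path.name.lower()
    if path.suffix.lower() in SERVED_OK or name.startswith(".ht"):
        return None  # executed, static, or a .ht* file Apache denies by default
    with path.open("rb") as fh:
        head = fh.read(4096)
    if b"<?php" in head or b"<?=" in head:
        return "PHP source that the server will not execute"
    if ".php" in name:
        return "backup or archive copy of a PHP file"
    return "non-executed file served as plain data"


def audit_webroot(root):
    """Map each flagged file (relative to `root`) to the reason it is flagged."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reason = classify(path)
        if reason:
            findings[path.relative_to(root).as_posix()] = reason
    return findings


def build_sample_webroot():
    """Create a constructed web root with the cases the answers mention."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    samples = {
        "index.php": b"<?php require 'db.inc';\n",
        "db.inc": b"<?php $db_pass = 'constructed-placeholder';\n",
        "index.php.zip": b"PK\x03\x04constructed",
        "website.properties": b"secure.path=/constructed/path\n",
    }
    for fname, data in samples.items():
        (root / fname).write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, why in audit_webroot(build_sample_webroot()).items():
        print(f"{rel}: {why}")
```

Every flagged file is a candidate for moving outside the web root or for a deny rule; the check only looks at names and the first 4 KiB of content.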

Is it possible to modify or edit a txt file, if the file's permission is set as 606?

Is it possible to modify or edit a txt file, if the file's permission is set as 606, via a web browser, by normal users?
I mean, I make a txt file named "1.txt".
The first original contents of the txt file are "PAX is great man",
and then I upload this file to the server.
I set the permission of the file to 606,
so the general users can now modify the file.
So does anyone become able to edit that file into "PAX eat camel meat", or not?
If your webserver does not support the PUT or DELETE command (and most webservers don't by default) and you don't provide a script where any user can edit your files from the outside, I see no way a remote user could edit your file. W3.org. Just a short additional note: If only the webserver and a browser are involved in this case, you could even change the rights of this file to 777 and no one should be able to edit your file.
This entirely depends on your webserver, certainly anyone on the local system (who isn't in the group) can write to the file.
'606' means read AND write permissions for the user creating the file and for others. So in effect it enables anyone to edit the file if they are on the same system. Whether they can do it via the Web browser depends on the webserver and its configuration.
Why don't you just set the permissions on it to 604? That way, the file can only be edited by you, even locally!
Jonathan,
Can you please provide more details of your question? By "modifying the file", this could mean too many possibilities. To talk about security and permissions, you have to determine in what way your files are accessed first. By the way you asked your question, I am going to make these assumptions:
(A) You do not own your server.
You cannot make system-wide configuration changes to your server.
(B) Other people can login to use this server.
(This means having access to a command prompt of this server.)
You do not trust these people and do not want them to modify your files.
(C) Your web server is either Apache or Microsoft IIS.
By "modifying the file", there are some possibilities:
(1) When you visit the URL, it shows the original content of the file and a "Modify" button.
If you click the "Modify" button, the original content will be shown in a text area and a "Save" button comes out.
After you finish editing, you click "Save" to save the changes.
(2) There is NO editing interface.
The interface is like a "file manager".
You just upload another file with the same name to overwrite / replace the original file.
If what you want is (1) above, you have to write a server-side script (eg. PHP, ASP, etc.) (Of course you can use server-side scripts written by other people too!). Make sure your server does support the language (+ dependent libraries) you choose.
If what you want is (2) above, there are many ways to achieve this, but I'm afraid a server configuration change must be made:
(1) You can add an FTP server to your server (if you can). Then using Firefox with the FireFTP plugin (or using Internet Explorer, if that is your choice), you can upload / download the file.
(2) You can add / enable the WebDAV module to your web server. Adding the "WebDAV" function allows files to be opened / uploaded via HTTP. Microsoft calls this "web folder". Linux and Apple call this "WebDAV" (the original name). There shouldn't be a problem uploading your files with Windows Explorer (Windows) / nautilus (Linux - Gnome) / Finder (Mac OS X), even though they are not browsers.
Please provide more information to your question.
Kenji
