I am using a PHP application I downloaded, and it is half working on my server, however I am having what I believe is a re-write error.
The application is a "job board" where people will be able to browse available positions, and apply online.
Currently it is "technically" working. A person can view the site, and postings, and they can fill out the application form. The message is sent properly.
The problem is that once the submit button is pressed the browser shows that the page is loading, but nothing ever loads. So the message is sent, but the following page is not loaded.
The application uses htaccess rewrites, and I believe this is where the problem is.
The application is supposed to work out-of-the-box on a top level domain, however I am trying to use it on a subdomain. Am I correct in assuming that technically there is not much difference when using a subdomain? After all, the pages all load fine until the form is submitted.
The application is running at http://volunteer.essentialtransit.com
What you see is the application after initially being set up, and I added one sample "job".
You can try applying to see the problem I am referring to. It is a very simple application form that only takes a few seconds to complete.
Here is the htaccess file:
# AddType x-mapp-php5 .php
# AddHandler x-mapp-php5 .php
RewriteEngine on
Options +FollowSymlinks
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
ErrorDocument 404 /page-unavailable/
<files ~ "\.tpl$">
order deny,allow
allow from none
deny from all
</files>
Perhaps if someone can explain what the htaccess rules are doing I can figure out the problem.
EDIT: So the page actually does load, but only after a very long time. The browser shows that the form is sent, and then following page starts to load, but then it takes minutes to actually load. All other pages on the site load quicker than that. The other strange things is that when a "job" page is initially opened it loads quick, after applying it just redirects back to the same "job" page, however this time it takes forever to load.
Rules are self explanatory:
RewriteEngine on # Enables rewrite engine (obviously)
Options +FollowSymlinks # Tells Apache to follow symbolic links
RewriteCond %{REQUEST_FILENAME} !-f # Here it redirects non-files
RewriteCond %{REQUEST_FILENAME} !-d # and non directories
RewriteRule . index.php [L] # to index.php
ErrorDocument 404 /page-unavailable/ # Sets 404 page address
<files ~ "\.tpl$"> # Denies access to templates
order deny,allow
allow from none
deny from all
</files>
I doubt your issues have something to do with these rules.
Related
I want my application to allow pages to be accessed / referenced only from the application pages rather than from external addresses. with the exception of the main(index.php) page that will serve as access to the application. So for example if i build an html file in my desktop with a link or form to the destination of the application pages i want it to redirect to index.php.
How can i do this?
I tried to add this rows .htaccess
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
<Files /index.php>
Order Allow,Deny
Allow from all
</Files>
<FilesMatch ".*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
But this didn't work because the desktop file was still in my server .
Edit 2:
I edited the .htaccess file to this and now it works
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteCond $1 !^(index\.php)
RewriteRule ^(.*)$ http://localhost/website/index.php [R,L]
If you mean that you don't want your pages like config.php, x.php, etc. to be accessed directly through browser then you can simply define a constant on index.php page and check its existence on any other PHP file.
In case you want your forms to submitted only through index.php, then the only solution is to use a changeable CSRF token, generated by index.php and valid only for one time usage. That way you'll make sure that no-one can just clone the form inputs and spam you with requests from another server.
Still it's very difficult to totally prevent anyone from sending you requests from outside your server. A go-around techniques can be used to bypass token validation. Attackers can simply send a CURL request to fetch a new token then placing it automatically into the form and sending the request from outside
the server.
My website has a library / directory path like:
{root}/pages/{files}.php
My index.php path is the following: {root}/index.php
I want, that when people go to (as an example) 'login.php' (which exists in the /pages directory. that the url does not contains the '/pages'.
So:
www.website.com/pages/dashboard.php
Redirects to
wwww.website.com/dashboard.php
And that it is possible that when people access www.website.com/dashboard.php they can access this page.
Sorry for the bad explaining, can't find the good words for it.
Edit : This is my .htacces now
RewriteEngine on
# Rewrite automatic to /index.
RewriteCond %{REQUEST_URI} ^/$
# Second check for if above doesn't do the job [www/https].
RewriteCond %{REQUEST_URI} !^/index [NC]
RewriteRule ^$ /index [R=301,L]
# Delete all the .php and .html extensions from files [url-related].
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.html -f
RewriteRule ^(.*)$ $1.html
# Prevent people for looking inside the .htacces file.
<Files .htaccess>
order allow,deny
deny from all
</Files>
And I did try this:
RewriteRule ^/?pages/(.*)$ /$1 [R=301,L]
(Which did redirect me, but still received a 404 error.
I doubt you can do that with .htaccess only. (EDIT: you can, see "EDIT" below)
What you want is to PRETEND that login.php were in the root directory, but actually it is not.
EDIT: I think I mixed it up. You could do it with the .htaccess-file only. But I don't recommend it. You would have to add all redirections per hand (or develop expressions for the different cases).
Instead, I propose to use the following technique. It is basically the start of a self-made Content-Management-System, where the user can create pages on their own and name the URL leading to this page. Also, this all can be extended to an ajax-supporting website to be really up-to-date!
Using .htaccess only
In case you are not interested in the named advantages of the controller-technique, replace the code in your .htaccess-file and your login-page-problem is solved.
RewriteEngine on
#catch www.example.com/login.php and redirect without user's conciousness to www.example.com/pages/login.php
RewriteRule ^(login.php)$ http://www.example.com/pages/login.php [NC,L,QSA]
# Prevent people from looking inside the .htacces file.
<Files .htaccess>
order allow,deny
deny from all
</Files>
In case you want to gain more (and actually helpful) knowledge and want to learn a universal technique of how to start a CMS with the named advantages, continue reading!
Goal of this example
When the user calls the URL "www.example.com/login", the login-page ("login.php") will be loaded.
Setup
You need a .htaccess-file in the root directory.
You need a "controller" in the root directory (I propose index.php).
You need content pages somewhere, in this example a file called "login.php" in root/pages.
Htaccess will redirect all URLs to this controller, also it passes the URL originally called by the user. Based on the passed URL the controller decides which page content to load. In our case it will be login.php.
Controller
path: root/index.php
<?php
function callPage($data) {
if (isset($data['path'])) {
// get the correct file for the given path
switch ($data['path']) {
case "login":
include("/pages/login.php");
break;
default:
// show 404 error if given path is unknown
include("/pages/error.php");
}
}
}
?>
<html>
<head></head>
<body>
<div id="page"><?php callPage($_GET); ?><!-- load called page's content --></div>
</body>
</html>
Example content page
path: root/pages/login.php
<p>I am a happy login page. See, that I don't need any HTML Tags, a body or a head, because I am meant to be used only when mother index.php calls me up and integrates me. Life's so easy!</p>
<p>And do you know what's the best? I can even run PHP inside myself! Awesome, isn't it?</p>
.htaccess-file
path: root/.htaccess
RewriteEngine on
#if called file or directory reallyexists, don't redirect (might lead into a loop)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#redirect every URL (that does not really exist) to index.php
#the URL the user called can be accessed in index.php in $_GET['path']
RewriteRule ^(.*)$ http://www.exampe.com/index.php?path=$1 [NC,L,QSA]
# Prevent people from looking inside the .htacces file.
<Files .htaccess>
order allow,deny
deny from all
</Files>
Impulses
This is of course a very basic example. Currently, there is no advantage in using this technique instead of a simple redirection in the .htaccess-file, rather only disadvantages. But it is now on your own to enhance it. Some possibilities:
index.php: Replace the switch with a database call. It takes the user's url and returns the corresponding "real" URL (the one the user never sees)
Add a title to the page (also saved in database)
Implement an Ajax-support for your website
In the end, this leads to a small system, which can be extended to an own CMS
My wordpress is infected by malware. I found malicious code attached right after jquery codes in every js file.
Also I found multiple requests being made to unknown host/ip. I'm unable to find which script makes this call.
So I'm thinking to block any request to third party domain or IP via htaccess. But it doesn't seem to work.
Please advice the correct way to write this.
path to .htaccess file:
public_html\.htaccess
The content if it (before changes):
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
I tried:
attempt 1
//but I don't think this is relevant as it's meant for incoming
requests
order allow,deny
allow from all
deny from 134.249.116.78
attempt 2
Deny from 134.249.116.78
This is how network tab looks like:
And the header like this:
You will need to do this at the Web Server level of your stack. In your case using Apache configuration.
Specifically, the important one for your question is:
Header always append X-Frame-Options SAMEORIGIN
Additionally for the issue of XSS
Header set X-XSS-Protection “1; mode=block”
It should be noted that is not all that is necessary to lock down a server and that will not stop all XSS but it is a step towards a more secure server environment.
I'm new to rewriting urls and wanted to know how i would rewrite
From this
/profile/4
To this
/profile.php?id=4
I have this rule so far
RewriteRule ^profile/([0-9]+)/?$ profile.php?id=$1
but it displays this in the browser
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
It displays /profile/4/index.php in the browser address bar which is incorrect.
.htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
Options +FollowSymlinks
RewriteEngine on
#ErrorDocument 404 /test.php
DirectoryIndex test.php
RewriteRule settings editProfile.php
RewriteRule update update.php
RewriteRule home test.php
RewriteRule ^profile/([0-9]+)/?$ profile.php?id=$1
You are pretty much there. Try using this instead
RewriteRule ^profile/(.*)$ profile.php?id=$1
I found this good free resource online to help you test your rewrite rules before you post them to your live site. This may help for the future. It looks like your rule should work as you have it posted though. The problem must be somewhere else.
Your rule is just fine so there's a redirection somewhere conflicting with it. I suppose that you don't have a real directory at /profile/4 so they main candidate left is mod_negotiation. Try this:
Options -MultiViews
Just looking for a bit of help with Tinybrowser - I've tried updating it to the latest version but it's still failing. If I click the 'Upload' tab I get a 404.. I'm thinking it's possibly to do with the htaccess, but I'm not too hot with htaccess rules so I can't pinpoint it.
If I visit the page directly (/admin/javascript/tiny_mce/plugins/tinybrowser/upload.php?type=image&tokenget=315af6ee7cf85bc6170760a0c1a5b86d&folder=) I get a 404 as well. If I take off 'folder=' it'll go to the page, if I make it follllder=, it'll go to the page. So for some reason 'folder=' seems to be causing problems. Even if I manually put in a string for the folder var.
The htaccess is as follows:
# default
Options All -Indexes
RewriteEngine On
RewriteBase /
# Make sure there's no way of getting to this file
<FilesMatch "\.htaccess$">
Order deny,allow
Deny from all
Satisfy all
</FilesMatch>
RewriteRule ^login(/*)$ system/login/ [L,QSA]
# Route all other traffic to index.php (front controller)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?_args=$1 [L,QSA]
AddType text/x-component htc
If I remove
RewriteRule ^(.*)$ /index.php?_args=$1 [L,QSA]
I end up getting a 403 forbidden error, but obviously it's not really feasible to remove this line anyway.
Thanks in advance guys
I just ran into this as well.
The problem appears to be a security restriction on some servers that relates to the filename of the PHP file, as well as the "folder=" querystring.
I got around it by renaming upload.php to upload_tab.php, and then modifying tinybrowser.php to reference the upload_tab.php file:
if($tinybrowser['allowupload'])
{
?><li id="upload_tab"><span><?php echo TB_UPLOAD; ?></span></li><?php
}
This allows you to see the upload window, and submit some files using POST variables.
However, a problem remains...
The particular server I came across also has a similar restriction on a request to upload_file.php with a querystring of 'folder='. There isn't an easy fix for this, apart from decompiling flexupload.swf (which I tried, but couldn't recompile it) so I couldn't fully resolve the issue.