What can i do to stop Apache execute code in files that have .php prepended before extension ex: .php.txt , php.pdf , i do not know if this is related to webuzo admin panel n/or apache in general ?
Apache version 2.2.34
Opened thread on webuzo forum ,if anyone else has this issue , it might be related :
https://www.softaculous.com/board/index.php?tid=17642
This is reasonably standard behaviour - files can have multiple extensions on Apache. (As they can on other OS / filesystems.)
However, this behaviour can be avoided.
Whether files that end in .php.txt or .php.pdf are processed for PHP is dependent on how PHP is enabled on the server.
For example, if you simply use AddHandler then any file that contains a .php extension (like .php.txt) will be processed by the PHP handler:
AddHandler application/x-httpd-php .php
However, if you only call SetHandler on the specific file pattern, ie. when .php occurs at the end of the filename, then this behaviour can be avoided.
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
NB: This is not a copy/pastable solution - it really depends on how PHP is implemented on your Apache web server.
Depending on your requirements you could potentially block requests to files that contain a .php extension, but not at the end of the URL-path. For example:
<FilesMatch "\.php\.">
Order Allow,Deny
Deny from all
</FilesMatch>
NB: This is Apache 2.2 syntax (as stated in the question). If you are on Apache 2.4 then you'd use Require all denied instead of the Order and Deny directives in the last block.
I want to disable php in a directory on my server.
I thought that setting Options -ExecCGI in httpd.conf would prevent php scripts from being executed, but obviously I am wrong.
So, this is what I have in my httpd.conf, which obviously does not work:
<Directory "C:/xampp/htdocs/(path_to_directory)/dirname">
Options -ExecCGI
AllowOverride None
</Directory>
The question is, how can I prevent php scripts from being executed in a specific folder?
Can in be done in httpd.conf or do I have to use a .htaccess file?
php_flag engine offonly works if you are using mod_php(as well as mod_php7.x) than php-fpm
Seems you are using php-fpm, so add the further lines into httpd.conf:
<Directory "C:/xampp/htdocs/(path_to_directory)/dirname">
<FilesMatch ".+\.*$">
SetHandler !
</FilesMatch>
</Directory>
or these in .htaccess in the Directory you don't expect the execution of PHP:
<FilesMatch ".+\.*$">
SetHandler !
</FilesMatch>
I have tested it on an Unix Platform rather than a Windows, Hope it would help U.
you can do this with .htaccess file. you need to place a .htaccess file in the folder you don't want to execute the php with following htaccess code.
<Files *.php>
deny from all
</Files>
see here in more details http://www.wpbeginner.com/wp-tutorials/how-to-disable-php-execution-in-certain-wordpress-directories/
Also you can Try to disable the engine option in your .htaccess file:
php_flag engine off
Go to php.ini in the root folder of xampp inside PHP and set engine to off:
engine=off
I am a beginner of web development and just started to learn about a month
intro:
I recently come across SQL injection and decided to look it up. After summarizing it, I tried to upgrade my cpanel php version from 5.3 to 5.4 due to PDO support. So I was messing around with .htaccess file and after I uploaded my new .htaccess file I can no longer view my php page again. I don't remember what codes did I put.....
Question: What should I do to undo my stupidity?
Tried solution:
I emptied my .htaccess file and still the same result
I loaded up codes in .htaccess file with
LoadModule php5_module modules/libphp5.so
AddHandler php5-script php
AddType application/x-httpd-php php
(from Browser ask me to download php file)
and still the same result
Somewhere I have read to change the php file name will undo the damage, It works. But I like my original php file name, so I tried rename back to the original file name and the problem happens again
Sorry for my bad English practice
Update:
I was browsing my website again, and somehow got into an error saying 500 - Internal Server Error, so I decided to delete all my files in public_html file. Then,I re-upload all my web file again and suddenly it all worked. Did not download php file again.
Thanks for everyone who spends time on looking at my problem. I apologize to all the contributor.
The file name on both regist and register have a extension name of .php
You're being asked to download the file because the server no longer recognizes the file as something it needs to process.
I'm not sure why you would need all the PHP declarations in your .htaccess file (especially LoadModule). Normally those are stored in config files (files like /etc/httpd/conf.d/php.conf). Here's what the default on my box looks like (this is for Apache so YMMV)
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
#<IfModule prefork.c>
<IfModule !worker.c>
LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
LoadModule php5_module modules/libphp5-zts.so
</IfModule>
#
# Cause the PHP interpreter to handle files with a .php extension.
#
#AddHandler php5-script .php
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
AddType text/html .php
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps
Recently I configured Apache 2.2 server to run PHP and have configured to load PHP 5 as a module. I am able to start Apache with no problems but when I try to run PHP files it pops up would you like to open or save file?
Running on Windows XP SP3
Internet Explorer browser but not related
Simply trying to open it as a file not as my index.php and haven't set Apache to look for that as my index. If it helps I think my issue might be here:
;AddType application/x-httpd-php .php
;AddType application/x-httpd-php .php5
;AddType application/x-httpd-php .phtml
I tried to modify in my Apache conf file addtype and addhandler but no change and apache still starts both ways.
I tried putting these inside the mime configuration part and outside of it same both ways but not sure where in doc that should go my loadmodule part is also entered.
Im not sure but the only other place i could see being an issue would be in my php.ini file to which i have made no modifications.
Can someone point me in the right direction? What I am missing here?
Edit httpd.conf and add (or remove the ; at the begin of line):
# PHP 5.x module
LoadModule php5_module modules/libphp5.so
AddHandler php5-script .php
# Add index.php to your DirectoryIndex line:
DirectoryIndex index.html index.php
AddType text/html .php
# PHP Syntax Coloring
# (optional but useful for reading PHP source for debugging):
AddType application/x-httpd-php-source phps
I don't know, but I think you need to restart the Apache.
From http://dan.drydog.com/apache2php.html (step 11)
I'm making a website which allows people to upload files, html pages, etc... Now I'm having a problem. I have a directory structure like this:
-/USERS
-/DEMO1
-/DEMO2
-/DEMO3
-/etc... (every user has his own direcory here)
-index.php
-control_panel.php
-.htaccess
Now I want to disable PHP, but enable Server-side includes in the direcories and subdirectories inside /USERS
Can this be done (and if so, how)?
I use WAMP server
Try to disable the engine option in your .htaccess file:
php_flag engine off
To disable all access to sub dirs (safest) use:
<Directory full-path-to/USERS>
Order Deny,Allow
Deny from All
</Directory>
If you want to block only PHP files from being served directly, then do:
1 - Make sure you know what file extensions the server recognizes as PHP (and dont' allow people to override in htaccess). One of my servers is set to:
# Example of existing recognized extenstions:
AddType application/x-httpd-php .php .phtml .php3
2 - Based on the extensions add a Regular Expression to FilesMatch (or LocationMatch)
<Directory full-path-to/USERS>
<FilesMatch "(?i)\.(php|php3?|phtml)$">
Order Deny,Allow
Deny from All
</FilesMatch>
</Directory>
Or use Location to match php files (I prefer the above files approach)
<LocationMatch "/USERS/.*(?i)\.(php3?|phtml)$">
Order Deny,Allow
Deny from All
</LocationMatch>
If you're using mod_php, you could put (either in a .htaccess in /USERS or in your httpd.conf for the USERS directory)
RemoveHandler .php
or
RemoveType .php
(depending on whether PHP is enabled using AddHandler or AddType)
PHP files run from another directory will be still able to include files in /USERS (assuming that there is no open_basedir restriction), because this does not go through Apache. If a php file is accessed using apache it will be serverd as plain text.
Edit
Lance Rushing's solution of just denying access to the files is probably better
<Directory /your/directorypath/>
php_admin_value engine Off
</Directory>
This will display the source code instead of executing it:
<VirtualHost *>
ServerName sourcecode.testserver.me
DocumentRoot /var/www/example
AddType text/plain php
</VirtualHost>
I used it once to enable other co-worker to have read access to the source code from the local network (just a quick and dirty alternative).
WARNING !:
As Dan pointed it out sometime ago, this method should never be used in production. Please follow the accepted answer as it blocks any attempt to execute or display php files.
If you want users to share php files (and let others to display the source code), there are better ways to do it, like git, wiki, etc.
This method should be avoided! (you have been warned. Left it here for educational purposes)
None of those answers are working for me (either generating a 500 error or doing nothing). That is probably due to the fact that I'm working on a hosted server where I can't have access to Apache configuration.
But this worked for me :
RewriteRule ^.*\.php$ - [F,L]
This line will generate a 403 Forbidden error for any URL that ends with .php and ends up in this subdirectory.
#Oussama lead me to the right direction here, thanks to him.
If you use php-fpm, the php_admin_value will NOT work and gives an Internal Server Error.
Instead use this in your .htaccess. It disables the parser in that folder and all subfolders:
<FilesMatch ".+\.*$">
SetHandler !
</FilesMatch>
This might be overkill - but be careful doing anything which relies on the extension of PHP files being .php - what if someone comes along later and adds handlers for .php4 or even .html so they're handled by PHP. You might be better off serving files out of those directories from a different instance of Apache or something, which only serves static content.
On production I prefer to redirect the requests to .php files under the directories where PHP processing should be disabled to a home page or to 404 page. This won't reveal any source code (why search engines should index uploaded malicious code?) and will look more friendly for visitors and even for evil hackers trying to exploit the stuff.
Also it can be implemented in mostly in any context - vhost or .htaccess.
Something like this:
<DirectoryMatch "^${docroot}/(image|cache|upload)/">
<FilesMatch "\.php$">
# use one of the redirections
#RedirectMatch temp "(.*)" "http://${servername}/404/"
RedirectMatch temp "(.*)" "http://${servername}"
</FilesMatch>
</DirectoryMatch>
Adjust the directives as you need.
I use in Centos 6.10 for multiple folders in virtual host .conf definitioin file:
<DirectoryMatch ^/var/www/mysite/htdocs/(nophpexecutefolder1|nophpexecutefolder2)>
php_admin_value engine Off
</DirectoryMatch>
However, even though it doesn't parse php code the usual way it still outputs from a .php things such as variable declarations and text when doing echo e.g.
<?php
echo "<strong>PHP CODE EXECUTED!!";
$a=1;
$b=2;
echo $a+$b;
The above produces in web browser?
PHP CODE EXECUTED!!"; $a=1; $b=2; echo $a+$b;
This could potentially expose some code to users which isn't ideal.
Therefore, it's probably best to use the above in combination with the following in .htaccess:
<FilesMatch ".*.(php|php3|php4|php5|php6|php7|php8|phps|pl|py|pyc|pyo|jsp|asp|htm|html|shtml|phtml|sh|cgi)$">
Order Deny,Allow
Deny from all
#IPs to allow access to the above extensions in current folder
# Allow from XXX.XXX.XXX.XXX/32 XXX.XXX.XXX.XXX/32
</FilesMatch>
The above will prevent access to any of the above file extensions but will allow other extensions such as images, css etc. to be accessed the usual way. The error when accessing .php:
Forbidden
You don't have permission to access /nophpexecutefolder1/somefile.php on this server.
<Files *.php>
Order deny,Allow
Deny from all
</Files>