I had a terrifying issue a few days ago. I was installing updates on my ubuntu server, which is a hosts for about 10 websites. During the update, something went wrong, and apaches mod_php became disabled. As a result, PHP support was gone, and for a few minutes (until I figured what's wrong) users got an invitation to download PHP scripts, instead of seeing a website. Needless to say, there is nothing worse then exposing your script sources to the whole world, especially when database credentials are kept inside.
The question: How can I configure apache, so this situation would not be possible in the future? What lines should I add to apache2.conf, so that PHP files could not be downloaded, if mod_php is disabled?
Just add the following to the .htaccess in the root directory
php_admin_flag engine on
In this case user will get HTTP 500 error trying to read any file from this dir and below because no module defines php_admin_flag directive in case mod_php is off.
A more secure approach would be simply to not put things you don't want accessed in the document root in the first place. See my answer here which provides more detail; the basic idea is, if you don't ever want a file accessed via URL, don't put the damn file in a URL accessible place. 99% of your app code should not be under the document root; then it doesn't really matter what you do to your apache/php setup, you're still safe.
Related
I have been trying to understand a way to run PHP within .html in my server 2019. If there is a way to do so? can someone give me some guidance on it?
There was a post on this already How to run php code in html file on windows server?, but it does not seem to be much help.
Thank you for the help!
You cannot execute PHP code in html, you can do that only in .php file with the help of a web server.
You can have an ajax call that will interact with a url (which can be a PHP file resource) and that can return some processed result.
.php file can have html and it will work all fine but you need a web server to run the .php files. You can install wamp/xampp on your windows server and use that to do some processing using your .php file.
I'm not 100% sure why you would do this, .htm and .php files are both common on the internet. You either have to provide a full link containing the file type or perform some sort of rewrite to remove the extension for end user simplicity and this process would be fairly similar whether its .htm or .php youre dealing with.
To answer the question though, i havn't personally done this, but the link you provided implies it should be possible. What they're talking about is adjusting the "Handler Mappings" in IIS. This can be done at two levels, either at Webserver level or Website level. If you open Internet Information Services Manager (assumes you root access to the windows server and not just access to upload a website, if you don't the server admin will need to do this!) you will get a tree down the left side called "Connections". Under Connections either:
Click the PC Name (a server with a globe icon) for server level
Or
Click the website (just a globe under the sites folder for site Website level)
Then you need to find the Handler Mappings on the main window under IIS > Handler Mappings.
they are then suggesting creating a mapping for .htm and .html that follows the same rules as the .php mappings. I would read up on this page and what it does though.
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/handlers/
A couple of things to note:
You may have to install PHP yourself using the Web Platform Installer as i recall it's not there by default on all (if any) versions of IIS. Until you do this you may not see the PHP handler mappings mentioned in the above section.
you will likely need a mapping for .htm and .html separately.
.htaccess files dont work in IIS, you usually have to find a web.config equivalent, i suspect you wont find one for this though due to how IIS works.
If you dont own the server or all of the sites on it, you may wantr to do this at website level first to make sure it doesn't break any of the other sites.
I currently have: www.MYPAGE.com/category (a site I reach from my shop site)
But I want: www.MYPAGE.com/shop/category (so the subpages kinda stack)
So how do I actually achieve that ? Working with .htaccess or a more simple way ?
if you want .htaccess
# Redirect old file path to new file path
Redirect /olddirectory/oldfile.html http://example.com/newdirectory/newfile.html
but you can use framework route if you use one
I'm assuming you're not using a CMS (Wordpress ect) and are just using plain old html.
To change the URL structure simply change directory structure.
So for example put your category index.html file in the directory /shop/category/ and the hyperlink to that page is now www.MYPAGE.com/shop/category/
Can't comment yet, so I'll risk a bad answer.
Up front, it's been a while since I used php (php4). But we never used php without some other software, usually Apache, to actually serve pages.
A quick check on the php and pear documentation sites doesn't show me that the situation has changed much.
Therefore, I'll start with the simplest description I can remember.
Your server machine runs an OS. You have a web server such as Apache, Nginx, Microsoft's IIS, lighttpd, etc., fielding queries from the web in http protocol. (Skipping discussion of https, look that up later.)
If we were using Apache's httpd, there would be a configuration file for Apache, usually called httpd.conf. In a Linux or Unix environment, this is usually under /etc/(somewhere) in the file system. In that file, you would have a declaration of the document root directory.
Unless you add other configurations, the directories under the declared document root are available to the web as they are in your file system. So, if the document root is set as /var/www and your your domain name (which is a separate topic I assume you are not asking about) is set up as in your example -- www.MYPAGE.com, then the file
/var/www/aboutus.html
would be available on the web as
www.MYPAGE.com/aboutus.html
and the directory
/var/www/shop/
would be available on the web as
www.MYPAGE.com/shop/
Apache allows you to redefine that structure with configuration directives such as Alias and ScriptAlias. Script configurations are the basics for hooking php into your httpd server. Apache's configurations for those can be found from their documentation page on url mapping, which you can find through the links above. (I don't have enough cred to post more than two URLS, sorry.)
You might want to look at virtual hosts (vhost) as well, but focus on Aliases for now.
Say you have product photos in
/var/app/products/photos
You could have an Alias like this:
Alias "/shop/images" "/var/app/products/photo"
and (if I remember right and if you don't have locations and url re-writing set up) they would be available on the web at
www.MYPAGE.com/shop/images
And, since I don't have enough cred to post more links, that's as far as I can go with this. Take a quick look at mod_rewrite in the httpd documentation.
Then look in the php documentation for related configuration directives, and it should take you maybe a day of practice at most to understand the basics.
Do get your boss or teacher to allow you to use the time and hardware to practice. Otherwise, your productivity will be stuck in the mud.
I am developing a website which provides the option that clients can upload their PHP scripts to a specific directory on my server. I want to make sure that my system is secure, and thus I do not want people to be able to use those PHP scripts to edit or view files outside of the directory they are uploaded to. In other words, if there is a file at public_html/directory1/foo.php, it should only be able to edit and view files in public_html/directory1, and should not be able to edit or view files anywhere else on the system. Is there any way of doing this?
This is super dangerous. Technically there are ways to do this if you know your way around linux/windows user and group configuration, Apache configuration, and PHP configuration. You'll need to run Apache under a user with extremely specific permissions and configure PHP to forbid certain types of commands (most notably the exec/system commands, but there are a lot of other ones that are likely to get you in trouble).
I'd strongly suggest you try to figure out a way to avoid giving your users the right to upload files to a folder where they'll be evaluated by the server as PHP. There's just too many things that can go wrong, and too many settings that can be overlooked.
If you do decide to go this route, do a lot of reading on secure PHP configuration and Apache Privilege Separation.
Since PHP is a server side script, I belive you'll find it hard to properly secure your system. Having said that, you can limit those files by running the apache server by a user which have no access to other directories, check SElinux for more info. please note that it's really hard to do so, you might forget even one file which can be used later to hack the system.
A better way might be running these server on top of a VM, so that even if someone hijacks the VM, you could always shut it down and restore it's data.
I have a doubt about PHP, Apache, server interpretation... I know that when a PHP file is loaded by the browser from an Apache+PHP server it is interpreted and only the HTML and plain text is showed but is there a way to download this files instead of interpreting them?
In this case it would be very unsecure because MySQL passwords would be unsafe.
Is it any security measure to prevent this or it's impossible to download this files?
As long as your server is setup properly it isn't going to happen.
A good step though is to put all of your actual passwords and whatnot in a config.php and including it. That way you can use htacces too block that file so that should your server ever start serving the raw pages that file won't be accessible anyway.
To clarify if you create a .htaccess file and place it in the same folder as the config.php with the below information that file will not be served, even if requested directly. Simply define your config stuff (db name, user name, password, hashes, etc) in this file and include_once it at the top of each page that needs it and you will be good to go.
<files config.php>
order allow,deny
deny from all
</files>
There is no way to 'download' PHP files, but for more security you can place your 'core' PHP files outsite of the public_html folder
Unless the PHP interpreter stops working for some reason, it's not something to worry about. Most servers are designed to interpret the PHP files every time they are requested and serve only the interpreted HTML text. It's possible to secure your sensitive PHP settings files just in case - often by placing them outside of the root directory with modified permissions.
The only way someone could download the files is to have a server set up that serves the raw files. As long as you don't have such a server set up, they're inaccessible. If the only server software on your system is Apache and it's configured correctly, people cannot see your source code.
However, if somebody seeing your source would render your app vulnerable, you might want to give some thought as to how you can fix that problem. Lots of secure open-source software exists — why would yours being open-source cause problems?
With proper configuration apache guarantees that files will always get interpreted and won't be offered for download.
You always may install fault update or make wrong configuration, but with skilled admin and stable release those cases just don't happen.
I have found that I have a similar attack to the one mentioned here
giant regex hack
The file keeps getting recreated and I cannot see from where its coming. How can I fix this? Anyone with a similar experience? I am running joomla 1.5.25
How can I trace the script that includes this file? How do I secure the site?
Its always recommended that you keep the permission of your .htaccess file as readable only.
chmod 0555 .htaccess
But regarding the hack being created again and again, there could be just numerous reasons. Like the host not properly configured, such that, on a shared hosting, a script running for a different domain can access scripts for your own domain.
Also check, what kind of files do you allow to upload, whether it's Admin or Frontend. Make sure, its not just any file upload is allowed. Executable files like PHP should not be allowed to be uploaded.
Yikes, that's not a good situation. I've seen it happen a few times and more often than not the solution was to recreate the website from a clean Joomla install, copy over the data and reinstall components.
However first check that the permissions are ok (no 666, 777, etc) and definitely check the VEL to see if any of your extensions have know vulnerabilities http://docs.joomla.org/Vulnerable_Extensions_List
You could also check on the Inj3ctor database http://www.1337day.com/ .
Most hacks like these happen via out of date extensions, open permissions, or as linuxeasy mentioned a poorly configured host.
Would highly recommend installing jhackguard or eyesite on the website. Eyesite will monitor your files and notify you when changes occur -http://extensions.lesarbresdesign.info/extensions/eyesite