Prevent Non-Existent Directories From Loading Wildcard Files - apache

I am looking to prevent URLs for directories that don't exist from loading files with the same basename. For example http://domain.com/test/ is loading test.php. The test directory does not exist, but the file test.php does. I can see how this would be useful in most cases, but I am looking to disable it for my project.
I am on an Apache server. Is there a way to disable this option through an .htaccess file?
If there is an actual name for this type of feature, maybe "wildcard filename helper" or something like that, I'd like to know the official term too. Thanks!

This happens because MultiViews is enabled on the server.
If the apache configuration allows you to do so, you should be able to disable it by putting the following in .htaccess:
Options -MultiViews

Related

Is there any security differences between using .htaccess and moving all files outside web root directory?

I am trying to decide whether to use .htaccess files in each sub-directory to deny all requests for specific files (while also denying directory indexes), or whether it is more security conscious to move all files except for essential files (index.php, .htaccess, robots.txt) outside the root directory and call them from the index file.
Are there any critical differences in security between these two methods for securing files in my web application?
Here is a view of what the .htaccess looks like in the root directory.
# pass the default character set
AddDefaultCharset utf-8
# disable the server signature
ServerSignature Off
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|lock|DS_Store|json|)$">
order allow,deny
allow from all
</FilesMatch>
# disable directory browsing
Options All -Indexes
# prevent display of select file types
IndexIgnore *.wmv *.mp4 *.avi *.etc
However, this would not stop someone from accessing a file if they knew the directory structure such as https://www.example.com/security/please_dont_look.cfg
Although that file does not print anything, I don't want anyone to know it exists, and don't want a site-specific solution like using modredirect to redirect calls to specific files.
I could use a .htaccess file in each directory such as this:
order deny,allow
deny from all
From this question and reply (Prevent access to files in a certain folder)
Is one solution more bullet-proof than the other?
As always in such complex systems, security here is about having several lines of defense, keeping things simple and attempting to prevent as many attack vectors as possible.
Theoretically both solutions should provide you with the exact same level of security - the files would not be accessible in either case.
I'd recommend moving files that should not be accessed directly into a directory outside of the web root directory. It is quite easy to screw up htaccess files and thats just not possible when you move the files outside of your webroot. This will also prevent timing attacks against the directory structure of your server: reading htaccess files comes with a time penalty and that might be measureable, especially if your htaccess files get big and you have plenty of them for each sub directory. Actually I'd recommend skipping htaccess entirely, just disable indexes directly in your vhost configuation, such that Apache does not have to look for htaccess files at all, speeding up your website.
Additionally, in case you run php via fcgi, you should disallow file access on a file system level for apache and just allow access from php. With this setup it should be outright impossible to access your files by attacking the webserver (excluding php) unless you have some privilege escalation vulnerability (in which case you are screwed anyways).
The only way to access your confidential files in this setup would be to convince PHP to read the file or to mess with the file system, i.e. by creating a hard link from your web root into your "confidential files outside web root"-directory. Preventing against that boils down to ensuring your PHP configuration is as restrictive as possible, file creation inside the webroot is disallowed and, most importantly, ensuring that the PHP application itself is not vulnerable.

How can I get Apache to serve index files from subdirectories that have the same name as the subdirectory?

I was just asked to work on a terrible site that the client is running off IIS. I can't make changes to the live server so I attempted to install the site on my testing server running Apache.
The site's homepage is up and running but I cannot navigate to any subdirectories. The nav menu has links like /about-us/ -- however, there is no index.php file in the about-us directory. Instead there is a file named about-us.php.
If I was getting paid to fix the site up I would do the work to rename the files and/or links, but for now I just want to get this thing running so I can make my CSS and content edits and be done with it. I assume there is some easier way (using htaccess?) to dynamically tell Apache that, when directed to a subdirectory, look for /foo/foo.php instead of /foo/index.php -- right now all I get is a directory listing or permission denied if I turn indexing off.
I've been Googling around but can't find anything that looks like the same problem -- can one of you rewrite gurus please point me in the right direction?
The best approach for you is to set the appropiate DirectoryIndex for each directory as in:
<Directory /path/to/about-us>
DirectoryIndex about-us.php
</Directory>
You can also define a single "controller" in case there is no index page found, this is done like:
FallBackResource /index.php

How to do URL rewriting in Apache through Chef?

I've made a cookbook in Chef to install a web application, Apache and PHP.
This web application has a PHP document that clients access in this URL:
http://localhost/www-app/ClientFE
With this I have a problem. By default PHP will only interpret documents that have a PHP extension, and as my URL doesn't have it, it gets interpreted as text. I can't change the file's extension because the client (which is also software) should not be modified.
What I want to accomplish is to make PHP interpret that document, and for what I've investigated it can be accomplished in three ways at least: configure appropriately PHP, create an alias, create a rewrite rule.
First: I could configure PHP to interpret the desired document:
<FilesMatch "/www-app/ClientFE">
SetHandler application/x-httpd-php
</FilesMatch>
Second: I could do it through mod_write (I would have to rename the fill in the web app, which is also acceptable for me):
RewriteCond ^/www-app/ClientFE /www-app/ClientFE.php
Third: I could do it with mod_alias in a similar fashion than mod_rewrite.
The 3 are good for me, but my problem is: how to do them with Chef ? I haven't been able to find useful docs about it, and I have already tried to put this in my recipe (I found them around the Internet but they haven't worked):
apache_rewrite do
source "/www-app/ClientFE"
target "/www-app/ClientFE.php"
end
and this
apache_module "alias" do
source "/www-app/ClientFE"
target "/www-app/ClientFE.php"
end
Some people in my company suggested 2 valid solutions:
Put the configuration in a .htaccess inside my web application. This works for me and allows to use the alternatives I mentioned above.
Do nothing! It happens that the Multiviews option in the Apache2 cookbook is enabled by default, and it allows Apache to resolve URL http://localhost/A as http://localhost/A.php .... I mean, if Apache is asked about file A, and it doesn't find it, then it will search for A.php instead.
From the two, I chose the later, and yes, it works. It wasn't working before because in my many attempts I created both A and A.php and in that case the Multiviews has no effect.

How Come Everybody Can See My Private Files?

Sorry for the newbie question...
When I go to http://www.plans4boats.com/scripts/youtubeplayer/ in Google Chrome, I can see a full listing of the files there. What should I do if I don't want any old hacker to just come in and view/copy my source codes? Does it have something to do with htaccess?
I discovered that putting a blank index.html file in the folder helps for THAT folder, but it still leaves all subfolders vulnerable.
What should I google for more information on how to set up my server to prevent this?
Just set Options -Indexes for that particular directories either in an .htaccess file or a <Directory> or <Location> container.
What you need to do is turn of Directory Listing for your specific server. I don't know what server you're using so I can't walk you through it, but just google your server name and how to disable directory listing.
I created a file called .htaccess and put the following contents:
IndexIgnore /

Popular techniques to debug .htaccess

I'm a self-taught coder and I like to debug by echoing suspicious variables and commenting out code.
Lately, I've had to learn more about the .htaccess file. I need it to do things like interpret php scripts as php5, url rewriting, limit file upload size etc.... I have a lot of trouble debugging a .htaccess file. I often have to migrate PHP applications from one shared hosting environment to another. Sometimes this breaks the .htaccess file (or instead, something in the .htaccess file breaks the site). I check to make sure domain names are updated.
Are there popular techniques for debugging a .htaccess file? Is it just look in the apache logs? Anything else?
Looking in the apache logs is the easiest way to debug .htaccess imho (adding rewriteLog Directive if necessary)
About migrating: if you are not using any physical file paths inside .htaccess (i.e. /var/www/site/script.php) they should be working without problems. If this is not the case, first try to remove all options and leave only redirect directives, in this mode you can see if it's problem with server configuration which denies rewriting of default settings.
Some reference