Is there a way to stop people from accessing directories where all my members' files are stored?
For example, I have mysite.com/members/$mem_id and in there that particular member's files are stored, such as images. Is there a way to stop all of these from being accessed directly from the URL bar, without placing index.php in every folder, possibly with .htaccess?
Also, once the folders have been blocked, the site itself still needs to access the files in them to display them around the site.
To disable directory listing you can use .htaccess and add this line:
Options -Indexes
I have a static website on an Apache server. I have a folder (whose name I don't give out to anyone else) that I don't want anyone to randomly stumble upon. Is there any way to have directory listing under a different page?
To clarify, I have directory listing turned off at the root folder of example.com. In the subfolder that corresponds to example.com/folder1/, I have another .htaccess that allows directory listing. However, I don't want someone who types in example.com/folder1/index.html or the equivalent to see the directory listing. I want them to have to go to example.com/folder1/otherindex.html to see the listing.
Is this possible with Apache?
Should be
DirectoryIndex filename
in your .htaccess.
I am trying to decide whether to use .htaccess files in each sub-directory to deny all requests for specific files (while also denying directory indexes), or whether it is more security conscious to move all files except for essential files (index.php, .htaccess, robots.txt) outside the root directory and call them from the index file.
Are there any critical differences in security between these two methods for securing files in my web application?
Here is a view of what the .htaccess looks like in the root directory.
# pass the default character set
AddDefaultCharset utf-8
# disable the server signature
ServerSignature Off
# deny direct requests for sensitive file types (the original had a trailing "|"
# in the pattern, which also matched names ending in a bare dot, and "allow from all",
# which would have served these files instead of blocking them)
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|lock|DS_Store|json)$">
order allow,deny
deny from all
</FilesMatch>
# disable directory browsing
Options All -Indexes
# prevent display of select file types
IndexIgnore *.wmv *.mp4 *.avi *.etc
However, this would not stop someone from accessing a file if they knew the directory structure such as https://www.example.com/security/please_dont_look.cfg
Although that file does not print anything, I don't want anyone to know it exists, and don't want a site-specific solution like using modredirect to redirect calls to specific files.
I could use a .htaccess file in each directory such as this:
order deny,allow
deny from all
From this question and reply (Prevent access to files in a certain folder)
Is one solution more bullet-proof than the other?
As always in such complex systems, security here is about having several lines of defense, keeping things simple and attempting to prevent as many attack vectors as possible.
Theoretically both solutions should provide you with the exact same level of security - the files would not be accessible in either case.
I'd recommend moving files that should not be accessed directly into a directory outside of the web root directory. It is quite easy to screw up htaccess files and that's just not possible when you move the files outside of your webroot. This will also prevent timing attacks against the directory structure of your server: reading htaccess files comes with a time penalty and that might be measurable, especially if your htaccess files get big and you have plenty of them for each sub directory. Actually I'd recommend skipping htaccess entirely, just disable indexes directly in your vhost configuration, such that Apache does not have to look for htaccess files at all, speeding up your website.
Additionally, in case you run php via fcgi, you should disallow file access on a file system level for apache and just allow access from php. With this setup it should be outright impossible to access your files by attacking the webserver (excluding php) unless you have some privilege escalation vulnerability (in which case you are screwed anyways).
The only way to access your confidential files in this setup would be to convince PHP to read the file or to mess with the file system, i.e. by creating a hard link from your web root into your "confidential files outside web root" directory. Preventing that boils down to ensuring your PHP configuration is as restrictive as possible, file creation inside the webroot is disallowed and, most importantly, ensuring that the PHP application itself is not vulnerable.
Is it possible to configure Apache to disallow web surfers from accessing particular folders and seeing a directory listing, but allow browsers to retrieve files from those folders? Let's say you have some images in a folder; you might want to allow users to see specific ones but not to view the contents of the entire folder. The user can only see the ones known to exist on the server in a particular folder.
Yes it is indeed possible using any of these directives:
Options -Indexes
OR
IndexIgnore *
My main index.php calls a couple of scripts via jQuery from a subdirectory. I need to block direct access to any files in this directory, but allow them to be accessed by index.php. I have tried simply the:
deny from all
approach, but this blocks even jQuery from loading the script. There is also an /images subdirectory that needs to be blocked from direct access. deny all disallows the image from being called in any way. Does anyone know how to do this?
Just use the file functions of PHP to get the content of the protected files, so only your PHP file (e.g. index.php) is able to handle the files of the protected dir.
Useful functions are:
file_get_contents()
fread()
...
Then you can include the JS code in your output HTML or send the content out as an image (then you should take a look at the header() function).
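The approach in the answer above (PHP reads the protected files and sends them with header()), combined with the earlier answer's advice to keep such files outside the web root entirely, as an added example that is not part of the original answers. It also covers the first question on this page, where each member's files live under their own subdirectory, since the relative path may contain subdirectories. The directory /var/www/example.com/private, the serve.php file name, the f query parameter and the extension allow-list are assumptions for illustration; readfile() is used instead of file_get_contents() so large images are streamed rather than buffered in memory.

```php
<?php
// Added example (not from the original answers): serve files that live
// OUTSIDE the web root through a single PHP endpoint, so Apache never
// exposes the directory itself, whatever .htaccess says or fails to say.

// Assumed layout: DocumentRoot is /var/www/example.com/htdocs and the
// protected files live in /var/www/example.com/private (not under htdocs).
const PRIVATE_DIR = '/var/www/example.com/private';

// Only these extensions are ever served, each with a fixed Content-Type,
// so a stray .php or .cfg in the private directory is never sent out.
const ALLOWED_TYPES = [
    'js'  => 'application/javascript',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

/**
 * Resolve a client-supplied relative path (e.g. "42/avatar.png") to an
 * absolute path inside PRIVATE_DIR. Returns null for traversal attempts
 * ("../"), symlinks pointing outside, missing files, directories, or
 * disallowed extensions.
 */
function resolvePrivateFile(string $relative): ?string
{
    // Reject an empty name or anything containing a NUL byte outright.
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    $full = realpath(PRIVATE_DIR . '/' . $relative);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    // realpath() collapses ".." and follows symlinks, so a prefix check on
    // the canonical path is what actually keeps requests inside $base.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($full)) {
        return null; // never serve a directory, so there is nothing to list
    }
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    return $full;
}

/** Send the file with the right headers, or a 404 that reveals no path details. */
function serveProtectedFile(string $relative): void
{
    $path = resolvePrivateFile($relative);
    if ($path === null) {
        http_response_code(404);
        header('Content-Type: text/plain');
        echo "Not found\n";
        return;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED_TYPES[$ext]);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path); // streams the file without reading it all into memory
}

// Used from the page as <script src="serve.php?f=app.js"> or
// <img src="serve.php?f=42/avatar.png">; the browser never sees a
// directory URL it could try to list.
serveProtectedFile((string) ($_GET['f'] ?? ''));
```

The same 404 is returned whether the file is missing, outside the directory, or of a disallowed type, so the response does not confirm which names exist. Any per-member authorization check (is the logged-in user allowed to see member 42's files?) belongs in serveProtectedFile() before the file is resolved; it is left out here because the original questions do not describe the site's session handling.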
I would like to have any directory auto-indexing by Apache not display a link to the parent directory. In my current setup, I have only enabled access to all subdirectories, thereby implicitly denying access to the one parent directory of each of those subdirectories. Unfortunately, the auto-indexing is still displaying a link to the parent directory even though clicking on that link results in a 403 response.
IndexIgnore ..
You can read more on the Auto-Index options on Apache Docs.