How do I display 404 errors instead of 403 errors in godaddy's Apache 1.3? - apache

Apparently Apache 1.3 is used by no one except godaddy by now as I can't seem to find any relevant information for this.
I'd like to use .htaccess files to deny direct access to certain files on my site but without letting attackers know that such a file exists so I'd like to display a 404 "file not found" error instead of a 403 "forbidden" error.

Add the following code to the .htaccess file:
RedirectMatch 404 ".*\/\..*"
It will prohibit access to all files or directories starting with a dot, giving a "404 Not Found" error.
With the help of: Is there a way to force Apache to return 404 instead of 403?
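An added example (not part of the answer above) for checking the rule after deployment: it applies the same pattern to the request paths in an access log, lists dot paths that were still answered with 403, and lists `/.well-known/` requests that the rule also turns into 404. The log lines are constructed samples and the function names are illustrative.

```python
import re

# Pattern from the RedirectMatch line above. Apache searches it anywhere
# in the URL path, which re.search reproduces.
DOT_RULE = re.compile(r".*\/\..*")
# Request path and status fields of a Common Log Format line.
LOG_LINE = re.compile(r'"[A-Z]+ (\S+) [^"]*" (\d{3})')

def covered(path):
    """True when the RedirectMatch pattern applies to this URL path."""
    return DOT_RULE.search(path) is not None

def audit(log_lines):
    """Return (leaks, collateral).

    leaks      - dot paths still answered with 403 (existence disclosed)
    collateral - /.well-known/ paths the rule also answers with 404
    """
    leaks, collateral = [], []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]  # drop the query string
        status = int(m.group(2))
        if not covered(path):
            continue
        if status == 403:
            leaks.append(path)
        elif status == 404 and "/.well-known/" in path:
            collateral.append(path)
    return leaks, collateral

# Constructed sample log lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /.htpasswd HTTP/1.1" 403 199',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 196',
    '203.0.113.9 - - [10/Jan/2024:10:00:03 +0000] "GET /.well-known/acme-challenge/token123 HTTP/1.1" 404 196',
    '203.0.113.9 - - [10/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2024:10:00:05 +0000] "GET /images/logo.v2.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    leaks, collateral = audit(SAMPLE_LOG)
    print("still 403:", leaks)
    print("also hidden:", collateral)
```

A 403 in the first list means some other access rule answered before this one; an entry in the second list is a path such as an ACME challenge that may need to be excluded from the pattern.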

Related

404 not being caught?

I have been running some automated security scans and the following URL triggers a 404:
/%FF%FE%3Cscript%3Ehaikumsg%28326%29%3C%2Fscript%3E
This is run from the route on the domain on an Apache server (so this should be easy to replicate).
My htaccess is set up with ErrorDocument 404 /site/404 but this isn't being caught. I know this because if I completely empty the htaccess file I am still presented with the same standard Apache 404 page.
Clearly this is a tag hack so I have to be careful how it's handled; however, I'd like to know how to manage it so it at least does my /site/404 instead of nothing.
It turns out the solution is to move your 404 redirect to the Vhosts not htaccess!! Very simple solution and that will fix it. Apache obviously works with the URL before even getting to the htaccess file so moving the 404 redirect is needed at a higher level.
However if you need to decode and use the URLs then the following begins to help:
https://serverfault.com/questions/261683/how-does-apache-process-a-path-with-a-percent-encoded-url-in-it
Basically the solution is to add AllowEncodedSlashes On to the Vhosts file.
As per https://httpd.apache.org/docs/2.0/mod/core.html#allowencodedslashes.

How to show custom 404 error page when using `AllowEncodedSlashes On`

I recently came across the AllowEncodedSlashes Apache directive:
https://intranet.csc.liv.ac.uk/manual/mod/core.html#AllowEncodedSlashes
If I hit a URL like this: www.domain.com/my/page/%2F/etcetera, Apache shows its default 404 error page:
However, I would like to return a custom 404 error page but how can I do it within my .htaccess? This doesn't work:
ErrorDocument 404 /entrypoint.php
I know I can do it if I have access to the server's httpd.conf configuration file (I tested locally). But what if I do not have access to the configuration on a remote site? Is there a way?
Thank you for the attention.
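An added example, not part of either question above: both the scanner URL and the `/my/page/%2F/etcetera` URL contain an encoded slash, which Apache's core refuses with its own 404 while AllowEncodedSlashes is Off (the documented default). The sketch below flags such paths and shows how a custom 404 page can echo a requested path safely. The function names are illustrative.

```python
import html
import re
from urllib.parse import unquote_to_bytes

ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)

def handled_by_core(raw_path, allow_encoded_slashes=False):
    """True when the raw path holds %2F and AllowEncodedSlashes is Off,
    the case in which Apache answers 404 itself."""
    return not allow_encoded_slashes and bool(ENCODED_SLASH.search(raw_path))

def safe_echo(raw_path):
    """Decode a raw path for display in a custom 404 page, then HTML-escape
    it so markup sent in the URL is rendered as text."""
    text = unquote_to_bytes(raw_path).decode("utf-8", errors="replace")
    return html.escape(text, quote=True)

# URLs quoted on this page.
SAMPLES = [
    "/%FF%FE%3Cscript%3Ehaikumsg%28326%29%3C%2Fscript%3E",
    "/my/page/%2F/etcetera",
    "/fullpage.php%3F%20cp3_Hex%3D0F0200%26cp2_Hex%3D000000%26cp1_Hex%3DFC2024",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(handled_by_core(raw), safe_echo(raw))
```

The third URL has no encoded slash, so this check does not explain its 403.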

Redirect to external site on 500 error with .htaccess

I am working on a website (scratchyone.com). I need to have my .htaccess redirect to an external page
http://scratchywon.github.io/scratchyone.com/errors/500.html
on a 500 error. I am forcing a 500 with php.
http://scratchyone.com/500/
Here is my current code:
ErrorDocument 500 http://scratchywon.github.io/scratchyone.com/errors/500.html
EDIT: ErrorDocument 404 http://scratchywon.github.io/scratchyone.com/errors/500.html works
Now that I am using php to send the 500 error, the page doesn't display. It just displays the browser's default "500: Could not display"
An internal error in .htaccess does not relay to a custom ErrorDocument (!), and simulating a 500 error via PHP is not quite possible: when your script runs it's too late. Error document redirection is handled by Apache mod_core (!) and PHP only sends the status.
So I think you can forget about PHP 500-simulation.
Try making a directory next to the main .htaccess and put a faulty .htaccess inside it.
Or maybe this will be helpful for you:
https://www.digitalocean.com/community/tutorials/how-to-configure-apache-to-use-custom-error-pages-on-ubuntu-14-04
The section about 500 provides information on how to simulate this error via a bad proxy.

error status message 403 to 423

How would I change the default 403 forbidden to a 423 locked instead when denying someone in htaccess?
For example, usually when you use deny from in htaccess, Apache serves a 403 forbidden error.
Is there a way to set what error message is actually served in place of the 403 forbidden?
I have not tried this, but I'm thinking that defining custom error messages in htaccess might work,
for example,
ErrorDocument 403 /path/423.shtml
But something tells me my server would override that by default and still use the 403 error.
And no, I do not have shell access or access to the Apache install files.
Thanks.
You're close, but you need a script or something to set the header response. Using the ErrorDocument by itself will still cause the server to return a 403 Forbidden, even though the content returned will be what's in /path/423.shtml. You can use PHP or something to override that. So using the error document:
ErrorDocument 403 /path/423.php
Then in the 423.php file:
<?php
header("HTTP/1.1 423 Locked");
// whatever other content you want returned
?>
If you want to do it "pure" (without PHP or Perl code) you will need to use mod_rewrite and utilize the [R=XXX] flag, where R means redirect and XXX is the code you want to use; see: http://httpd.apache.org/docs/current/rewrite/flags.html#flag_r

Apache not processing encoded URLs with %3F

The problem url links to my website are of the form
/fullpage.php%3F%20cp3_Hex%3D0F0200%26cp2_Hex%3D000000%26cp1_Hex%3DFC2024
The un-encoded url is
/fullpage.php?cp3_Hex=0F0200&cp2_Hex=000000&cp1_Hex=FC2024
Apache returns a:
403: You don't have permission to access /fullpage.php? cp3_Hex=0F0200&cp2_Hex=000000
I have tried the following rewrite rule
RewriteRule ^/fullpage.php%3F(.*)$ /fullpage.php?$1
to no avail.
Any ideas?
You are almost certainly getting a 403 error.
The error is caused because ? is a banned file/directory name character on Windows and Linux. This means that when Apache attempts to find a file or directory named "/document/root/index.php?blah" (after decoding), it causes a 403 error. This is before the .htaccess files are read, so you cannot use mod_rewrite in the .htaccess file to override this 403 error or an ErrorDocument defined in the .htaccess file to catch this error.
The only way to catch %3f is to use mod_rewrite or an ErrorDocument in a "VirtualHost" e.g. in httpd-vhosts.conf (or the main server configuration if there aren't any "Virtualhost"s e.g. in httpd.conf).