I have a website with a "protected folder" using a .htaccess file.
Inside this folder the execution of CGIs is disabled, the .htaccess is as follow
Options -Indexes -Includes -ExecCGI
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi .php4 .php5 .js
Now I'm in the need of executing a PHP script in this folder (overiding the CGI disabling), lets suposse the name of my script is
my_script.php
What is the best way to maintain my security in this folder deniying the execution rights to ALL the scripts BUT to my_script.php?
I have full access to the .htaccess file so I can change what I want.
Kind regards and thanks a lot in advance.
P:.
Related
I'm setting up an apache webserver (on Ubuntu 18.04) with a CGI script, but I want a clean URL without "cgi" in it.
I already have a functioning script (in Perl), which, for the purposes of this question, I'll call myscript.
1. localhost/cgi-bin/myscript (works)
If I put the script in /usr/lib/cgi-bin/myscript, it works with URL localhost/cgi-bin/myscript.
2. localhost/myscript.cgi (works)
Alternatively, I can reconfigure /var/www/ to run files with .cgi or .pl extensions as CGI:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
+ Options +ExecCGI
+ AddHandler cgi-script .cgi .pl
</Directory>
This works IF I add a .cgi extention: myscript.cgi. Then URL localhost/myscript.cgi works.
3. localhost/myscript ???
But I don't want cgi in my URL. I just want localhost/myscript to run myscript as CGI. (And I don't want to force other files in ROOT to be CGI).
Is this possible?
You cannot do that directly. However, you could Redirect requests for specific extension-less URLs to their corresponding .cgi.
You can test these with an .htaccess file to avoid having to reload the server.
In your <VirtualHost ...> section :
<Directory /your/web/dir/>
Require all granted
AllowOverride All
</Directory>
In /your/web/dir/.htaccess :
Options +ExecCGI
AddHandler cgi-script .cgi
Redirect "/test" /test.cgi
# or
# RedirectMatch "^/(test)$" /$1.cgi
Another possibility would be to use mod_rewrite, and redirect calls to any existing executable file to a file with the same name but with a .cgi extension. The extension-less file must only exist, and can be empty.
In /your/web/dir/.htaccess :
Options +ExecCGI
AddHandler cgi-script .cgi
RewriteEngine On
# If not already .cgi and executable, redirect to .cgi
RewriteCond /your/web/dir/%{REQUEST_URI} "!\.cgi$"
RewriteCond /your/web/dir/%{REQUEST_URI} -x
RewriteRule ^(.+) /$1.cgi [R]
Of course, you can use any other extension than .cgi. For example .x if you set AddHandler cgi-script .x.
I know this question has been already asked here. I am trying to use a script in my localhost. The script contains .htm files and an .htaccess file with the following code to parse those .htm files as PHP.
AddHandler application/x-httpd-php5 .htm .php .html
Now this is not working at all and i get a blank web page whenever i run it from my localhost. i.e "localhost/paystill_enterprise" and it give me blank webpage.
Now i have tried every solution i could find on internet like editing httpd.conf file etc. Here are some of the solutions i have tried.
1- I have tried editing httdp.conf and have added the following code one by one
<IfModule mime_module>
AddType application/x-httpd-php .php
AddType application/x-httpd-php .html
AddType application/x-httpd-php .htm
AddType application/x-httpd-php .txt
</IfModule>
<FilesMatch "\.html$">
ForceType application/x-httpd-php
</FilesMatch>
<FilesMatch "\.htm$">
ForceType application/x-httpd-php
</FilesMatch>
2- Tried adding these lines of code one by one in my .htaccess file
AddType application/x-httpd-php .html .htm
AddType application/x-httpd-php5 .html .htm
RemoveHandler .html .htm
AddType application/x-httpd-php .php .htm .html
No matter what i use, always get a blank page for "localhost/paystill_enterprise".
Note:
Sometimes it also happens that when i type the address "localhost/paystill_enterprise", the browsers asks me to save the file i.e the browser tries to download it.
Any suggestions?
The one time I did this all I did was add these 2 instructions to me .htaccess file.
AddHandler application/x-httpd-php .html
DirectoryIndex index.html index.php
So remove all your other changes and try just this one change as your other chnages may interfere with this.
I am trying to deny all connections to my website using .htaccess that looks something like this:
ErrorDocument 403 /errors/403\.php
SetEnvIfNoCase Request_URI "^/errors/403\.php$" HANDLE403
order deny,allow
deny from all
allow from 188.167.150.5
allow from 78.145.188.71
allow from env=HANDLE403
AddType application/x-httpd-php53 .php
AddType application/x-httpd-php5 .php52
AddType application/x-httpd-php .php4
The .htaccess file is stored in the root folder of my ftp and this works fine, however I want to use custom Error 403 page which is saved in Errors folder on the same ftp, so basically it gets blocked too. I have tried to create a new .htaccess in the Errors folder (as suggested in other topics) with this code:
order allow,deny
allow from all
AddType application/x-httpd-php53 .php
AddType application/x-httpd-php5 .php52
AddType application/x-httpd-php .php4
But it still doesn't work and I get just the default 403 page with "Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."
Any idea how I could fix this, so that the error files are accessible by all, while the rest is denied for all except few specific IPs?
Use your custom handler like this:
ErrorDocument 403 /errors/403.php
order deny,allow
deny from all
allow from 188.167.150.5
allow from 78.145.188.71
I have a directory where users can upload files.
To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.
Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().
What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:
SetHandler default-handler
However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?
Apache configuration
The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5, and creating the the file /etc/apache2/sites-enabled/mysite.com with the following contents:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName mysite.com
ServerAlias www.mysite.com
DocumentRoot /home/me/www/mysite.com/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/me/www/mysite.com/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Put this in your .htaccess:
<Files *>
# #mivk mentionned in the comments that this may break
# directory indexes generated by Options +Indexes.
SetHandler default-handler
</Files>
But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!
If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com
<Directory /home/me/www/upload/>
# Important for security, prevents someone from
# uploading a malicious .htaccess
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
<Files *>
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
</Directory>
If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:
/home/me/www/
|- myuploadscript.php
|- protected/
|- .htaccess
|- upload/
|- Uploaded files go here
That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.
AFAICT, you should be pretty safe with that.
My Godaddy setup wont allow me to edit the httpd.conf files, and the php_flag command doesn't work due to how they've implemented php for me.
I was able to use this in my .htaccess file:
SetHandler default-handler
AddType text/plain php
I put this in the directory above where my FTP user is allowed to access, which forces all PHP files in that directory, as well as all sub-directories to show php as plain text.
This will work for other file types as well. All you need to do is add another line with whatever extension of file you want to be forced to display in plain text. AddType text/plain cgi for example
I want to compile PHP code in specific .htm file, if file located at root directory of domain I can add
<Files file.htm>
AddType application/x-httpd-php5 .htm
</Files>
to .htaccess, but what should I do if file located at another directory(/sub/file.htm, for example)?
Maybe it could be done if your are using httpd 2.4 which has <if> supports
<If "%{PATH_INFO} =~ /.*\/sub\/(file|anotherfile|andanother)\.htm/">
AddType application/x-httpd-php5 .htm
</If>
Maybe you want to use the httpd.conf instead of .htaccess file. You could then use <Location>-directive in this case:
<Location /sub/file.htm>
AddType application/x-httpd-php5 .htm
</Location>
Note that if you want to use a regexp to match the location you need to write a ~ before the location or use the <LocationMatch>-directive.
E.g.:
<Location ~ "/sub/(file|anotherfile|andanother).htm">
AddType application/x-httpd-php5 .htm
</Location>
EDIT:
Another possible solution (also only in virtualhost-config) should be a combined <Directory> and <Files>-directive:
<Directory /sub>
<Files file.htm>
AddType application/x-httpd-php5 .htm
</Files>
</Directory>
Try FilesMatch:
<FilesMatch "file.htm$">
AddType ...
</Files>
It applies a regex to the filename, so this'll match any file path which has "file.htm" at the end. It'd apply to any file in any directory that ends with "file.html". Note that this would also match on "somefile.htm" and "/subdir/somefile.htm". If you've got other files in your site tree that could trigger this, you'll have to mod the regex to exclude them.