
Security Enhancing with htaccess

by Charles Torvalds 1 comment


What kind of security can be implemented from within the Apache Web Servers htaccess files?

Recently I was asked the following question and decided to post it here for others.


I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.

<files ~ "(php.ini|.htaccess|.php.?|.pl|.cgi)$">
order deny,allow
deny from all
</Files>

Works like a charm. One problem, though. If the student was savvy enough he could place an htaccess file in the subdirectory he has access to that reverses this file.

<files ~ "(php.ini|.htaccess|.php.?|.pl|.cgi)$">
order deny,allow
allow from all
</Files>

Darn it all, the student is now able to run php scripts in his directory.

I am sure there is a way to indicate in the htaccess file on the main level that any htaccess files in subdirectories should be ignored. It is a simple thing, but I can find how to do that.

My thoughts

You need to remove their ability to execute scripts. Here are a couple of different ways I do it.

Inverse AddHandler ExecCGI Hack

This is cool: the AddHandler directive sets every file ending in one of those extensions to be handled as a cgi-script. The next line uses the Options directive to disable CGI execution completely. The trick is that all of those file types now fall under the jurisdiction of -ExecCGI, which also means -FollowSymLinks.

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Combine that with

<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

Then you might try blocking most HTTP request methods (everything except GET, HEAD and POST), and disabling the RewriteEngine.

Options -ExecCGI -Indexes -All
 
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)
RewriteRule .* - [F]
 
RewriteEngine Off

If you'd rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:

RemoveHandler cgi-script .pl .py .cgi
<FilesMatch "\.(pl|py|cgi)$">
ForceType text/plain
</FilesMatch>

Preventing Executables

Options -ExecCGI
RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
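All of the snippets above live in .htaccess files, and a student who can write an .htaccess file of their own can reverse them (Options +ExecCGI, a new AddHandler, Order/Allow) for any directory the server lets .htaccess override. The part that cannot be reversed from a subdirectory is the server-level AllowOverride setting, so the following is an added example of the httpd.conf side of this setup; it is not code from the original post. It uses Apache 2.4 authorization syntax (Require) rather than the Order/Deny syntax the post uses, it assumes mod_php is loaded, and the paths and ServerName are placeholders.

```apache
# Added example (not from the original post). Server-level configuration for a
# student sandbox; paths, hostname and the mod_php assumption are placeholders.
<VirtualHost *:80>
    ServerName sandbox.example.test
    DocumentRoot /var/www/sandbox

    # Main directory: the instructor's own .htaccess may use Options, FileInfo
    # (AddHandler/RemoveHandler/RewriteRule) and Limit (Order/Allow/Require).
    <Directory "/var/www/sandbox">
        AllowOverride Options FileInfo Limit
        Require all granted
    </Directory>

    # Student subdirectories: AllowOverride None means any .htaccess a student
    # creates here is never read, so nothing below can be switched back on.
    <Directory "/var/www/sandbox/students">
        AllowOverride None
        Options -ExecCGI -Includes -Indexes -FollowSymLinks

        # Drop extension-based handler and type mappings (AddHandler/AddType)
        # so CGI, Perl, Python and PHP files are treated as ordinary files.
        RemoveHandler .cgi .pl .py .php .phtml .php3 .php4 .php5
        RemoveType    .cgi .pl .py .php .phtml .php3 .php4 .php5

        # mod_php only: php_admin_flag is accepted in httpd.conf but never in
        # .htaccess, so this stays off regardless of any per-directory file.
        php_admin_flag engine off

        # Serve the sources as plain text instead of executing or downloading.
        <FilesMatch "\.(php|phtml|php[345]|pl|py|cgi)$">
            ForceType text/plain
        </FilesMatch>

        # Never serve .htaccess contents over HTTP even though they are ignored.
        <Files ".htaccess">
            Require all denied
        </Files>
    </Directory>
</VirtualHost>
```

To check that the override really is closed, drop an .htaccess containing Options +ExecCGI into a student directory and request a script there: the response should still be the plain-text source, and the error log should stay silent, because with AllowOverride None the file is not parsed at all.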

February 7th, 2007

Comments Welcome

  • Al

    I'm not sure when you posted this, but excellent! I was looking the whole night till 06.00 in the morning and continued after a few hours sleep.

    The first examples just did not work on my install for some reason, or because it is inside Drupal, where I like to have others view all of my modules/libraries/themes/plugins dirs and file contents of my test-installation, but not execute them. Both for security as well as that it's meant for others to see source code.

    First I did this:

    Options +Indexes
    IndexOptions +FancyIndexing

    Then inside the added modules etc. dirs, there are files like xxx.module, xxx.info and xxx.tpl.php that didn't show up at all. To correct them, this worked:

    Order Allow,Deny
    Allow from All

    Then I tried these examples and similar, but they all failed: http://www.askapache.com/htaccess/security-with-htaccess.html#deny-htaccess-htpasswd-access

    Same for your examples at the beginning; they just don't work inside my Drupal/server config; don't know why.
    But when trying your ultimate example; everything works perfect and I get the php contents instead of executing!

    Options -ExecCGI
    RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
    RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5

    I don't know why; think you haven't explained the last part of your conclusions and theory properly. But thanks a lot, because I couldn't find this elsewhere in many hours researching!

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.