Security Enhancing with htaccess
February 7th, 2007
What kind of security can be implemented from within the Apache web server's .htaccess files?
Recently I was asked the following question and decided to post it here for others.
I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.
<files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
order deny,allow
deny from all
</files>
Works like a charm. One problem, though. If the student were savvy enough, he could place an .htaccess file in the subdirectory he has access to that reverses this file.
<files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
order deny,allow
allow from all
</files>
Darn it all, the student is now able to run php scripts in his directory.
I am sure there is a way to indicate in the .htaccess file on the main level that any .htaccess files in subdirectories should be ignored. It is a simple thing, but I can't find how to do that.
My thoughts
You need to remove their ability to execute scripts. Here's a couple of different ways I do it.
Inverse AddHandler ExecCGI Hack
This is a neat trick: the AddHandler directive tells Apache to treat every file ending in one of those extensions as a cgi-script, and the next line uses the Options directive to disable CGI execution completely. The point is that all of those file types now fall under the jurisdiction of -ExecCGI, which also means -FollowSymLinks.
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Combine that with
<files .htaccess>
order allow,deny
deny from all
</files>
Then you might try blocking most HTTP request methods and, separately, disabling the RewriteEngine.
Options -ExecCGI -Indexes -All
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)
RewriteRule .* - [F]
# Or, to switch mod_rewrite off for the directory entirely (note that this also disables the rules above):
RewriteEngine Off
If you'd rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:
RemoveHandler .pl .py .cgi
AddType text/plain .pl .py .cgi
Preventing Executables
Options -ExecCGI
RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
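Since a student can still drop a reversing .htaccess into their own subdirectory, a quick audit of the tree is worth running. The following is an added example, not code from the original post: it walks the sandbox, skips the trusted parent .htaccess, and flags subdirectory files containing the directives that would undo the lockdown above (allow from all, Options re-enabling ExecCGI, handler or type re-mapping, RewriteEngine On). The directory names and file contents are constructed for the demo.

```python
# Added example, not from the original post: flag subdirectory .htaccess files that undo the parent's lockdown (sample tree constructed).
import os
import tempfile

EXEC_OPTIONS = {"execcgi", "all"}   # re-enable scripts unless prefixed with "-"
HANDLER_DIRECTIVES = {"addhandler", "sethandler", "addtype", "php_flag", "php_value"}

def risky_directives(text):
    """Return [(line_no, reason)] for lines that could reverse a parent lockdown."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):   # skip blanks, comments, <Files ...> tags
            continue
        name, *args = line.lower().split()
        if name == "allow" and args[:2] == ["from", "all"]:
            findings.append((line_no, "allow from all reverses the parent's deny"))
        elif name == "options" and any(a.lstrip("+") in EXEC_OPTIONS for a in args if a[0] != "-"):
            findings.append((line_no, "Options re-enables ExecCGI"))
        elif name in HANDLER_DIRECTIVES:
            findings.append((line_no, f"{name} re-maps script handling"))
        elif name == "rewriteengine" and args[:1] == ["on"]:
            findings.append((line_no, "RewriteEngine On overrides parent rewrite rules"))
    return findings

def audit_tree(root):
    """Map each student subdirectory (relative to root) to its risky lines."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if dirpath == root or ".htaccess" not in files:   # the parent's file is trusted
            continue
        with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            hits = risky_directives(fh.read())
        if hits:
            report[os.path.relpath(dirpath, root)] = hits
    return report

# Constructed sample tree: the locked-down parent and two student directories
PARENT = "AddHandler cgi-script .php .pl .py .cgi\nOptions -ExecCGI\n"
REVERSED = ('<Files ~ "(php\\.ini|\\.htaccess|\\.php.?|\\.pl|\\.cgi)$">\n'
            "order deny,allow\nallow from all\n</Files>\nOptions +ExecCGI\n")
BENIGN = "# harmless: only picks the index page\nDirectoryIndex index.html\n"

def build_demo_tree():
    root = tempfile.mkdtemp(prefix="sandbox_")
    for rel, body in (("", PARENT), ("alice", REVERSED), ("bob", BENIGN)):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Running audit_tree(build_demo_tree()) reports only the "alice" directory, with its allow from all and Options +ExecCGI lines.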
Reader Comments
I'm not sure when you posted this, but excellent! I was looking the whole night till 06.00 in the morning and continued after a few hours' sleep. The first examples just did not work on my install for some reason, or because it is inside Drupal, where I like to have others view all of my modules/libraries/themes/plugins dirs and file contents of my test installation, but not execute them. Both for security as well as that it's meant for others to see source code. First I did this: Then I tried these examples and similar, but they all failed: http://www.askapache.com/htaccess/security-with-htaccess.html#deny-htaccess-htpasswd-access Same for your examples at the beginning; they just don't work inside my Drupal/server config; don't know why. But when trying your ultimate example, everything works perfectly and I get the php contents instead of executing! I don't know why; I think you haven't explained the last part of your conclusions and theory properly. But thanks a lot, because I couldn't find this elsewhere in many hours of researching!
