Security Enhancing with htaccess
What kind of security can be implemented from within the Apache Web Servers htaccess files?
Recently I was asked the following question and decided to post it here for others.
I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.
    <Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
        Order deny,allow
        Deny from all
    </Files>
Works like a charm. One problem, though. If the student were savvy enough, he could place an htaccess file in the subdirectory he has access to that reverses this file.
    <Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
        Order deny,allow
        Allow from all
    </Files>
Darn it all, the student is now able to run php scripts in his directory.
I am sure there is a way to indicate in the htaccess file on the main level that any htaccess files in subdirectories should be ignored. It is a simple thing, but I can't find how to do that.
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
This is cool: you are basically categorizing all of those script extensions as CGI scripts so that they fall under the jurisdiction of the -ExecCGI option, which also means -FollowSymLinks.
Combine that with
    <Files .htaccess>
        Order allow,deny
        Deny from all
    </Files>
Then you might try
    Options -ExecCGI -Indexes -All
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)
    RewriteRule .* - [F]
If you’d rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:
    RemoveHandler cgi-script .pl .py .cgi

or, to cover the PHP extensions as well:

    Options -ExecCGI
    RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
    RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
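The sandbox problem in the question above has no complete fix inside .htaccess itself: a parent .htaccess cannot stop Apache from reading a deeper one, because that is governed by AllowOverride, which is only valid in a <Directory> block of the server configuration (AllowOverride None, or a list that leaves out FileInfo and Limit, is what actually stops students re-enabling handlers and access). When you do not control httpd.conf, the next best thing is to detect overrides. The following audit script is an added example, not code from the original post: it walks a directory tree, reads every .htaccess, and flags directives that reopen access or map extensions to an interpreter. The sample .htaccess bodies, the students/alice layout and the list of flagged directives are constructed for the demonstration.

```python
import os
import re
import tempfile
from typing import Dict, List

# Options keywords that (re)enable execution. "All" switches every option on, so it counts too.
_EXEC_OPTIONS = {"execcgi", "+execcgi", "all", "+all", "followsymlinks", "+followsymlinks"}

# One-line directives that reopen access or map files to an interpreter (constructed list).
_LINE_CHECKS = [
    (re.compile(r"^allow\s+from\s+all$", re.I), "Allow from all reopens 2.2-style access control"),
    (re.compile(r"^require\s+all\s+granted$", re.I), "Require all granted reopens 2.4-style access control"),
    (re.compile(r"^(add|set)handler\s", re.I), "AddHandler/SetHandler maps extensions to a handler"),
    (re.compile(r"^php_(admin_)?flag\s+engine\s+on$", re.I), "php_flag switches the PHP engine on"),
]


def audit_htaccess(text: str) -> List[str]:
    """Return findings for one .htaccess body; an empty list means nothing risky was seen."""
    findings: List[str] = []
    context = ""  # the enclosing <Files>/<FilesMatch> container, kept only for the report
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments occupy a whole line
            continue
        if line.startswith("</"):
            context = ""
            continue
        if line.startswith("<"):
            context = line
            continue
        where = f" inside {context}" if context else ""
        if line.lower().startswith("options"):
            enabled = sorted(set(t.lower() for t in line.split()[1:]) & _EXEC_OPTIONS)
            if enabled:
                findings.append(f"Options enables {', '.join(enabled)}{where}: {line}")
            continue
        for pattern, message in _LINE_CHECKS:
            if pattern.match(line):
                findings.append(f"{message}{where}: {line}")
                break
    return findings


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Audit every .htaccess below root; keys are paths relative to root, values the findings."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".htaccess" not in filenames:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = audit_htaccess(fh.read())
        if findings:
            report[os.path.relpath(path, root)] = findings
    return report


# Constructed sample: the parent-level rule from the post, which denies the script files.
PARENT_HTACCESS = """\
<Files ~ "(php\\.ini|\\.htaccess|\\.php.?|\\.pl|\\.cgi)$">
    Order deny,allow
    Deny from all
</Files>
Options -ExecCGI -Indexes
"""

# Constructed sample: a subdirectory .htaccess that undoes the parent's restrictions.
STUDENT_HTACCESS = """\
<Files ~ "(php\\.ini|\\.htaccess|\\.php.?|\\.pl|\\.cgi)$">
    Order deny,allow
    Allow from all
</Files>
Options +ExecCGI
AddHandler cgi-script .php .pl
"""


def demo() -> Dict[str, List[str]]:
    """Build a throwaway sandbox tree (hypothetical students/alice layout) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        student_dir = os.path.join(root, "students", "alice")
        os.makedirs(student_dir)
        with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(PARENT_HTACCESS)
        with open(os.path.join(student_dir, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(STUDENT_HTACCESS)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run it against the document root of the sandbox instead of the temporary tree (scan_tree("/path/to/sandbox")) from cron or a deploy hook; the parent file from the post produces no findings, while the student's override is reported three times (the reopened Allow, the +ExecCGI option and the AddHandler mapping). The audit is deliberately line-based and conservative: it only reads .htaccess files, never executes anything, and a finding means "review this file", not proof of compromise.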