What kind of security can be implemented from within the Apache Web Servers htaccess files?

Recently I was asked the following question and decided to post it here for others.

I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.

<Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
order deny,allow
deny from all
</Files>

Works like a charm. One problem, though. If the student was savvy enough he could place an htaccess file in the subdirectory he has access to that reverses this file.

<Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
order deny,allow
allow from all
</Files>

Darn it all, the student is now able to run php scripts in his directory.

I am sure there is a way to indicate in the htaccess file on the main level that any htaccess files in subdirectories should be ignored. It is a simple thing, but I can find how to do that.

My thoughts

You need to remove their ability to execute scripts.

Heres a couple different ways I do it

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi 
Options -ExecCGI

This is cool, you are basically categorizing all those scripts extensions so that they fall under the jurisdiction of the -ExecCGI command, which also means -FollowSymLinks

Combine that with

<Files .htaccess>
order allow,
deny deny from all
</Files>

Then you might try

Options -ExecCGI -Indexes -All 
 
RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD) 
RewriteRule .* - [F] 
 
RewriteEngine Off

If you’d rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:

RemoveHandler cgi-script .pl .py .cgi

Security Security personal protection, security systems and security cameras for just about every need!

Related Articles