What kind of security can be implemented from within the Apache Web Servers htaccess files?
Recently I was asked the following question and decided to post it here for others.
I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.
<Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$"> order deny,allow deny from all </Files>
Works like a charm. One problem, though. If the student was savvy enough he could place an htaccess file in the subdirectory he has access to that reverses this file.
<Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$"> order deny,allow allow from all </Files>
Darn it all, the student is now able to run php scripts in his directory.
I am sure there is a way to indicate in the htaccess file on the main level that any htaccess files in subdirectories should be ignored. It is a simple thing, but I can find how to do that.
My thoughts
You need to remove their ability to execute scripts.
Heres a couple different ways I do it
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI
This is cool, you are basically categorizing all those scripts extensions so that they fall under the jurisdiction of the -ExecCGI command, which also means -FollowSymLinks
Combine that with
<Files .htaccess> order allow, deny deny from all </Files>
Then you might try
Options -ExecCGI -Indexes -All
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)
RewriteRule .* - [F]
RewriteEngine Off
If you’d rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:
RemoveHandler cgi-script .pl .py .cgi
Security Security personal protection, security systems and security cameras for just about every need!
htaccess security apache cgi execute rewriterule
Related Articles