Security Enhancing with htaccess
February 7th, 2007
What kind of security can be implemented from within the Apache Web Servers htaccess files?
Recently I was asked the following question and decided to post it here for others.
I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.
<files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
order deny,allow
deny from all
</files>
Works like a charm. One problem, though. If the student was savvy enough he could place an htaccess file in the subdirectory he has access to that reverses this file.
<files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$">
order deny,allow
allow from all
</files>
Darn it all, the student is now able to run php scripts in his directory.
I am sure there is a way to indicate in the htaccess file on the main level that any htaccess files in subdirectories should be ignored. It is a simple thing, but I can't find how to do that.
My thoughts
You need to remove their ability to execute scripts. Here are a couple of different ways I do it.
Inverse AddHandler ExecCGI Hack
This is cool: the AddHandler directive tells Apache to treat every file with one of those extensions as a cgi-script. The next line uses the Options directive to turn ExecCGI off completely, so those files now fall under the jurisdiction of -ExecCGI (Apache refuses to serve a file mapped to the cgi-script handler, with a 403, when ExecCGI is off), which also means -FollowSymLinks. Note that .htm and .shtml are in the list too, so plain HTML pages in that directory will be refused as well; trim the list to the extensions you actually want blocked.
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Combine that with
<files .htaccess>
order allow,deny
deny from all
</files>
Then you might try blocking most HTTP request methods, and disabling the RewriteEngine. Keep in mind that RewriteEngine is a per-directory setting and the last occurrence wins, so a RewriteEngine Off placed after the rules in the same .htaccess switches those rules off; use one approach or the other.
Options -ExecCGI -Indexes -All
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)
RewriteRule .* - [F]
RewriteEngine Off
If you'd rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:
RemoveHandler .pl .py .cgi
AddType text/plain .pl .py .cgi
Preventing Executables
Options -ExecCGI
RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
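One thing no parent .htaccess can do is make Apache ignore a subdirectory's .htaccess; only AllowOverride in the main server configuration controls that. Where you cannot touch httpd.conf, a periodic scan of the student directories for directives that undo the restrictions above is a useful detective control. The script below is an added example, not code from the original post; the set of "risky" directives it flags is this example's own choice, and the sample .htaccess is constructed from the question above.

```python
import os

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, directive, reason) for each directive that would undo the parent restrictions."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":   # blank, comment, or <Files>/</Files> tag
            continue
        parts = line.split()
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        reason = None
        # "Options All" switches ExecCGI on as well, so it counts the same; "-ExecCGI" does not match.
        if name == "options" and any(a.lstrip("+") in ("execcgi", "all") for a in args):
            reason = "re-enables script execution via Options"
        elif name in ("addhandler", "sethandler") and args and (
                args[0].endswith("-script") or "php" in args[0]):
            reason = "maps files to a script handler"
        elif name == "allow" and args[:2] == ["from", "all"]:
            reason = "reopens access the parent .htaccess denied"
        elif name == "rewriteengine" and args == ["on"]:
            reason = "turns the rewrite engine on"
        if reason:
            findings.append((no, line, reason))
    return findings

def scan_tree(root: str) -> dict[str, list[tuple[int, str, str]]]:
    """Scan every .htaccess below root; the root's own .htaccess is the trusted one."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if dirpath != root and ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample: the overriding file a student drops into his own subdirectory.
STUDENT_HTACCESS = """\
<files ~ "(php\\.ini|\\.htaccess|\\.php.?|\\.pl|\\.cgi)$">
order deny,allow
allow from all
</files>
# student turns script execution back on
Options +ExecCGI
AddHandler cgi-script .php
"""

if __name__ == "__main__":
    for no, line, why in scan_text(STUDENT_HTACCESS):
        print(f"line {no}: {line}  -> {why}")
```

Run it as scan_tree("/path/to/sandbox") from cron and mail the report; an empty dictionary means no student directory is trying to loosen the parent's settings.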
I'm not sure when you posted this, but excellent! I was looking the whole night till 06.00 in the morning and continued after a few hours sleep.
The first examples just did not work on my install for some reason, or because it is inside Drupal, where I like to have others view all of my modules/libraries/themes/plugins dirs and file contents of my test-installation, but not execute them. Both for security as well as that it's meant for others to see source code.
First I did this:
Then I tried these examples and similar, but they all failed: http://www.askapache.com/htaccess/security-with-htaccess.html#deny-htaccess-htpasswd-access
Same for your examples at the beginning; they just don't work inside my Drupal/server config; don't know why.
But when trying your ultimate example; everything works perfect and I get the php contents instead of executing!
I don't know why; think you haven't explained the last part of your conclusions and theory properly. But thanks a lot, because I couldn't find this elsewhere in many hours researching!