Security Enhancing with htaccess

What kind of security can be implemented from within the Apache Web Servers htaccess files?

Recently I was asked the following question and decided to post it here for others.


I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.

<files ~ "(php.ini|.htaccess|.php.?|.pl|.cgi)$">
order deny,allow
deny from all
</Files>

Works like a charm. One problem, though. If the student was savvy enough he could place an htaccess file in the subdirectory he has access to that reverses this file.

<files ~ "(php.ini|.htaccess|.php.?|.pl|.cgi)$">
order deny,allow
allow from all
</Files>

Darn it all, the student is now able to run php scripts in his directory.

I am sure there is a way to indicate in the htaccess file on the main level that any htaccess files in subdirectories should be ignored. It is a simple thing, but I can find how to do that.

My thoughts

You need to remove their ability to execute scripts. Heres a couple different ways I do it.

Inverse AddHandler ExecCGI Hack

This is cool, the AddHandler directive sets all the files ending in those extensions to be handled as cgi-script. The next line uses the Options directive to disable cgi-script completely. This is special so that they fall under the jurisdiction of the -ExecCGI command, which also means -FollowSymLinks

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Combine that with

<files .htaccess>
order allow,
deny deny from all
</Files>

Then you might try blocking most HTTP Request Types, and disabling the RewriteEngine.

Options -ExecCGI -Indexes -All

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)
RewriteRule .* - [F]

RewriteEngine Off

If you'd rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:

RemoveHandler cgi-script .pl .py .cgi
ForceType text/plain .pl .py .cgi

Preventing Executables

Options -ExecCGI
RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5

Htaccess

Comments