Security Enhancing with htaccess
What kind of security can be implemented from within the Apache Web Servers htaccess files?
Recently I was asked the following question and decided to post it here for others.
I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.
<files ~ "(php.ini|.htaccess|.php.?|.pl|.cgi)$"> order deny,allow deny from all </Files>
Works like a charm. One problem, though. If the student was savvy enough he could place an htaccess file in the subdirectory he has access to that reverses this file.
<files ~ "(php.ini|.htaccess|.php.?|.pl|.cgi)$"> order deny,allow allow from all </Files>
Darn it all, the student is now able to run php scripts in his directory.
I am sure there is a way to indicate in the htaccess file on the main level that any htaccess files in subdirectories should be ignored. It is a simple thing, but I can find how to do that.
My thoughts
You need to remove their ability to execute scripts. Heres a couple different ways I do it.
Inverse AddHandler ExecCGI Hack
This is cool, the AddHandler directive sets all the files ending in those extensions to be handled as cgi-script. The next line uses the Options directive to disable cgi-script completely. This is special so that they fall under the jurisdiction of the -ExecCGI command, which also means -FollowSymLinks
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI
Combine that with
<files .htaccess> order allow, deny deny from all </Files>
Then you might try blocking most HTTP Request Types, and disabling the RewriteEngine.
Options -ExecCGI -Indexes -All RewriteEngine On RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST) RewriteRule .* - [F] RewriteEngine Off
If you'd rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:
RemoveHandler cgi-script .pl .py .cgi ForceType text/plain .pl .py .cgi
Preventing Executables
Options -ExecCGI RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5 RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
« Rare XHTML elements use for SEOhtaccess directives available on Powweb »
Comments