$5 Script Archive Community Forum > osDate > Configuration & Installation
#1  01-05-2008, 02:56 PM
exotic (Senior Member; Join Date: Jun 2007; Location: Brazil / Germany; Posts: 442)

.htaccess - Compiled Security Wisdom

Quote:
Originally Posted by jakzun37
I don't have an .htaccess file in my OS root directory - am I to make one?

My site won't load, just blank space.
Msszroberts asked me to open a new thread, so here it is!

One possible approach for the .htaccess in the osdate root is:

Code:
###############################
# Place this file in your osDate root directory
###############################

# Protect .htaccess and .htpasswd files
<FilesMatch "^\.ht">
  Order allow,deny
  Deny from all
</FilesMatch>

# Protect config.* files
<FilesMatch "^config(\..*)?$">
  Order deny,allow
  Deny from all
</FilesMatch>

# Protect files depending on extension
<FilesMatch "^(.*)\.(inc|inc\.php|tpl|tpl\.php|sql|txt|dat|csv|exe|dll)$">
  Order deny,allow
  Deny from all
</FilesMatch>

# Disable directory browsing
Options -Indexes

###############################
The first section protects all files beginning with .ht in all directories from direct browser access. This setting should normally already be set in Apache's httpd.conf, but it won't harm you if you define it here again.

The second section protects all files beginning with config. from direct browser access.

The third section protects all files with the extensions .inc .inc.php .tpl .tpl.php .sql .txt .dat .csv .exe .dll from direct browser access.

The fourth section disables directory browsing aka the listing of the directory contents.

"protect from direct browser access" means that a file cannot be directly viewed, executed or read from a web browser, but can be executed if included in another file or called from another file that is not protected by .htaccess.

If the rules describing the filenames look strange to you, find some literature about regular expressions. Weird stuff, but also very valuable if you want to evaluate user input in some data entry form. osDate checks the correctness of email addresses with regular expressions.

All rules are automatically applied to all subdirectories.

We placed a different .htaccess file in every subdirectory we did not want to be accessible directly:

Code:
###############################
# Place this file in the following directories:
# - cache
# - cities
# - counties
# - includes
# - install_files
# - language
# - libs
# - myconfigs
# - SEF_URLs
# - sql
# - states
# - temp
# - templates-c
# - userimages
# - uservideos
# - zipcodes
#
# Do NOT place this file in the following subdirectories:
# - admin	(need to run the php-scripts)
# - images	(images are directly accessed from smarty templates)
# - javascript	(need to run the js-files)
# - templates	(need to access the css-files. tpl-files are protected by .htaccess in root)
#
# Yet to test:
# - banners
# - chat
# - cronjobs
# - emailimages
# - forum
# - icons
# - imgEditor
# - modules
# - mpeg2flv
# - php121
# - plugins
# - videos
###############################

# Protect all files in this directory (and below) from direct browser access
<FilesMatch ".*">
  Order deny,allow
  Deny from all
</FilesMatch>

###############################
The directories where this .htaccess file can be placed are listed above.

Of course, some rules are "doppelt gemoppelt", as we say in Germany, meaning that some files are protected by more than one rule.

My special thanks go to Michael Desmarais, whose posts first introduced me to the importance and contents of .htaccess files.

I am no security specialist, so any comments are highly appreciated. There are some directories that need to be evaluated as they can or have to be protected with .htaccess (see above).

exotic
Attached file: htaccess.zip (900 Bytes)

Last edited by exotic : 03-14-2008 at 04:12 PM. Reason: attach zip-archive
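As an added example (not code from the post above or from the osDate project): a POSIX shell script that writes the two .htaccess variants described in the post into an osDate tree, with the "do NOT place" list built in as a guard. It assumes the directory names listed in the post and Apache 2.2 access-control syntax (Order/Deny); on Apache 2.4 those directives only work with mod_access_compat loaded, otherwise they must be replaced by Require all denied. Two caveats a practitioner will want: an .htaccess file only takes effect if the server's AllowOverride for that path permits Limit (and Options, for the Options -Indexes line), otherwise Apache answers 500 Internal Server Error for every request under it; and the .txt rule also hides robots.txt, which the script re-opens with an explicit <Files> section that is my addition, not the post's.

```shell
#!/bin/sh
# Added example (not from the forum post or the osDate project): deploy the two
# .htaccess variants described above into an osDate tree.
#   usage: sh install_htaccess.sh /path/to/osdate [ "dir dir ..." ]
# Assumptions: directory names as listed in the post; Apache 2.2 Order/Deny syntax
# (on Apache 2.4 this needs mod_access_compat or a rewrite to "Require all denied").
set -eu

# Subdirectories that get the deny-everything file (list from the post).
PROTECT_DIRS="cache cities counties includes install_files language libs myconfigs
SEF_URLs sql states temp templates-c userimages uservideos zipcodes"

# Subdirectories the browser must still reach; never put a deny-all file here.
OPEN_DIRS="admin images javascript templates"

write_root_htaccess() {   # $1 = osDate root
  cat > "$1/.htaccess" <<'EOF'
###############################
# osDate root .htaccess (rules from the forum post; Apache 2.2 access syntax)
###############################

# Protect .htaccess and .htpasswd files
<FilesMatch "^\.ht">
  Order allow,deny
  Deny from all
</FilesMatch>

# Protect config.* files
<FilesMatch "^config(\..*)?$">
  Order deny,allow
  Deny from all
</FilesMatch>

# Protect files depending on extension
<FilesMatch "^(.*)\.(inc|inc\.php|tpl|tpl\.php|sql|txt|dat|csv|exe|dll)$">
  Order deny,allow
  Deny from all
</FilesMatch>

# Added here (not in the post): the .txt rule above also hides robots.txt.
# This later <Files> section overrides it for that one file.
<Files "robots.txt">
  Order allow,deny
  Allow from all
</Files>

# Disable directory browsing
Options -Indexes
EOF
}

write_denyall_htaccess() {   # $1 = directory to seal off
  cat > "$1/.htaccess" <<'EOF'
# Protect all files in this directory (and below) from direct browser access
<FilesMatch ".*">
  Order deny,allow
  Deny from all
</FilesMatch>
EOF
}

is_open_dir() {   # $1 = directory name -> true if the browser must be able to reach it
  for o in $OPEN_DIRS; do
    [ "$1" = "$o" ] && return 0
  done
  return 1
}

install_htaccess() {   # $1 = osDate root, $2 = optional list of subdirectories (default: PROTECT_DIRS)
  root=${1%/}
  dirs=${2:-$PROTECT_DIRS}
  [ -f "$root/config.php" ] || echo "warning: no config.php in $root; is this the osDate root?" >&2
  write_root_htaccess "$root"
  echo "root rules -> $root/.htaccess"
  for d in $dirs; do
    if is_open_dir "$d"; then
      echo "refusing      $d (browser must reach it)" >&2
    elif [ -d "$root/$d" ]; then
      write_denyall_htaccess "$root/$d"
      echo "deny-all   -> $root/$d/.htaccess"
    else
      echo "skipping      $d (not present)"
    fi
  done
}

if [ "${1:-}" ]; then
  install_htaccess "$1" "${2:-}"
fi
```

The deny-all file is only written into subdirectories that exist, so the "Yet to test" directories from the post can be tried one at a time by passing them as the second argument; a name from the must-stay-open list is refused even if it is passed explicitly.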
#2  01-09-2008, 03:00 PM
bop (Member; Join Date: Aug 2007; Posts: 92)

Will this work to prevent public access to the phpbb viewtopic pages? Should I use a smarty session tag on them?
#3  01-11-2008, 11:08 AM
kunst (Senior Member; Join Date: Aug 2007; Posts: 177)

cool .htaccess script!!!!

Exotic,

your .htaccess script is very cool, the only problem I got is:

I can't browse my site if I'm putting the script into the root dir, and if in another folder like 'admin', it won't browse that folder - it says:
Internal Server Error -
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, service@webmailer.de and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


What to do? Or did I make something wrong?

Please help!
#4  01-11-2008, 05:28 PM
exotic (Senior Member; Join Date: Jun 2007; Location: Brazil / Germany; Posts: 442)

The script was a little bit too cool

In the post the first section in the first file had two errors:

Code:
<FilesMatch ^\.ht>
  Order allow,deny
  Deny from all
</Files>
1. Error: The quotation marks around ^\.ht were missing.
2. Error: The end tag did not match the start tag.

The corrected security rule is:

Code:
<FilesMatch "^\.ht">
  Order allow,deny
  Deny from all
</FilesMatch>
I stumbled into this as I changed something from a rule I used before. This rule was

Code:
<Files .htaccess>
  Order allow,deny
  Deny from all
</Files>
The <Files> tag accepts exact file names, whereas <FilesMatch> expects a pattern match, and this match has to be surrounded by quotation marks.

I already corrected this in the original post.

Sorry, I hope we all learned something, and thank you, Kunst, for pointing this out.

exotic
#5  01-11-2008, 06:20 PM
exotic (Senior Member; Join Date: Jun 2007; Location: Brazil / Germany; Posts: 442)

Quote:
Originally Posted by bop View Post
Will this work to prevent public access to the phpbb viewtopic pages? Should I use a smarty session tag on them?
Never installed phpbb, so I can only try to give some general answer.

The idea behind .htaccess file security is to prevent some dude sitting at some web browser from running a script on your site that he is not supposed to run, or displaying a file he is not supposed to display.

To give an example:

In the osDate /libs directory we have the libraries of modOsDate, PEAR and the Smarty template engine, each library containing a bucketful of php scripts. These scripts are included in osDate scripts to use the functionality of the library, e.g. the Smarty template engine. But everybody knowing this can try to run a library script directly, let's say \libs\Smarty\internals\core.rmdir.php . Those of you who mess around with UNIX/LINUX will know that rmdir is the command to remove directories. Would you want to give somebody the right to run this file? Probably not, although in this case nothing would happen, as the script contains a function, and as long as this function is not called, nothing will happen. But you do not want to check this for every script in every library, so the best thing you can do is to say: hands off the libs directory! These files are only to be included, but not to be run directly from some dude's web browser in Baghdad. .htaccess handles this for you.

Another example:

The compiled Smarty templates are located in templates-c, a well-known fact for those who ever seriously modded an osDate site. These compiled templates have a file extension of .tpl.php so they can be run directly from a browser. Do you want this to happen? I don't think so.

Back to your question.

If the viewtopic pages are not to run directly from a browser, you can implement some htaccess rule to hide them.

If you want to grant or deny access to them depending on the user or a role the user belongs to, you have to implement this within the php script itself. osDate uses the memberships table to administer the rights and stores the rights of the current user in the session array var security, which can be queried from the php scripts or the Smarty templates. The access control of the user menu is a good example. If the role of the current user does not allow using the internal email system, the user gets some javascript alert message. This message is triggered by the corresponding element of the session array var security.

exotic

Last edited by exotic : 01-11-2008 at 06:23 PM. Reason: typo
#6  01-20-2008, 06:36 PM
vijaynair (Moderator; Join Date: Sep 2004; Posts: 8,745)

Hi exotic,

Can you email me the full .htaccess file as a txt file? I want to include this as default in osDate 2.1.0 onwards.

Thanks
__________________
Regards,

Vijay Nair
Leader - osDate Coding Team
vijay@nairvijay.com
#7  01-23-2008, 11:50 AM
SSegarane (Senior Member; Join Date: Feb 2006; Location: London, UK; Posts: 714)

Hi exotic,

Thank you for this wonderful contribution.

I have the following question:

I am currently running a few sites on subdomains and I have uploaded your ".htaccess" file on the root of the main domain; would this mean all the files (on the main domain as well as subdomains) with the extensions mentioned in the .htaccess file will be protected, or should I drop it at the root of every subdomain as well?

I guess the .htaccess file at the root takes care of everything underneath, but would like your input on this.

Cheers!

__________________
If it ain't broke don't fix it
-------------------------------------------------------------------------------
http://www.cutenet.co.uk/
Web Design - Content Management systems & custom template designs for osDate.
#8  01-23-2008, 02:44 PM
exotic (Senior Member; Join Date: Jun 2007; Location: Brazil / Germany; Posts: 442)

.htaccess security protects directories and files based on the directory hierarchy, meaning that the rules in a .htaccess are passed down to all subdirectories. I assume that your subdomain root directories are parallel to each other, so the strategy is to protect each subdomain separately:

/
  subdomain1/          (place .htaccess file type 1 here)
    admin
    banners
    cache              (place .htaccess file type 2 here)
    ...
  subdomain2/          (place .htaccess file type 1 here)
    admin
    banners
    cache              (place .htaccess file type 2 here)
    ...

You can also place file type 1 in /, as the rules in this file can be passed down to all subdirectories of /. I tested this on my server, and it worked.

File type 2 has to be placed into each individual subdirectory.

You can test the efficiency of your .htaccess by trying to access files with the extensions .inc, .inc.php, .tpl, .tpl.php, .sql, .txt, .dat, .csv.

When you get an error 403 Forbidden, you are safe.

Another issue is the visibility of .htaccess files in your FTP client. I am using filezilla and have to use the menu option "View" -> "Show hidden files".

.exe and .dll are also protected, although somebody trying to "run" an executable in a browser will only see the content of the .exe file.

Besides, I assume most of us are hosted on Linux systems.
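The check described in the post above (request the sensitive file types and expect 403) as an added example, not part of the original post or of the osDate project: a shell script that probes a list of path=deny or path=allow pairs with curl and fails if anything that should be hidden is served, or if anything the browser needs (index.php, robots.txt, a stylesheet or script you add to the list) is blocked. The 403 test alone is not enough: a rule that is too broad, such as denying .js or directories the browser must reach, also produces 403 and silently breaks the site, so the allow entries matter as much as the deny ones. The default path list is an assumption (it uses the paths named in this thread); adjust it to your installation.

```shell
#!/bin/sh
# Added example (not from the forum post or the osDate project): probe a live
# osDate site and report which sensitive paths are still served and which
# required paths are wrongly blocked.
#   usage: sh probe_htaccess.sh http://www.example.com/osdate [ "path=deny path=allow ..." ]
set -eu

# path=deny  : must answer 403 (a 2xx means the rule is missing or not applied)
# path=allow : must answer 2xx (a 403 means a rule is too broad, e.g. .js or .css)
# Assumed defaults built from the paths named in the thread; add a real
# javascript/ or templates/ file from your install as =allow to catch over-broad rules.
DEFAULT_PROBES="config.php=deny .htaccess=deny libs/Smarty/internals/core.rmdir.php=deny
templates-c/=deny install_files/=deny sql/=deny temp/=deny
index.php=allow robots.txt=allow"

http_status() {   # $1 = URL -> prints the final HTTP status code, 000 if unreachable
  code=$(curl -s -L -o /dev/null -w '%{http_code}' --max-time 15 "$1" 2>/dev/null) || true
  printf '%s\n' "${code:-000}"
}

check_one() {   # $1 = status code, $2 = deny|allow -> prints a verdict, returns 1 on a problem
  case "$2:$1" in
    deny:403)  echo protected ;;
    deny:2*)   echo EXPOSED;         return 1 ;;
    allow:2*)  echo served ;;
    allow:403) echo BLOCKED;         return 1 ;;
    *:404)     echo absent ;;              # nothing there to protect or to serve
    *:000)     echo unreachable;     return 1 ;;
    *)         echo "unexpected-$1"; return 1 ;;
  esac
}

probe_site() {   # $1 = base URL, $2 = "path=deny|allow ..."
                 # prints one line per path; returns 1 if any probe reports a problem
  base=${1%/}
  fetch=${FETCH:-http_status}   # set FETCH to another status function for a dry run
  rc=0
  for item in $2; do
    path=${item%%=*}
    want=${item#*=}
    code=$($fetch "$base/$path")
    if verdict=$(check_one "$code" "$want"); then :; else rc=1; fi
    printf '%-4s %-11s %s\n' "$code" "$verdict" "$base/$path"
  done
  return $rc
}

if [ "${1:-}" ]; then
  probe_site "$1" "${2:-$DEFAULT_PROBES}"
fi
```

A non-zero exit makes the script usable from cron or a deploy hook: run it after every osDate upgrade, since an upgrade that re-creates a directory without its .htaccess turns a "protected" line into "EXPOSED".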
#9  01-26-2008, 01:48 PM
SSegarane (Senior Member; Join Date: Feb 2006; Location: London, UK; Posts: 714)

Hi Exotic,

Thank you for the input.

I realised I had to drop this file at the root of every subdomain to make it work for that domain and folders underneath.

Quote:
# Protect all files in this directory (and below) from direct browser access
<FilesMatch ".*">
  Order deny,allow
  Deny from all
</FilesMatch>
I put the above inside the folders you have pointed out and it works wonders - thanks for that too.

One more query; how do I stop people stealing or looking at my scripts by typing on the browser something like "http://www.mydomain.com/script/jsscript.js". I know, one of the ways is to encrypt part of HTML so that the path of these files will be a gobbledygook on the source code. Where do I get this kind of encryption tool?

Cheers!

#10  01-26-2008, 02:54 PM
msdesmarais (Banned; Join Date: Aug 2005; Location: USA; Posts: 4,184)

Have you tried adding it to the following section?

Code:
# Protect files depending on extension
<FilesMatch "^(.*)\.(inc|inc\.php|tpl|tpl\.php|sql|txt|dat|csv|exe|dll|js)$">
  Order deny,allow
  Deny from all
</FilesMatch>
All times are GMT -7.