Solved

.htaccess allow only php

Posted on 2013-05-16
7
1,260 Views
Last Modified: 2013-06-03
Im trying to write a .htaccess file which will block access to .inc files on my apache web server.

At the moment a user can type in http://myserver/dbConf.inc and they get all my database credentials, not a great idea :-S

So after reading about .htaccess Ive done the following:-
<Files *.inc>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow 
    Deny from all
</Files>

<Files *.png>
    Order Deny,Allow 
    Deny from all
</Files>


<Files *.swg>
    Order Deny,Allow 
    Deny from all
</Files>

Open in new window


Which successfully blocks access to my dbConf.inc file, but also my index.php file :-S

What Im trying to do is only allow access to *.php, *.png, *.swg and block access to everything else, which I thought would be acomplised by:-
<Files *.*>
    Order Deny,Allow 
    Deny from all
</Files>

Open in new window


What am I doing wrong?
0
Comment
Question by:tonelm54
7 Comments
 
LVL 19

Expert Comment

by:darron_chapman
ID: 39172720
Is there a reason your credentials are in an .inc file? They really should be in a PHP file and not in a plain text, downloadable file.  You can include the file with the content below and name it dbConf.php ... it won't show up when someone goes to  http://myserver/dbConf.php
<?php
$userName = "admin";
$passWord = "mypassword";

Open in new window

0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39172738
Standard practice is what darron suggests, make it a *.php file.  You will see it done that way in Wordpress, phpMyAdmin, and many other applications including mine.
0
 

Author Comment

by:tonelm54
ID: 39172746
Ok, done that, which has worked.

What Im now looking at is to stop the user being able to access some .dat files in a subdirectory, is it possible to block access in the .htacess file to .dat?
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 7

Expert Comment

by:msifox
ID: 39172775
Problem with just putting them into a php file is that when the php interpreter doesn't run, the web server will show the php source instead of interpreting it.

You could configure your web server to use a different root directory and place the php files with passwords outside of this.

For example when I see that default root is /var/www, I setup /var/www/htdocs and declare this as root, then I create /var/www/php and put my php-files with passwords there. Other php files can include them with
   include '../php/passwords.php'
but the web server will refuse to deliver
   http://../php/password.php

Another option is to use htaccess to refuse access to anything that has a name that begins with a dot. Then you can do
   include '.passwords.php'
but the web server will not show it.
0
 
LVL 19

Expert Comment

by:darron_chapman
ID: 39172785
Try this in your .htaccess file

<Files ~ "\.dat$">
	Order allow,deny
	Deny from all
</Files>

Open in new window

0
 
LVL 82

Accepted Solution

by:
hielo earned 500 total points
ID: 39173003
To allow access only to files with specific extensions try:
Order Deny, Allow
Deny from all
Allow from 127.0.0.1

<FilesMatch "\.(?i:css|js|php|gif|png|jpg)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

Open in new window


To deny access only to files with specific extensions try:
Order Deny, Allow
Allow from all

<FilesMatch "\.(?i:inc|dat|ini|conf)$">
    Order Allow,Deny
   Deny from all
</FilesMatch>

Open in new window

0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39175559
- you seem to deny access on all files, but i guess you noticed already

- the simplest, safest, and best practice way is to start by sticking those files in a place that the web server user can use but that is not in the web server's root

then you may want to try

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>

<Files *.php>
    Order Deny,Allow
    Allow from all
</Files>

<Files *.png>
    Order Deny,Allow
    Allow from all
</Files>


<Files *.swg>
    Order Deny,Allow
    Allow from all
</Files>

or rather

<Files *>
    Order Allow,Deny
    Allow from all
</Files>

<Files *.inc>
    Order Deny,Allow
    Deny from all
</Files>
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now