Blocking additional .htaccess in sub-directories

     

adrianTNT

5:56 pm on Aug 12, 2010 (gmt 0)




I have a main .htaccess in my site root and I have folders, e.g. /user_uploads/01, /user_uploads/02, etc., where I want to block additional .htaccess from being processed.
Can I do this from my main htaccess in site root?

jdMorgan

6:08 pm on Aug 12, 2010 (gmt 0)




No. You can stop mod_rewrite in those subdirectory .htaccess files from being processed, but this control is not available for other modules.

If you only need to stop mod_rewrite execution, see the mod_rewrite "RewriteOptions" directive and turn off "inherit".

Jim

adrianTNT

6:48 pm on Aug 12, 2010 (gmt 0)




Maybe I asked this the wrong way.
Actually I am trying to block scripts from running in the user uploads area (by redirecting any .php, .asp, etc. to the site root), but I found that if a user uploads another .htaccess then it is allowed to overwrite my scripts redirect that I had in the main .htaccess.

So asking it differently now:
What directives can I use in the main .htaccess file in order to prevent all scripts from running in user uploads folders like /user_uploads/01, /user_uploads/02, etc.?

Thanks.

jdMorgan

10:44 pm on Aug 12, 2010 (gmt 0)




.htaccess is not a script.

You need to prevent all of these filetypes from being uploaded by modifying the "uploader" script to forbid the use of any but the filenames/filetypes that you are willing to allow.

Also set the file permissions so that the files in the upload directory are not executable.

You need a *very good* "uploader" script if you want to prevent your server from being hacked within a few hours...

Jim

adrianTNT

11:38 pm on Aug 12, 2010 (gmt 0)




Renaming files was what I used until now, but I thought there must be some more elegant, more direct way than just brush all files each time a user uploads or edits the current files.

For now I am renaming the files with extensions: htaccess, asp, cgi, jsp, php, php3, php4, php5, php6. Do you think this should be safe enough?
mail.php would become mail.php_safe

If not, I would also try editing the file permission codes, but I do not think that works well: in case I move files to another server, the permission code might change and expose files. And I want to display other extensions to users, like index.html files, images, etc.
Would this renaming be ok?

encyclo

12:02 am on Aug 13, 2010 (gmt 0)




Not allowing uploads into your site root would be a better approach IMO. You could create a subdomain, e.g. users.example.com, as a VirtualHost with an entirely separate document root, use RemoveHandler etc. to disable the parsing of PHP and other such files, and use
AllowOverride none
to disallow .htaccess files - in short, lock it down as much as possible.

[httpd.apache.org...]
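
The setup encyclo describes, written out as a server-level configuration; this is an added example, not part of the original thread. The host name is the one from the post; the port, the document root path, Apache 2.4 access-control syntax and the mod_php module name are assumptions.

```apache
# Added example. Goes in the main server config (not in .htaccess),
# which is why an uploaded .htaccess cannot undo it.
<VirtualHost *:80>
    ServerName users.example.com

    # Assumed path: a document root entirely separate from the main site
    DocumentRoot "/var/www/user_uploads"

    <Directory "/var/www/user_uploads">
        # Apache stops reading .htaccess files anywhere under this tree,
        # so /user_uploads/01/.htaccess etc. are never processed
        AllowOverride None

        # No CGI execution, no server-side includes, no directory listings
        Options -ExecCGI -Includes -Indexes

        # Drop AddHandler/AddType mappings for the extensions named in the thread
        RemoveHandler .php .php3 .php4 .php5 .php6 .asp .cgi .jsp
        RemoveType    .php .php3 .php4 .php5 .php6 .asp .cgi .jsp

        # RemoveHandler does not undo a handler assigned with SetHandler
        # elsewhere, so also switch the PHP engine off when mod_php is loaded.
        # Assumption: the module is loaded as php5_module; adjust to your build.
        <IfModule php5_module>
            php_admin_flag engine off
        </IfModule>

        # Apache 2.4 syntax; on 2.2 use "Order allow,deny" / "Allow from all"
        Require all granted
    </Directory>
</VirtualHost>
```

Static files such as index.html and images are still served from this host; a request for an uploaded .php file returns its contents as data instead of executing it.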
 
