
.htaccess and "deny all"

Is this "bullet-proof"


genesisone

8:12 am on Jan 18, 2005 (gmt 0)

10+ Year Member



I've been examining the code in a CGI-based discussion board system and have found that several internal directories that store posted messages, user data, etc. have .htaccess files in them that contain this simple text and nothing more:

deny all

Obviously the scripts associated with this discussion board can still access the contents of those directories and write to them, but how secure does deny all actually make them against outside access attempts?

jdMorgan

2:13 pm on Jan 18, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It secures the files against access by unauthorized users using the HTTP protocol and your Apache server.

It does not secure them against personnel at the server site, or users accessing the server using any non-HTTP access method such as FTP.

Jim

genesisone

5:53 pm on Jan 18, 2005 (gmt 0)

10+ Year Member



My Web host states that "anonymous ftp is disabled on all servers." Would that mean, then, that files in this .htaccess protected directory would be secure unless someone hacked my user name and password, or unless an unscrupulous employee of my Web host decided to raid my account?

jdMorgan

6:06 pm on Jan 18, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, or unless someone used Telnet or another non-HTTP service to get in.

Jim

genesisone

7:27 pm on Jan 18, 2005 (gmt 0)

10+ Year Member



Many thanks for the info. You've been very helpful!

valder

1:42 am on Jan 19, 2005 (gmt 0)

10+ Year Member



Comment for newbies: (in case someone searched for "bullet-proof .htaccess", then stumbled upon this, and thinks that it will take care of web security for them :)

Don't believe "deny all" will deny all access to files. It will not, for instance, deny PHP or any other server-side programs access to those files.

I think this has already been suggested by Jim, but I'll say it out loud and in clear text:
"deny all" does not mean securing your server! :)

-Eivind
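To make concrete what Jim and Eivind describe (HTTP blocked, everything else untouched), here is an added example, not code from anyone in this thread, of the same intent written in Apache's documented syntax. It assumes a stock Apache 2.2 or 2.4 with mod_authz_host / mod_authz_core and an `AllowOverride` that includes `Limit` (or `AuthConfig`) for the directory.

```apache
# Added example (not from the thread): an .htaccess placed in the data directory.
#
# The bare line quoted above,
#     deny all
# is not the documented form of the directive (it is "Deny from host ...").
# Apache 2.2 refuses to parse it, so requests into the directory come back as
# 500 Internal Server Error rather than a deliberate 403. The files are still
# not served, but only as a side effect of a broken config.

# Apache 2.2 (mod_authz_host): refuse every HTTP client, on purpose
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Apache 2.4 (mod_authz_core): same intent, new syntax
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Caveats a practitioner should check, matching the points made in the thread:
#  - If the server's AllowOverride for this path is "None", this whole file is
#    ignored and the contents are served normally. Verify with a real request
#    to a file in the directory and confirm you get 403, not 200.
#  - Neither directive affects PHP/CGI scripts, FTP, SSH/Telnet or the host's
#    staff: they read the files through the filesystem, not through Apache's
#    request handling. Filesystem permissions and keeping the data directory
#    outside DocumentRoot are what limit those paths, not .htaccess.
```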