(Msg. 1) Posted: Tue Dec 05, 2006 3:15 pm
Post subject: .htaccess prevents itself from being viewed but not "sess*" files in directory (archived from groups: alt>www>webmaster, others)
<Directory />
Options -Indexes
</Directory>
<Files ~ "^\.ht">
order allow,deny
deny from all
</Files>
<Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
order allow,deny
deny from all
</Files>
This is designed to prevent itself, all files beginning with "sess" and
the directory listing from being viewed.
Right now I get the expected 403 Forbidden if I try to view the
directory listing and if I try to view .htaccess itself via browser,
however, when I try to view any file beginning with "sess" it lets me
view it though it's not supposed to do so.
I tried every known regular expression pattern onto "sess" and all
failed to block. Is there something else I need to do to prevent
"sess" files from being blocked? They are PHP session files and I
don't really have any control over permission settings for these files
else I would not bother with .htaccess
Thanx
Phil
(Msg. 2) Posted: Wed Dec 06, 2006 2:41 am
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
<phillip.s.powell.TakeThisOut@gmail.com> schreef in bericht
news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> <Directory />
> Options -Indexes
> </Directory>
>
> <Files ~ "^\.ht">
> order allow,deny
> deny from all
> </Files>
Odd you have to set this yourself; it should be in httpd.conf.
> <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
See 'session.hash_bits_per_character' at
http://www.php.net/manual/en/ref.session.php
> order allow,deny
> deny from all
> </Files>
> This is designed to prevent itself, all files beginning with "sess" and
> the directory listing from being viewed.
Your session.save_path in php.ini should be set _outside_ the document tree
HansH
(Msg. 3) Posted: Wed Dec 06, 2006 7:38 am
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
HansH wrote:
> <phillip.s.powell RemoveThis @gmail.com> schreef in bericht
> news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > <Directory />
> > Options -Indexes
> > </Directory>
> >
> > <Files ~ "^\.ht">
> > order allow,deny
> > deny from all
> > </Files>
> Odd you have to set this yourself; it should be in httpd.conf.
That's assuming you have permissions and access to httpd.conf, which I
don't
>
> > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> See 'session.hash_bits_per_character' at
> http://www.php.net/manual/en/ref.session.php
session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
using PHP 4.3.9, sorry.
I tried your pattern, but unfortunately that also failed to match and
the session file was easily viewable via browser, which obviously you
don't want
>
> > order allow,deny
> > deny from all
> > </Files>
>
> > This is designed to prevent itself, all files beginning with "sess" and
> > the directory listing from being viewed.
> Your session.save_path in php.ini should be set _outside_ the document tree
>
That would be assuming you have the rights to do so IAPW. However, I
am designing a portable web application that will be housed in a shared
hosting platform which does not allow for us to store sessions within
session.save_path (or for that matter, have any access outside of our
chroot - can you say "chroot jail"?), nor are we allowed to even change
any of the default php.ini values via ini_set() either (I tried that,
believe me). So that left me only with the option to store sessions
within our chroot (actually in one case, within the document root only
as that's as far back as we're allowed to go), and since they're
"open", I need to make sure the session file contents are not viewable.
> HansH
(Msg. 4) Posted: Wed Dec 06, 2006 10:14 am
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
phillip.s.powell.TakeThisOut@gmail.com wrote:
> HansH wrote:
> > <phillip.s.powell.TakeThisOut@gmail.com> schreef in bericht
> > news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > > <Directory />
> > > Options -Indexes
> > > </Directory>
> > >
> > > <Files ~ "^\.ht">
> > > order allow,deny
> > > deny from all
> > > </Files>
> > Odd you have to set this yourself; it should be in httpd.conf.
>
> That's assuming you have permissions and access to httpd.conf, which I
> don't
>
> >
> > > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> > Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> > See 'session.hash_bits_per_character' at
> > http://www.php.net/manual/en/ref.session.php
>
> session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
> using PHP 4.3.9, sorry.
>
> I tried your pattern, but unfortunately that also failed to match and
> the session file was easily viewable via browser, which obviously you
> don't want
>
> >
> > > order allow,deny
> > > deny from all
> > > </Files>
> >
> > > This is designed to prevent itself, all files beginning with "sess" and
> > > the directory listing from being viewed.
> > Your session.save_path in php.ini should be set _outside_ the document tree
> >
>
> That would be assuming you have the rights to do so IAPW. However, I
> am designing a portable web application that will be housed in a shared
> hosting platform which does not allow for us to store sessions within
> session.save_path (or for that matter, have any access outside of our
> chroot - can you say "chroot jail"?), nor are we allowed to even change
> any of the default php.ini values via ini_set() either (I tried that,
> believe me). So that left me only with the option to store sessions
> within our chroot (actually in one case, within the document root only
> as that's as far back as we're allowed to go), and since they're
> "open", I need to make sure the session file contents are not viewable.
>
>
> > HansH
/tmp should work even in your environment and should work in about 95% of
linux flavored hosting. If it doesn't you might consider moving. You
might also run phpinfo.php and make sure your temp is at /tmp. Session
files are dangerous to have lying around anywhere, it is a major
security breach.
(Msg. 5) Posted: Wed Dec 06, 2006 10:21 am
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
Concreteman wrote:
> phillip.s.powell.DeleteThis@gmail.com wrote:
> > HansH wrote:
> > > <phillip.s.powell.DeleteThis@gmail.com> schreef in bericht
> > > news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > > > <Directory />
> > > > Options -Indexes
> > > > </Directory>
> > > >
> > > > <Files ~ "^\.ht">
> > > > order allow,deny
> > > > deny from all
> > > > </Files>
> > > Odd you have to set this yourself; it should be in httpd.conf.
> >
> > That's assuming you have permissions and access to httpd.conf, which I
> > don't
> >
> > >
> > > > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> > > Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> > > See 'session.hash_bits_per_character' at
> > > http://www.php.net/manual/en/ref.session.php
> >
> > session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
> > using PHP 4.3.9, sorry.
> >
> > I tried your pattern, but unfortunately that also failed to match and
> > the session file was easily viewable via browser, which obviously you
> > don't want
> >
> > >
> > > > order allow,deny
> > > > deny from all
> > > > </Files>
> > >
> > > > This is designed to prevent itself, all files beginning with "sess" and
> > > > the directory listing from being viewed.
> > > Your session.save_path in php.ini should be set _outside_ the document tree
> > >
> >
> > That would be assuming you have the rights to do so IAPW. However, I
> > am designing a portable web application that will be housed in a shared
> > hosting platform which does not allow for us to store sessions within
> > session.save_path (or for that matter, have any access outside of our
> > chroot - can you say "chroot jail"?), nor are we allowed to even change
> > any of the default php.ini values via ini_set() either (I tried that,
> > believe me). So that left me only with the option to store sessions
> > within our chroot (actually in one case, within the document root only
> > as that's as far back as we're allowed to go), and since they're
> > "open", I need to make sure the session file contents are not viewable.
> >
> >
> > > HansH
>
> /tmp should work even in your environment and should work in about 95% of
> linux flavored hosting. If it doesn't you might consider moving. You
> might also run phpinfo.php and make sure your temp is at /tmp. Session
> files are dangerous to have lying around anywhere, it is a major
> security breach.
Would you believe we're in the 5%? It's a "chroot jail", no access of
any kind is allowed outside of your chroot, not even to /tmp!
I agree about leaving session files lying around, but sadly I have no
choice unless the company decides to go with my suggestion on a
dedicated host instead of a shared host, until then I'm expected to
come up with a solution that is secure and functional within the
shared host settings given to us
(Msg. 6) Posted: Thu Dec 07, 2006 2:07 pm
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
HansH wrote:
> <phillip.s.powell.RemoveThis@gmail.com> schreef in bericht
> news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > <Directory />
> > Options -Indexes
> > </Directory>
> >
> > <Files ~ "^\.ht">
> > order allow,deny
> > deny from all
> > </Files>
> Odd you have to set this yourself; it should be in httpd.conf.
>
> > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> See 'session.hash_bits_per_character' at
> http://www.php.net/manual/en/ref.session.php
>
> > order allow,deny
> > deny from all
> > </Files>
>
What I tried doing was this, out of desperation:
<Files>
order allow,deny
deny from all
</Files>
And even then all session files were still viewable. That's when I
concluded perhaps it is due to the nature of how PHP names its session
files (no PHP session file has any extension, just a name), and that's
perhaps why it is not even recognized, just perhaps, as a file in the
first place and thus, isn't filtered by the Files directive and remains
viewable in spite of the directory global restriction
Phil
> > This is designed to prevent itself, all files beginning with "sess" and
> > the directory listing from being viewed.
> Your session.save_path in php.ini should be set _outside_ the document tree
>
> HansH
(Msg. 7) Posted: Fri Dec 08, 2006 2:00 am
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
<phillip.s.powell.TakeThisOut@gmail.com> schreef in bericht
news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...
> What I tried doing was this, out of desperation:
>
> <Files>
> order allow,deny
> deny from all
> </Files>
What files are to be denied without specifying a filename ??
Test for me
<Files ~ ".">
> And even then all session files were still viewable. That's when I
> concluded perhaps it is due to the nature of how PHP names its session
> files (no PHP session file has any extension, just a name),
Thinking name-dot-extension ... is a MicroSoft doctrine.
BTW your sess* files are at the document_root ...???
If not, try
<Location /<folder>/>
order allow,deny
deny from all
HansH
</Location>
(Msg. 8) Posted: Fri Dec 08, 2006 8:23 am
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
HansH wrote:
> <phillip.s.powell.RemoveThis@gmail.com> schreef in bericht
> news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...
> > What I tried doing was this, out of desperation:
> >
> > <Files>
> > order allow,deny
> > deny from all
> > </Files>
> What files are to be denied without specifying a filename ??
> Test for me
> <Files ~ ".">
Sorry I tried that and the session files are still viewable via
browser:
<Files ~ ".">
order allow,deny
deny from all
</Files>
>
> > And even then all session files were still viewable. That's when I
> > concluded perhaps it is due to the nature of how PHP names its session
> > files (no PHP session file has any extension, just a name),
> Thinking name-dot-extension ... is a MicroSoft doctrine.
>
>
> BTW your sess* files are at the document_root ...???
> If not, try
> <Location /<folder>/>
> order allow,deny
> deny from all
>
Sorry that also failed; the session files are easily viewable via
browser
<Location /path/to/session/files>
order allow,deny
deny from all
</Location>
> HansH
> </Location>
(Msg. 9) Posted: Fri Dec 08, 2006 9:01 am
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
phillip.s.powell.TakeThisOut@gmail.com wrote:
> HansH wrote:
> > <phillip.s.powell.TakeThisOut@gmail.com> schreef in bericht
> > news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...
> > > What I tried doing was this, out of desperation:
> > >
> > > <Files>
> > > order allow,deny
> > > deny from all
> > > </Files>
> > What files are to be denied without specifying a filename ??
> > Test for me
> > <Files ~ ".">
>
> Sorry I tried that and the session files are still viewable via
> browser:
>
> <Files ~ ".">
> order allow,deny
> deny from all
> </Files>
>
> >
> > > And even then all session files were still viewable. That's when I
> > > concluded perhaps it is due to the nature of how PHP names its session
> > > files (no PHP session file has any extension, just a name),
> > Thinking name-dot-extension ... is a MicroSoft doctrine.
> >
> >
> > BTW your sess* files are at the document_root ...???
> > If not, try
> > <Location /<folder>/>
> > order allow,deny
> > deny from all
> >
>
> Sorry that also failed; the session files are easily viewable via
> browser
>
> <Location /path/to/session/files>
> order allow,deny
> deny from all
> </Location>
>
>
> > HansH
> > </Location>
since we're talking silly land solutions here for a silly setup, why not
just use a rewrite for all files
starting sess_ and ending with 32 chars
the rewrite could rewrite to a "dev/null" script.
why not use allow,deny and allow for localhost no one else.
or basic auth, for all but localhost.
i know it shouldn't be needed, but I only mention it cos everyone's going
for the regular solutions and they aren't working, meanwhile your users
are unprotected, and maybe your apps, and server!
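Added example, not code from anyone in the thread: a Python check of the `<Files ~>` regexes from Msg. 1 and Msg. 2, plus Msg. 9's "starting sess_ and ending with 32 chars" condition written out as a regex, against the filename shapes PHP actually writes (sess_ followed by a 128-bit md5 id: 32 hex characters by default, which is all PHP 4.3.9 produces; the 5- and 6-bit alphabets are the ones the linked session.hash_bits_per_character manual entry describes). The sample names are constructed here, and the result shows that the original Msg. 1 pattern already matches every default PHP 4 session name, so the regex itself is not where those files slipped through; HansH's comma variant only matters once hash_bits_per_character=6 is in use.

```python
import re

# Alphabet PHP draws session-id characters from, keyed by the PHP 5+ php.ini
# setting session.hash_bits_per_character. PHP 4 (the poster's 4.3.9) has no
# such setting and always writes the 32-character hex form (the "4" row).
PHP_SESSION_ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,",
}

def session_id_length(bits_per_char: int) -> int:
    """Characters needed to encode the 128-bit md5 id: 32, 26 or 22."""
    return -(-128 // bits_per_char)          # ceiling division

def is_php_session_filename(filename: str, bits_per_char: int) -> bool:
    """Does `filename` have the exact shape sess_<id> for this setting?"""
    alphabet = re.escape(PHP_SESSION_ALPHABETS[bits_per_char])
    n = session_id_length(bits_per_char)
    return re.fullmatch(rf"sess_[{alphabet}]{{{n}}}", filename) is not None

# The <Files ~ "..."> regexes tried in the thread, plus Msg. 9's description
# ("starting sess_ and ending with 32 chars") written out as a regex here.
PATTERNS = {
    "msg1_original": r"^sess[a-zA-Z0-9\-_\.]*$",
    "hansh_comma":   r"^sess[a-zA-Z0-9\-_,]*$",
    "msg9_32chars":  r"^sess_.{32}$",
}

def matching_patterns(filename: str) -> dict:
    """{pattern name: bool}. Apache applies a <Files ~> regex to the basename
    with an unanchored search, which re.search mirrors for these patterns."""
    return {name: re.search(pat, filename) is not None
            for name, pat in PATTERNS.items()}

# Constructed sample names, one per hash_bits_per_character value.
SAMPLE_FILES = {
    4: "sess_0123456789abcdef0123456789abcdef",   # 32 hex chars
    5: "sess_0123456789abcdefghijklmnop",         # 26 chars from 0-9a-v
    6: "sess_Ab,cd-EF09ghIJ,kl-MN0z",             # 22 chars incl. ',' and '-'
}

def unmatched_samples(pattern_name: str) -> list:
    """Sample session files that a given pattern would leave unprotected."""
    return [f for f in SAMPLE_FILES.values()
            if not matching_patterns(f)[pattern_name]]

if __name__ == "__main__":
    for bits, name in SAMPLE_FILES.items():
        assert is_php_session_filename(name, bits)
        print(f"hash_bits_per_character={bits}: {name}")
        for pat, hit in matching_patterns(name).items():
            print(f"  {pat:14s} {'blocks' if hit else 'MISSES'}")
```

Because a correct regex still left the files readable in the thread, the check a practitioner would run next is whether the .htaccess is actually in (or above) the directory holding the sess_ files and whether the host's AllowOverride honours Files sections at all; none of that is visible from the pattern alone.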
(Msg. 10) Posted: Fri Dec 08, 2006 2:57 pm
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
HansH wrote:
> <phillip.s.powell.RemoveThis@gmail.com> schreef in bericht
> news:1165595006.771399.176320@l12g2000cwl.googlegroups.com...
> > <Location /path/to/session/files>
> If /path/to/session/files is a local path, use Directory
> The full path shown may vary per ftp, http and php, depending on the extent
> of chroot-ing
>
> > order allow,deny
> > deny from all
> > </Location>
>
> Final attempt: put an index.html in the folder containing those pesky sess*
> files
Yeah <Directory /path/to/session/files> failed too, sorry, but the
session files are clearly visible.
I gave up and put in a blank index.html and will hope for the best.
Phil
>
> HansH
(Msg. 11) Posted: Fri Dec 08, 2006 7:13 pm
Post subject: Re: .htaccess prevents itself from being viewed but not "sess*" files in directory
<phillip.s.powell.DeleteThis@gmail.com> schreef in bericht
news:1165595006.771399.176320@l12g2000cwl.googlegroups.com...
> <Location /path/to/session/files>
If /path/to/session/files is a local path, use Directory
The full path shown may vary per ftp, http and php, depending on the extent
of chroot-ing
> order allow,deny
> deny from all
> </Location>
Final attempt: put an index.html in the folder containing those pesky sess*
files
HansH