xoops forums
Posted on: 2007/6/14 11:23
wtravel
Posts: 987
Since: 2003/8/27
#31

Re: Open holes and hacked

From what I read about it, basically it lets the file types added to the handler load as cgi-script and at the same time not execute them.

Instead of executing the files it shows them as plain text in the browser.

I wonder what happens if a .php3 file is added to the upload directory. Does the script look at the file type, or does it try to match the extension of the file (in which case .php3 would still be executed as a php file with the above line)?

Has someone tested this?

Posted on: 2007/6/14 11:36
OldFriend
Just popping in
Posts: 99
Since: 2005/10/28
#32

Re: Open holes and hacked

Quote:
Order Deny,Allow
Deny from all
<FilesMatch "\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>


I have this already in the .htaccess

Should I replace this with the
Quote:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
or add it before or after the existing .htaccess?

Posted on: 2007/6/14 11:45
Dave_L
XOOPS is my life!
Posts: 2277
Since: 2003/11/7
#33

Re: Open holes and hacked

wtravel: Thanks. Someone earlier in this thread said he tested this and it worked.

But it only applies if the server is running Apache. Also, it requires that Apache be configured to allow the use of .htaccess files (AllowOverride); not all servers are configured that way.

Posted on: 2007/6/14 19:32
xgarb
Not too shy to talk
Posts: 154
Since: 2003/3/30
#34

Re: Open holes and hacked

My understanding is that any file type in the list..

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

is assigned to CGI

and this bit

Options -ExecCGI

stops any CGI (and everything assigned) from executing.

It works for me as mentioned previously. Here's the link again for people who like reading.. http://www.askapache.com/htaccess/sec ... ess.html#show-source-code


Dave_L,

Maybe there should be server specific versions of xoops.. ie a hardened version for Apache.. or maybe the installer could check server environment and adjust accordingly?
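Added example (the editor's, not code from any poster here or from XOOPS): a small Python audit of the kind of .htaccess discussed in this thread. It puts the two quoted snippets (the image-only allowlist from #32 and the AddHandler/-ExecCGI pair from #34) together in one constructed sample, then checks what the handler line actually covers. It bears on wtravel's question in #31: Apache's mod_mime binds handlers by filename extension, treating every dot-separated component after the base name as an extension and comparing case-insensitively, so report.php.jpg and INDEX.PHP are caught by ".php" while ".php3" or ".phtml" are not unless they are listed. The CHECKLIST, SAMPLE_HTACCESS and function names are this example's own; which checklist extensions a given server really hands to an interpreter is an assumption that has to be read from that server's configuration.

```python
# Added example, not from the thread: audit an .htaccess snippet that uses the
# AddHandler cgi-script / Options -ExecCGI trick and report which script
# extensions it leaves uncovered.
import re

# Constructed checklist of extensions that PHP-enabled hosts commonly map to an
# interpreter. Which of these YOUR server executes is an assumption to verify
# against its own AddType/AddHandler/FilesMatch lines.
CHECKLIST = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
             ".pl", ".py", ".cgi", ".sh", ".shtml", ".jsp", ".asp")

# Sample .htaccess built from the two snippets quoted in the thread. Each group
# needs its own AllowOverride category to be honoured: Limit for Order/Deny/Allow,
# FileInfo for AddHandler, Options for Options (Apache 2.2 syntax, as in the thread).
SAMPLE_HTACCESS = """\
Order Deny,Allow
Deny from all
<FilesMatch "\\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
"""


def _directives(text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def cgi_handler_extensions(text):
    """Every extension bound to cgi-script by an AddHandler line, lower-cased and
    with a leading dot (AddHandler accepts both forms and is case-insensitive)."""
    exts = set()
    for line in _directives(text):
        m = re.match(r"AddHandler\s+cgi-script\s+(.+)$", line, re.IGNORECASE)
        if m:
            for ext in m.group(1).split():
                ext = ext.lower()
                exts.add(ext if ext.startswith(".") else "." + ext)
    return exts


def execcgi_disabled(text):
    """True when an Options line in this file removes ExecCGI, either with
    '-ExecCGI' or with an absolute list (e.g. 'Options None') that omits it.
    With no Options line at all, ExecCGI is simply inherited, so this returns
    False meaning 'not disabled here', not 'enabled'."""
    disabled = False
    for line in _directives(text):
        m = re.match(r"Options\s+(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        tokens = m.group(1).split()
        if any(t.lower() == "-execcgi" for t in tokens):
            disabled = True
        elif any(t.lower() in ("+execcgi", "execcgi") for t in tokens):
            disabled = False
        elif not any(t.startswith(("+", "-")) for t in tokens):
            disabled = True  # absolute Options list without ExecCGI resets it
    return disabled


def handler_applies(filename, exts):
    """Mirror mod_mime's matching rule: every dot-separated component after the
    base name counts as an extension, compared case-insensitively, so
    'report.php.jpg' matches '.php' as well as '.jpg'."""
    parts = filename.lower().split(".")
    return any("." + p in exts for p in parts[1:] if p)


def uncovered_extensions(text, checklist=CHECKLIST):
    """Checklist extensions the AddHandler line leaves to their normal handler."""
    exts = cgi_handler_extensions(text)
    return sorted(e for e in checklist if e not in exts)


if __name__ == "__main__":
    exts = cgi_handler_extensions(SAMPLE_HTACCESS)
    print("cgi-script extensions:", sorted(exts))
    print("ExecCGI disabled here:", execcgi_disabled(SAMPLE_HTACCESS))
    print("checklist extensions NOT covered:", uncovered_extensions(SAMPLE_HTACCESS))
    for name in ("photo.jpg", "report.php", "report.php3", "report.php.jpg"):
        print(f"{name}: cgi-script handler applies = {handler_applies(name, exts)}")
```

Run it as a script for the report, or import the functions and pass in a real .htaccess. The point it makes for this thread: the AddHandler line is a per-extension list, so any extension the host maps to PHP but the list omits stays executable, and whether any of the directives take effect at all depends on the AllowOverride categories the host grants, which is Dave_L's point in #33; a directive the host has not permitted makes Apache answer 500 for every request into that directory, which the error log will show.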

Posted on: 2007/6/24 13:11
giba
Just can't stay away
Posts: 638
Since: 2003/4/26
#35

Re: Open holes and hacked

Additions, with suggestions by Claudia.

Add to the folder's .htaccess file:

Quote:
<FilesMatch "\.(php|js)$">
    Order deny,allow
    Deny from all
</FilesMatch>


This will prevent php and js files from being executed directly via the URL, but it does not harm the functioning of xoops, since they can still be called by other scripts.

Because normally, when hackers manage to upload files to these folders through some security hole, they then need to execute them via the URL.