Re: Open holes and hacked

From what I read about it, basically it lets the file types added to the handler load as cgi-script and at the same time not execute them.

Instead of executing the files it shows them as plain text in the browser.

I wonder what happens if a .php3 file is added to the upload directory. Does the script look at the file type or does it try to match the extension of the file (in which case .php3 would still be executed as a php file with the above line)?

Has someone tested this?

Re: Open holes and hacked
  • 2007/6/14 11:36

  • OldFriend

  • Just popping in

  • Posts: 99

  • Since: 2005/10/28

Order Deny,Allow
Deny from all
<FilesMatch "\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>

I have this already in the .htaccess

Should I replace this with the
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
or add it before or after the existing .htaccess?

Re: Open holes and hacked
  • 2007/6/14 11:45

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7

wtravel: Thanks. Someone earlier in this thread said he tested this and it worked.

But it only applies if the server is running Apache. Also, it requires that Apache be configured to allow the use of .htaccess files (AllowOverride); not all servers are configured that way.

Re: Open holes and hacked
  • 2007/6/14 19:32

  • xgarb

  • Not too shy to talk

  • Posts: 154

  • Since: 2003/3/30

my understanding is any file type in the list..

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

is assigned to CGI

and this bit

Options -ExecCGI

stops any CGI (and everything assigned) from executing.

It works for me as mentioned previously. Here's the link again for people who like reading.. http://www.askapache.com/htaccess/sec ... ess.html#show-source-code


Maybe there should be server specific versions of xoops.. ie a hardened version for Apache.. or maybe the installer could check server environment and adjust accordingly?

Re: Open holes and hacked
  • 2007/6/24 13:11

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26

Complements, suggestions by Claudia.

Add to the .htaccess file in the folder:

<FilesMatch "\.(php|js)$">
Order deny,allow
Deny from all
</FilesMatch>

This will prevent php and js files from being executed directly via the URL, but it does not harm the functioning of xoops, since they can still be called by other scripts.

Because normally, when hackers manage to upload files to these folders through some security hole, they then need to execute them via the URL.
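As an added illustration that is not from the thread or from XOOPS, the following Python models how the three .htaccess snippets quoted above match filenames (using Apache's documented FilesMatch and AddHandler matching rules) against a constructed upload listing; it shows which names, such as the .php3 case asked about earlier, each snippet still leaves to the server's default handler.

```python
import re

# Constructed upload-directory listing for illustration; these names are not from the thread.
UPLOADS = ["avatar.jpg", "photo.PNG", "shell.php", "shell.php3", "shell.phtml",
           "shell.PHP", "shell.php.jpg", "script.js"]

# Snippet 1: Order Deny,Allow / Deny from all / <FilesMatch "\.(gif|jpe?g|png)$"> Allow from all
ALLOWLIST = re.compile(r"\.(gif|jpe?g|png)$")
# Snippet 2: AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi / Options -ExecCGI
CGI_EXTS = {".php", ".pl", ".py", ".jsp", ".asp", ".htm", ".shtml", ".sh", ".cgi"}
# Snippet 3: <FilesMatch "\.(php|js)$"> Deny from all
DENYLIST = re.compile(r"\.(php|js)$")

# Each function answers one question: does this snippet keep the file away from
# the server's default handler for its extension (e.g. PHP for .php or .php3)?

def caught_by_allowlist(name):
    # Everything is denied unless the regex matches; FilesMatch is case-sensitive
    # and the $ anchor tests only the final extension (so photo.PNG is denied too).
    return not ALLOWLIST.search(name)

def caught_by_addhandler(name):
    # mod_mime compares AddHandler extensions case-insensitively against every
    # extension segment of the name, so "x.PHP" and "x.php.jpg" are both remapped.
    segments = {"." + s.lower() for s in name.split(".")[1:]}
    return bool(segments & CGI_EXTS)

def caught_by_denylist(name):
    # Case-sensitive regex on the final extension only: .php3, .phtml and .PHP slip past.
    return bool(DENYLIST.search(name))

POLICIES = {"allowlist": caught_by_allowlist,
            "addhandler": caught_by_addhandler,
            "denylist": caught_by_denylist}

def uncaught(names):
    """Per snippet, the names that still reach the server's default handler."""
    return {policy: [n for n in names if not check(n)] for policy, check in POLICIES.items()}

if __name__ == "__main__":
    for policy, names in uncaught(UPLOADS).items():
        print(f"{policy:10s} lets through: {names}")
```

What Apache then does with a name that falls through (execute it, show its source or return 403) depends on the server's own handler configuration and on which AllowOverride categories are permitted, as noted earlier in the thread.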
