31
wtravel
Re: Open holes and hacked

From what I read about it, basically it lets the file types added to the handler load as cgi-script and at the same time not execute them.

Instead of executing the files it shows them as plain text in the browser.

I wonder what happens if a .php3 file is added to the upload directory. Does the script look at the file type or does it try to match the extension of the file (in which case .php3 would still be executed as php file with the above line).

Has someone tested this?

32
OldFriend
Re: Open holes and hacked
  • 2007/6/14 11:36

  • OldFriend

  • Just popping in

  • Posts: 99

  • Since: 2005/10/28


Quote:
Order Deny,Allow
Deny from all

Allow from all


I have this already in the .htaccess

Should I replace this with the
Quote:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
or add it before or after the existing .htaccess?

33
Dave_L
Re: Open holes and hacked
  • 2007/6/14 11:45

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


wtravel: Thanks. Someone earlier in this thread said he tested this and it worked.

But it only applies if the server is running Apache. Also, it requires that Apache be configured to allow the use of .htaccess files (AllowOverride); not all servers are configured that way.

34
xgarb
Re: Open holes and hacked
  • 2007/6/14 19:32

  • xgarb

  • Not too shy to talk

  • Posts: 154

  • Since: 2003/3/30


my understanding is any file type in the list..

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

is assigned to CGI

and this bit

Options -ExecCGI

stops any CGI (and everything assigned) from executing.

It works for me as mentioned previously. Here's the link again for people who like reading.. http://www.askapache.com/htaccess/security-with-apache-htaccess.html#show-source-code


Dave_L,

Maybe there should be server specific versions of xoops.. ie a hardened version for Apache.. or maybe the installer could check server environment and adjust accordingly?

35
giba
Re: Open holes and hacked
  • 2007/6/24 13:11

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Complements, sugestions by Claudia.

add in folder file .htaccess

[quote]
<
Files ".(php|js)$">
        
Order deny,allow
        Deny from all
Files>
[/
quote]


This will hinder direct that it executes archives php and js, for the URL, but it does not harm the functioning of xoops, therefore they can be called by others scripts.

Therefore normally, when hackers obtains to send archives for these folders, for some breach of security, later it needs to execute for the URL.

[pt_br]
Isso impedirá que execute arquivos php e js , direto pela url, mas n?o prejudica o funcionamento do xoops, pois eles podem ser chamados por outros scripts.

Pois normalmente, quando os hackers conseguem enviar arquivos para essas pastas, por alguma brecha de seguran?a, depois ele precisam executar pela url.
[/pt_br]

Login

Who's Online

455 user(s) are online (361 user(s) are browsing Support Forums)


Members: 0


Guests: 455


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits