This is a discussion on ".htaccess prevents itself from being viewed but not "sess*" files in directory" within the Apache Web Server forums, part of the Web Server and Related Forums category.
<Directory />
Options -Indexes
</Directory>

<Files ~ "^\.ht">
order allow,deny
deny from all
</Files>

<Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
order allow,deny
deny from all
</Files>

This is designed to prevent itself, all files beginning with "sess" and the directory listing from being viewed.

Right now I get the expected 403 Forbidden if I try to view the directory listing and if I try to view .htaccess itself via browser; however, when I try to view any file beginning with "sess" it lets me view it though it's not supposed to do so.

I tried every known regular expression pattern onto "sess" and all failed to block. Is there something else I need to do to prevent "sess" files from being blocked? They are PHP session files and I don't really have any control over permission settings for these files, else I would not bother with .htaccess.

Thanx
Phil

phillip.s.powell@gmail.com wrote in news:1165360511.201238.220110@l12g2000cwl.googlegroups.com:

> <Directory />
> Options -Indexes
> </Directory>
>
> <Files ~ "^\.ht">
> order allow,deny
> deny from all
> </Files>
>
> <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> order allow,deny
> deny from all
> </Files>
>
> This is designed to prevent itself, all files beginning with "sess" and
> the directory listing from being viewed.
>
> Right now I get the expected 403 Forbidden if I try to view the
> directory listing and if I try to view .htaccess itself via browser,
> however, when I try to view any file beginning with "sess" it lets me
> view it though it's not supposed to do so.
>
> I tried every known regular expression pattern onto "sess" and all
> failed to block. Is there something else I need to do to prevent
> "sess" files from being blocked? They are PHP session files and I
> don't really have any control over permission settings for these files
> else I would not bother with .htaccess
>
> Thanx
> Phil

I would think your <files....> directives need to be inside of your <Directory> containers. Are they? Like....

<Directory />
Options -Indexes

<Files ~ "^\.ht">
order allow,deny
deny from all
</Files>

<Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
order allow,deny
deny from all
</Files>
</Directory>

<phillip.s.powell@gmail.com> wrote in message news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...

> <Directory />
> Options -Indexes
> </Directory>
>
> <Files ~ "^\.ht">
> order allow,deny
> deny from all
> </Files>

Odd you have to set this yourself, should be in httpd.conf.

> <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">

Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
See 'session.hash_bits_per_character' at http://www.php.net/manual/en/ref.session.php

> order allow,deny
> deny from all
> </Files>
> This is designed to prevent itself, all files beginning with "sess" and
> the directory listing from being viewed.

Your session.save_path in php.ini should be set _outside_ the document tree.

HansH

HansH wrote:
> <phillip.s.powell@gmail.com> wrote in message
> news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > <Directory />
> > Options -Indexes
> > </Directory>
> >
> > <Files ~ "^\.ht">
> > order allow,deny
> > deny from all
> > </Files>
> Odd you have to set this yourself, should be in httpd.conf.

That's assuming I have permissions and access to httpd.conf, which I don't :(

> > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> See 'session.hash_bits_per_character' at
> http://www.php.net/manual/en/ref.session.php

session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm using PHP 4.3.9, sorry.

I tried your pattern, but unfortunately that also failed to match and the session file was easily viewable via browser, which obviously you don't want.

> > order allow,deny
> > deny from all
> > </Files>
> > This is designed to prevent itself, all files beginning with "sess" and
> > the directory listing from being viewed.
> Your session.save_path in php.ini should be set _outside_ the document tree

That would be assuming you have the rights to do so IAPW. However, I am designing a portable web application that will be housed in a shared hosting platform which does not allow us to store sessions within session.save_path (or for that matter, have any access outside of our chroot - can you say "chroot jail"?), nor are we allowed to even change any of the default php.ini values via ini_set() either (I tried that, believe me). So that left me only with the option to store sessions within our chroot (actually in one case, within the document root only, as that's as far back as we're allowed to go), and since they're "open", I need to make sure the session file contents are not viewable.

> HansH

phillip.s.powell@gmail.com wrote:
> HansH wrote:
> > <phillip.s.powell@gmail.com> wrote in message
> > news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > > <Directory />
> > > Options -Indexes
> > > </Directory>
> > >
> > > <Files ~ "^\.ht">
> > > order allow,deny
> > > deny from all
> > > </Files>
> > Odd you have to set this yourself, should be in httpd.conf.
>
> That's assuming I have permissions and access to httpd.conf, which I
> don't :(
>
> > > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> > Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> > See 'session.hash_bits_per_character' at
> > http://www.php.net/manual/en/ref.session.php
>
> session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
> using PHP 4.3.9, sorry.
>
> I tried your pattern, but unfortunately that also failed to match and
> the session file was easily viewable via browser, which obviously you
> don't want
>
> > > order allow,deny
> > > deny from all
> > > </Files>
> > > This is designed to prevent itself, all files beginning with "sess" and
> > > the directory listing from being viewed.
> > Your session.save_path in php.ini should be set _outside_ the document tree
>
> That would be assuming you have the rights to do so IAPW. However, I
> am designing a portable web application that will be housed in a shared
> hosting platform which does not allow for us to store sessions within
> session.save_path (or for that matter, have any access outside of our
> chroot - can you say "chroot jail"?), nor are we allowed to even change
> any of the default php.ini values via ini_set() either (I tried that,
> believe me). So that left me only with the option to store sessions
> within our chroot (actually in one case, within the document root only
> as that's as far back as we're allowed to go), and since they're
> "open", I need to make sure the session file contents are not viewable.
>
> > HansH

/tmp should work even in your environment and should work in about 95% of Linux-flavored hosting. If it doesn't you might consider moving. You might also run phpinfo.php and make sure your temp is at /tmp. Session files are dangerous to have lying around anywhere; it is a major security breach.

Concreteman wrote:
> phillip.s.powell@gmail.com wrote:
> > HansH wrote:
> > > <phillip.s.powell@gmail.com> wrote in message
> > > news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > > > <Directory />
> > > > Options -Indexes
> > > > </Directory>
> > > >
> > > > <Files ~ "^\.ht">
> > > > order allow,deny
> > > > deny from all
> > > > </Files>
> > > Odd you have to set this yourself, should be in httpd.conf.
> >
> > That's assuming I have permissions and access to httpd.conf, which I
> > don't :(
> >
> > > > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> > > Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> > > See 'session.hash_bits_per_character' at
> > > http://www.php.net/manual/en/ref.session.php
> >
> > session.hash_bits_per_character is a PHP 5+ addition to php.ini; I'm
> > using PHP 4.3.9, sorry.
> >
> > I tried your pattern, but unfortunately that also failed to match and
> > the session file was easily viewable via browser, which obviously you
> > don't want
> >
> > > > order allow,deny
> > > > deny from all
> > > > </Files>
> > > > This is designed to prevent itself, all files beginning with "sess" and
> > > > the directory listing from being viewed.
> > > Your session.save_path in php.ini should be set _outside_ the document tree
> >
> > That would be assuming you have the rights to do so IAPW. However, I
> > am designing a portable web application that will be housed in a shared
> > hosting platform which does not allow for us to store sessions within
> > session.save_path (or for that matter, have any access outside of our
> > chroot - can you say "chroot jail"?), nor are we allowed to even change
> > any of the default php.ini values via ini_set() either (I tried that,
> > believe me). So that left me only with the option to store sessions
> > within our chroot (actually in one case, within the document root only
> > as that's as far back as we're allowed to go), and since they're
> > "open", I need to make sure the session file contents are not viewable.
> >
> > > HansH
>
> /tmp should work even in your environment and should work in about 95%
> of Linux-flavored hosting. If it doesn't you might consider moving. You
> might also run phpinfo.php and make sure your temp is at /tmp. Session
> files are dangerous to have lying around anywhere; it is a major
> security breach.

Would you believe we're in the 5%? It's a "chroot jail": no access of any kind is allowed outside of your chroot, not even to /tmp! I agree about leaving session files lying around, but sadly I have no choice unless the company decides to go with my suggestion of a dedicated host instead of a shared host; until then I'm expected to come up with a solution that is secure and functional within the shared host settings given to us.

"Davide Bianchi" <davideyeahsure@onlyforfun.net> wrote in message news:slrnendpah.3br.davideyeahsure@fogg.onlyforfun.net...

> On 2006-12-06, phillip.s.powell@gmail.com <phillip.s.powell@gmail.com>
> wrote:
>>> > </Files>
>>> Odd you have to set this yourself, should be in httpd.conf.
>> That's assuming I have permissions and access to httpd.conf, which I
>> don't :(
> I think that what Hans meant is "strange that you have to add this,
> since the stock httpd.conf already contains such thing".

"Find yourself a real hoster" was a bit too blunt, considering the chance OP was self-hosting...

>> That would be assuming you have the rights to do so IAPW. However, I
>> am designing a portable web application that will be housed in a shared
>> hosting platform ...

Defaults of Apache and PHP vary per version and distribution (Debian, SUSE, RedHat etc.) and are often modified per hoster. Some hosters do not allow use of .htaccess, some only allow limited use (eg without rewrites). Your application's portability CAN NOT rely on any default (declared by whom!) setting. DO NOT put your trust in .htaccess to set or adjust anything!!

>> ... which does not allow for us to store sessions within
>> session.save_path (or for that matter, have any access outside of our
>> chroot - can you say "chroot jail"?)

I'd say a hoster giving you PHP with session support SHOULD have made arrangements for such an off-site folder even in jail. Should not be more than setting 'session.save_path = /sessions' and creating that folder just inside the jail ... (Never tried though.) ISMW the jail should have its root one folder above the document root and contain /logs/ and /sessions/ too. "Find yourself a real hoster" becomes more appropriate ...

HansH

HansH wrote:
> <phillip.s.powell@gmail.com> wrote in message
> news:1165360511.201238.220110@l12g2000cwl.googlegroups.com...
> > <Directory />
> > Options -Indexes
> > </Directory>
> >
> > <Files ~ "^\.ht">
> > order allow,deny
> > deny from all
> > </Files>
> Odd you have to set this yourself, should be in httpd.conf.
>
> > <Files ~ "^sess[a-zA-Z0-9\-_\.]*$">
> Try <Files ~ "^sess[a-zA-Z0-9\-_,]*$">
> See 'session.hash_bits_per_character' at
> http://www.php.net/manual/en/ref.session.php
>
> > order allow,deny
> > deny from all
> > </Files>

What I tried doing was this, out of desperation:

<Files>
order allow,deny
deny from all
</Files>

And even then all session files were still viewable. That's when I concluded perhaps it is due to the nature of how PHP names its session files (no PHP session file has any extension, just a name), and that's perhaps why it is not even recognized, just perhaps, as a file in the first place and thus isn't filtered by the Files directive and remains viewable in spite of the directory global restriction.

Phil

> > This is designed to prevent itself, all files beginning with "sess" and
> > the directory listing from being viewed.
> Your session.save_path in php.ini should be set _outside_ the document tree
>
> HansH

<phillip.s.powell@gmail.com> wrote in message news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...

> What I tried doing was this, out of desperation:
>
> <Files>
> order allow,deny
> deny from all
> </Files>

What files are to be denied without specifying a filename??
Test for me <Files ~ ".">

> And even then all session files were still viewable. That's when I
> concluded perhaps it is due to the nature of how PHP names its session
> files (no PHP session file has any extension, just a name),

Thinking name-dot-extension ... is a Microsoft doctrine.

BTW your sess* files are at the document_root ...??? If not, try

<Location /<folder>/>
order allow,deny
deny from all
</Location>

HansH

HansH wrote:
> <phillip.s.powell@gmail.com> wrote in message
> news:1165529250.835286.151950@l12g2000cwl.googlegroups.com...
> > What I tried doing was this, out of desperation:
> >
> > <Files>
> > order allow,deny
> > deny from all
> > </Files>
> What files are to be denied without specifying a filename??
> Test for me
> <Files ~ ".">

Sorry, I tried that and the session files are still viewable via browser:

<Files ~ ".">
order allow,deny
deny from all
</Files>

> > And even then all session files were still viewable. That's when I
> > concluded perhaps it is due to the nature of how PHP names its session
> > files (no PHP session file has any extension, just a name),
> Thinking name-dot-extension ... is a Microsoft doctrine.
>
> BTW your sess* files are at the document_root ...???
> If not, try
> <Location /<folder>/>
> order allow,deny
> deny from all

Sorry, that also failed; the session files are easily viewable via browser :(

<Location /path/to/session/files>
order allow,deny
deny from all
</Location>

> HansH
> </Location>
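The thread never reaches a working rule, so here is the .htaccess a defender would put in the directory that holds the session files. This is an editor's added example, not anything posted above. It assumes PHP's files save handler names each session file sess_<id> (the 32-character hexadecimal ids of PHP 4 and the shorter [0-9a-v,-] ids that session.hash_bits_per_character produces on PHP 5 all start that way, so anchoring on the sess_ prefix covers both), and it uses <IfModule> so the same file works on Apache 2.2 (Order/Deny) and Apache 2.4 (Require). The session.save_path value is a placeholder. Note that the <Directory> container the thread keeps wrapping things in is only valid in httpd.conf or a virtual host, never in .htaccess, so none appears here: an .htaccess already applies to its own directory and everything below it.

```apache
# .htaccess for the directory where PHP writes its session files.
# Added example, not from the thread above.

# Switch off directory listings. Needs AllowOverride Options (or All).
Options -Indexes

# Deny the session files and the .htaccess itself. <FilesMatch> compares
# the regex against the file's basename, so "^sess_" matches every id
# format PHP generates for the files handler.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    <FilesMatch "^(sess_|\.ht)">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 (the syntax used in the thread). Needs AllowOverride Limit.
    <FilesMatch "^(sess_|\.ht)">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>

# Better still, where the host honours php_value in .htaccess: keep the
# session files out of the document tree altogether. The path is a
# placeholder; it must exist, be writable by the web server user, and be
# reachable from inside the chroot. Use mod_php5.c / mod_php7.c for
# later PHP versions.
<IfModule mod_php4.c>
    php_value session.save_path "/PLACEHOLDER/inside-the-jail/sessions"
</IfModule>
```

To check the rule after deploying, request one of the session files and the bare directory URL with a browser or curl -I; both should answer 403 Forbidden. If a session file still answers 200, the regexes posted in the thread are not the cause (every one of them matches a sess_ name); the usual reasons are that the .htaccess is not in, or above, the directory PHP actually writes to (phpinfo() shows the effective session.save_path), or that the host's AllowOverride excludes Limit or Options, in which case the file is either ignored or produces a 500 error in the error log.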