Re: Doubt about disabling access to PHP files

Leandro Silva wrote:
Hi,

In the company where I work, we have a Windows server with Apache/PHP
installed with a shared folder in our network. The workers of the company can put
any file in this folder to be visible on the internet through the HTTP
protocol. We are having a problem because they can put PHP files in this
folder and these files are executed by the CGI/PHP.

I cannot uninstall PHP because I have other files at specific URLs
which have to be executed by the CGI/PHP.

Does anyone know how to deny access to PHP pages in only one folder?

We have a Windows Server 2003 with Apache/2.0.63 and PHP 5.1.4.

Hi.
I am not a PHP specialist, and probably nobody here is because this is an Apache forum, not a PHP one. This is just to tell you that you may receive better information on a PHP-specific forum, not here.
This may be a better place : http://www.php.net/support.php

But I will try.

By default, Apache does not "execute" PHP files, nor tell some PHP run-time to execute them. The standard Apache installation does not even contain a PHP interpreter.

So, someone added a PHP module to Apache, and also added some specific PHP configuration instructions in your Apache configuration file. That was done after the initial Apache installation, because (see previous paragraph).

Probably, these PHP-specific instructions in httpd.conf (or Apache.conf), look something like
<Files *.php>
  .. run them with PHP
</Files>

That means that whenever, anywhere, Apache will find a file ending in .php, it will ask the PHP module to run it.
That is the culprit.

You can change that in two ways :

1) remove the above, and replace it by separate instructions that tell Apache specifically in which directories it is OK to run .php files with the PHP module. (And do /not/ configure your network drop-down directory that way). Then, when Apache does find a .php file in any directory that is not specifically configured that way, it will just treat it as a text file, and send it "as is".

OR

2) for your network directory, specifically forbid files ending in .php from being served at all by Apache. That would be, I think, something like
<Directory xxxx>
  <Files *.php>
    Order Allow,Deny
    Deny from all
  </Files>
</Directory>

That would have the effect that whenever someone tries to request a .php file from that specific directory via a URL, they will get an Apache 404 Error (Forbidden).

I would recommend (1) over (2), because with (2) it is still possible for someone to put a .php file somewhere else that you are not thinking of right now, and have it executed.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
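
One way to combine options (1) and (2) from the reply above for Apache 2.0.x, as an added example that is not part of the original message. It assumes PHP is wired in as CGI through `Action`/`AddType`; the paths `C:/php`, `C:/www/app` and `C:/www/shared` are placeholders.

```apache
# Added example for Apache 2.0.x with PHP run as CGI on Windows.
# Assumed placeholder paths: C:/php, C:/www/app, C:/www/shared.

# Server scope: define how PHP is invoked, but map no extension to it here.
ScriptAlias /php/ "C:/php/"
Action application/x-httpd-php "/php/php-cgi.exe"
# Weak form to take out of server scope (it applies to every directory):
#   AddType application/x-httpd-php .php

# Option (1): map .php to PHP only where the application lives.
<Directory "C:/www/app">
    AddType application/x-httpd-php .php
    AllowOverride None
    Order Allow,Deny
    Allow from all
</Directory>

# Shared drop folder: staff can write any file here, including .htaccess.
<Directory "C:/www/shared">
    # Ignore .htaccess so an uploaded one cannot re-add the PHP mapping.
    AllowOverride None
    Options -ExecCGI
    # Undo any inherited mapping for the .php extension (mod_mime).
    RemoveType .php
    RemoveHandler .php
    # Option (2) on top: refuse the files instead of sending their source.
    <FilesMatch "\.[Pp][Hh][Pp]$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>
</Directory>
```

To check the result, place a harmless test .php file in the shared folder and in a directory outside both blocks, then confirm that neither request runs it.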

