
"Browsing" All Directory's

PostPosted: 10. October 2003 12:36
by DeepSpace
Hi.. I have installed XAMPP successfully in Win2K but I have some security problems.
I had resolved the "problem" of the MySQL pass, that many ppl had spoken about on this forum, by modifying the phpMyAdmin conf. file as was told. That part of security is now resolved.

But I have one more question: how can I prevent web users from browsing other dirs like /xampp, /images, /fonts etc., except /Restricted (it has mod_auth_mysql.conf ON)? Can't that be configured so only local server users can browse those folders?

That's how clearly I can describe this :? , and sorry for the bad English :wink:

PostPosted: 10. October 2003 12:49
by Apache-User
hi deepspace

search your httpd.conf for
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "C:/xampp/htdocs">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI Multiviews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks MultiViews Includes ExecCGI

remove Indexes from the last line... if you configure more Directories you can prevent the indexing by just leaving it out under Options. Hope that helps you a little

greetz

answer to the second part of your message

PostPosted: 16. October 2003 18:22
by MAGnUm
To configure access to a folder so only local users can view it is possible: in the definition of a mapped directory you can allow access to a certain IP address range (subnet) all the way down to a single IP. If you are running an internal network like 10.10.255.255 or 192.168.1.255 and are behind a router/firewall this will pose no problem.

so here is the general idea:

<Directory /any_dir>

Order Deny,Allow
Deny from all
Allow from 192.168.1.*

</Directory>

That would go in your httpd.conf file.

Re: "Browsing" All Directory's

PostPosted: 01. October 2009 19:58
by dreniarb
Sorry to resurrect an old post, but I'm having the same problem as the original poster and the suggested changes to the httpd.conf file are not helping.

Basically this little PHP code right here:

<?php
// Read the Apache config file and dump it to the browser
$fn = "c:/xampp/apache/conf/httpd.conf";
print htmlspecialchars(implode("", file($fn)));
?>


Allows anyone to read and write to this file. In fact, you can replace c:/xampp with c:/windows or c:/documents and settings, etc. etc. and browse and write to any of those files.

Perhaps this is a PHP issue, not an Apache issue. I just wanted to check in and see if someone could shed some light on this and help me lock down my server before I start allowing people to upload code.

Thanks!

Re: "Browsing" All Directory's

PostPosted: 02. October 2009 15:02
by dreniarb
Well, after more research, it seems this is mostly a PHP issue. I've used the open_basedir command to limit scripts to running just inside the htdocs folder. This at least protects my system files, but it doesn't prevent users from browsing each other's directories.

If anyone has any suggestions on preventing that from happening with PHP, and of course Perl or any other server-side scripting, it'd be much appreciated.

Re: "Browsing" All Directory's

PostPosted: 02. October 2009 17:53
by Gadrin
Well the Apache Bible I have says:

Disabling default access
A good security model dictates that no default access exists, so get into the habit
of permitting no access at first. Permit specific access only to specific directories.
To implement no default access, use the following configuration segment in
httpd.conf:

<Directory />
Order deny,allow
Deny from all
</Directory>

This disables all access first. Now, if you need to enable access to a particular
directory, use the <Directory . . .> container again to open that directory.
For example, if you want to permit access to /www/htdocs, add the following
configuration:

<Directory "/www/htdocs">
Order deny,allow
Allow from all
</Directory>

This method—opening only what you need—is a preventive security measure
and is highly recommended. Also, do not allow users to change any directory-wide
configuration options using per-directory configuration file (.htaccess) in
directories that are open for access.


Is that what you mean? Sorry, I'm just starting out with Apache.


Re: "Browsing" All Directory's

PostPosted: 02. October 2009 18:38
by dreniarb
That's for standard HTML. But since PHP is typically run with the local_system account it has full access to the server and all its folders.

But with the open_basedir setting, you can restrict script access to certain folders.

There's actually quite a bit of information out there on this, with people running into the same scenarios when running a shared server: "How do I prevent my users from seeing each other's data?" It's just hard to get the right search terms in. :)

Probably for me the two biggest things I've discovered are that

1. You can set the open_basedir for each VirtualHost in the httpd.conf file like so:

<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/intranet"
    ServerName intranet.marion.com
    ServerAlias intranet
    ErrorLog "logs/intranet.log"
    CustomLog "logs/intranet.log" combined
    php_admin_value open_basedir "c:\xampp\htdocs\intranet;c:\xampp\htdocs\phpmyadmin;c:\xampp\php"
</VirtualHost>


I had to grant access to the phpmyadmin folder and the php folders for phpmyadmin to work...

and

2. Disabling some dangerous functions in the php.ini file:

disable_functions = "diskfreespace, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"


Diskfreespace() might not be that big a deal, but I felt it was. :)

I hope there are others out there that can find this helpful.
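An added example, not code from any post in this thread: a PHP script that (a) reports the open_basedir and disable_functions values a virtual host is actually enforcing and whether the httpd.conf read shown earlier in the thread is now blocked, and (b) implements the same "does this path stay inside the permitted directories?" test that open_basedir performs, so an upload or include path can be checked before use. The base directories are the ones from dreniarb's intranet vhost; the user-supplied path at the end is a constructed value.

```php
<?php
// Added example (not from the thread). Assumes dreniarb's vhost layout:
// c:\xampp\htdocs\intranet, c:\xampp\htdocs\phpmyadmin, c:\xampp\php

// True only if $path resolves to a location inside one of $bases.
// realpath() collapses ".." so "intranet/../../apache" is judged by its real target,
// and the trailing "/" stops "intranet2" from matching a base of "intranet".
function withinBasedir(string $path, array $bases): bool
{
    $real = realpath($path);
    if ($real === false) {
        return false;                     // non-existent (or already blocked): deny
    }
    $real = rtrim(str_replace('\\', '/', $real), '/') . '/';
    foreach ($bases as $base) {
        $b = realpath($base);
        if ($b === false) {
            continue;
        }
        $b = rtrim(str_replace('\\', '/', $b), '/') . '/';
        // case-insensitive because Windows paths are; use strncmp on a Unix host
        if (strncasecmp($real, $b, strlen($b)) === 0) {
            return true;
        }
    }
    return false;
}

// What PHP is enforcing for this vhost, and whether the httpd.conf read is blocked.
// Under open_basedir, file() emits a warning and returns false for paths outside it.
function hardeningReport(): array
{
    $target  = 'c:/xampp/apache/conf/httpd.conf';
    $blocked = @file($target) === false;
    return [
        'open_basedir'       => ini_get('open_basedir') ?: '(not set: scripts can read any file)',
        'disable_functions'  => ini_get('disable_functions') ?: '(none disabled)',
        'httpd.conf blocked' => $blocked ? 'yes' : 'NO',
    ];
}

$bases = ['c:/xampp/htdocs/intranet', 'c:/xampp/htdocs/phpmyadmin', 'c:/xampp/php'];
foreach (hardeningReport() as $k => $v) {
    echo htmlspecialchars("$k: $v"), "<br>\n";
}
// Constructed user-supplied path that tries to walk out of the intranet folder
$userPath = 'c:/xampp/htdocs/intranet/../../../apache/conf/httpd.conf';
echo withinBasedir($userPath, $bases) ? 'allowed' : 'denied', "<br>\n";
```

Drop it into the intranet DocumentRoot and request it once with and once without the php_admin_value line to confirm the vhost setting takes effect.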

Re: "Browsing" All Directory's

PostPosted: 02. October 2009 20:42
by Gadrin
Okay, I thought you meant your users were simply chopping off the paths and creating new ones based on their own folder logic so they can peek in others'. I had thought that when you do that (say http://localhost/test/joeblow) and enter it, the browser requests that directory, Apache looks for an index.html/.htm in that folder, can't find one, and then is either overridden by the rules you establish or gives them the directory list.

But, like I said I'm pretty new to the web.

I did save your Explode trick though 8)
