Secure directory and php

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Postby JonNielsen » 25. November 2008 18:04

Hello guys,

I got a website, where users can upload their files. - Not a problem.

But once user1 uploads afile.jpg, a "hacker" can simply type: www.mysite.com/user1/afile.jpg - and access the file.

So, what's the simple solution here?

I'm not sure I'm posting in the right place, but since I'm running it on an Apache server (XAMPP), I thought you could help me.

If anyone has any simple solutions, I give ya über props.
JonNielsen
 
Posts: 19
Joined: 13. November 2008 06:09

Postby glitzi85 » 25. November 2008 18:53

Simple Solution? Put a .htaccess file inside this folder and switch on password authentication: http://httpd.apache.org/docs/2.2/howto/htaccess.html

glitzi
glitzi85
 
Posts: 1920
Joined: 05. March 2004 23:26
Location: Dahoim

Postby JonNielsen » 25. November 2008 18:57

Hey glitzi85 :)

Thanks for reply.

I've already read the "howto" you posted, but can't seem to find the right solution.

I've created a test directory and thrown in an .htaccess, but it ain't locked up.

And now I probably broke it, since my /forbidden-directory stopped being private :D
JonNielsen
 
Posts: 19
Joined: 13. November 2008 06:09

Postby glitzi85 » 25. November 2008 19:23

OK, please tell us exactly what file you created (and how!), what you put inside and where exactly you put it. Where is your forbidden directory located?

How is your Apache configured? Did you make any changes to the original httpd.conf or another configuration file of the Apache?

glitzi
glitzi85
 
Posts: 1920
Joined: 05. March 2004 23:26
Location: Dahoim

Postby JonNielsen » 25. November 2008 19:28

glitzi85 wrote:OK, please tell us exactly what file you created (and how!), what you put inside and where exactly you put it. Where is your forbidden directory located?

How is your Apache configured? Did you make any changes to the original httpd.conf or another configuration file of the Apache?

glitzi


I've been playing around with the httpd.conf - there might be something changed in there now ;).

Apart from that, it's a fresh XAMPP install - runs perfectly.

My forbidden directory is called:
C:\xampp\htdocs\forbidden

And inside there were 3 files:
.htaccess
AuthType Basic
AuthName "FORBIDDEN AREA"
AuthUserfile "../htdocs/forbidden/.htpasswd"
Require valid-user

.htpasswd
user:pass

and 1.txt (test file to see if it's auth-dir)
"asd"
JonNielsen
 
Posts: 19
Joined: 13. November 2008 06:09

Postby glitzi85 » 25. November 2008 20:01

The AuthUserfile is not correct. It has to be the absolute server path. I am not sure if relative paths are allowed, so you can try both.

Absolute: AuthUserfile "/xampp/htdocs/forbidden/.htpasswd"
Relative: AuthUserfile "./.htpasswd"

glitzi
glitzi85
 
Posts: 1920
Joined: 05. March 2004 23:26
Location: Dahoim

Postby JonNielsen » 25. November 2008 20:05

glitzi85 wrote:The AuthUserfile is not correct. It has to be the absolute server path. I am not sure if relative paths are allowed, so you can try both.

Absolute: AuthUserfile "/xampp/htdocs/forbidden/.htpasswd"
Relative: AuthUserfile "./.htpasswd"

glitzi


Tried both.
Didn't work.

I have no idea why. Even rebooted Apache.

Might have something to do with the httpd.conf file?
JonNielsen
 
Posts: 19
Joined: 13. November 2008 06:09

Postby glitzi85 » 25. November 2008 20:24

JonNielsen wrote:Tried both.
Didn't work.

What do you mean by "didn't work"? Did you get an error message?

Open httpd.conf and look for this area:

Code:
<Directory "C:/xampp/htdocs">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    Options -Indexes FollowSymLinks Includes ExecCGI
   
    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all

</Directory>


Inside this block it may look different on your computer. The important thing is the AllowOverride directive. Change it to AllowOverride All, then restart your Apache.

Don't forget to clear your browser cache, otherwise the .htaccess may not work.

glitzi
glitzi85
 
Posts: 1920
Joined: 05. March 2004 23:26
Location: Dahoim
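glitzi85 makes two points in the posts above: the AuthUserFile value must be an absolute server path, and the <Directory> block in httpd.conf must carry AllowOverride All (or at least AuthConfig) before any .htaccess auth directive takes effect. Sharley adds below that on Windows the drive letter belongs in that path. The following Python checker is an added example, not code from the thread, from Apache or from XAMPP. It parses an .htaccess Basic-auth block and reports a relative AuthUserFile, a Windows path without a drive letter, a password file kept under the document root (which then stays private only because the default httpd.conf denies access to .ht* files with a FilesMatch rule), and a Require placed inside a <Limit GET POST> section, which protects only those two methods. It also reads the httpd.conf <Directory> block and says whether its AllowOverride admits .htaccess auth. The samples are constructed from the files posted in this thread; the C:/xampp/passwords location in the clean variant is this example's own assumption.

```python
"""Checks for the .htaccess pitfalls raised in this thread. Added example, not code
from the thread, Apache or XAMPP; samples are constructed from the posted files."""
from pathlib import PurePosixPath, PureWindowsPath

FIRST_ATTEMPT = """\
AuthType Basic
AuthName "FORBIDDEN AREA"
AuthUserfile "../htdocs/forbidden/.htpasswd"
Require valid-user
"""
# Absolute on Unix, but on Windows a path without a drive letter is not absolute.
NO_DRIVE_LETTER = FIRST_ATTEMPT.replace('../htdocs', '/xampp/htdocs')
# The online generator's output as posted (doubled backslashes and all).
GENERATED = r"""AuthUserFile C:\\xampp\\htdocs\\forbidden/.htpasswd
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic

<limit GET POST>
require valid-user
</limit>
"""
# Clean variant; the C:/xampp/passwords location is this example's assumption.
CLEAN = """\
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile "C:/xampp/passwords/.htpasswd"
Require valid-user
"""
# Condensed form of the httpd.conf block glitzi85 quotes, with .htaccess disabled.
HTTPD_DIRECTORY = """\
<Directory "C:/xampp/htdocs">
    Options -Indexes FollowSymLinks Includes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""


def parse_directives(text):
    """Yield (name, value) per directive: name lower-cased, a fully quoted value
    unquoted; section tags come back as names such as '<limit' and '</limit>'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ''
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        yield parts[0].lower(), value


def lint_htaccess(text, windows=True, docroot=None):
    """Return (code, message) findings for a Basic-auth .htaccess; [] means clean."""
    findings, seen, in_limit = [], {}, False
    for name, value in parse_directives(text):
        if name.startswith('<limit'):
            in_limit = True
        elif name == '</limit>':
            in_limit = False
        elif name == 'require' and in_limit:
            findings.append(('require-in-limit', 'Require inside <Limit> protects only '
                             'the listed methods; place it outside the section'))
        seen.setdefault(name, value)
    for needed in ('authtype', 'authname', 'authuserfile', 'require'):
        if needed not in seen:
            findings.append(('missing-directive', f'{needed} is not set'))
    if 'authuserfile' in seen:
        path_cls = PureWindowsPath if windows else PurePosixPath
        path = path_cls(seen['authuserfile'])
        if windows and path.root and not path.drive:
            findings.append(('no-drive-letter', f'{path}: on Windows the drive letter is needed'))
        elif not path.is_absolute():
            findings.append(('relative-path', f'{path}: AuthUserFile must be an absolute path'))
        elif docroot is not None:
            root = path_cls(docroot)
            if [p.lower() for p in path.parts[:len(root.parts)]] == [p.lower() for p in root.parts]:
                findings.append(('in-docroot', f'{path} is under {docroot}; it stays private '
                                 'only while httpd.conf keeps denying access to .ht* files'))
    return findings


def htaccess_auth_allowed(httpd_text, directory='C:/xampp/htdocs'):
    """True if the <Directory> block for `directory` has AllowOverride All or a list
    containing AuthConfig, so auth directives in .htaccess are honoured."""
    inside = False
    for name, value in parse_directives(httpd_text):
        if name == '<directory':
            inside = value.strip('">').rstrip('/').lower() == directory.rstrip('/').lower()
        elif name == '</directory>':
            inside = False
        elif inside and name == 'allowoverride':
            words = value.lower().split()
            return 'all' in words or 'authconfig' in words
    return False


if __name__ == '__main__':
    for label, sample in (('first', FIRST_ATTEMPT), ('generated', GENERATED), ('clean', CLEAN)):
        print(label, lint_htaccess(sample, docroot='C:/xampp/htdocs'))
    print('htaccess auth allowed:', htaccess_auth_allowed(HTTPD_DIRECTORY))
```

Run against the poster's first file the checker reports only the relative path; against the generator's output it reports the Require inside <limit> and the password file under htdocs; the clean variant passes. Only the AllowOverride line is examined in httpd.conf, so a later Directory or Location block that overrides it is out of scope for this check.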

Postby JonNielsen » 25. November 2008 20:28

Okay, I did as you told.

With this line:
AuthUserfile "/xampp/htdocs/forbidden/.htpasswd"

... I get nothing, the dir is still open, no pass/user needed.

With:
AuthUserfile "./.htpasswd"

... I get a server 500 error.
JonNielsen
 
Posts: 19
Joined: 13. November 2008 06:09

Postby Sharley » 25. November 2008 20:32

Did you generate a .htpasswd file or did you just add a user/pass combination?

Here are a couple of ways to generate a .htpasswd file:

Open a command console in C:\xampp\apache\bin
At the command prompt type htpasswd.exe
Follow the instructions, especially the part about Windows and the -m switch.


Easier, if you like, is to use an online generator, and here is but one of many:
http://www.webmaster-toolkit.com/htacce ... ator.shtml

When you have a valid .htpasswd file, just replace your own and follow the paths Glitzi outlined - but I did read that a full path including the drive letter should be used.
C:/xampp/htdocs/forbidden/.htpasswd
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia
Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
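Sharley's point is that the .htpasswd file should contain a hash produced by htpasswd.exe (the -m switch selects the MD5-based $apr1$ format) rather than a hand-typed user:pass line; Apache accepts plain-text password fields only on Windows and Netware, so such a file also stops working when the site moves to a Unix host. The following Python is an added example, not code from the thread or from Apache: it reimplements the $apr1$ algorithm of Apache's apr_md5_encode so an entry can be generated and checked without htpasswd.exe, and it lists the users whose field is plain text. The names make_entry, verify and plaintext_users are this example's own. Where the installed htpasswd is recent enough to offer -B (bcrypt, available since Apache 2.4.4), that is the stronger format; MD5 is shown here because it is what the tools in this thread produce.

```python
"""APR1-MD5 ($apr1$) htpasswd entries: generate, verify, and spot plain-text lines.
Added example reimplementing Apache's apr_md5_encode; not code from the thread."""
import hashlib
import hmac
import secrets

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
MAGIC = b'$apr1$'


def _to64(value, count):
    """crypt-style to64: `count` 6-bit groups of `value`, least significant first."""
    out = ''
    for _ in range(count):
        out += ITOA64[value & 0x3f]
        value >>= 6
    return out


def apr1_md5(password, salt):
    """Return '$apr1$<salt>$<hash>' for `password` and an up-to-8-character salt."""
    pw = password.encode('utf-8')
    salt = salt[:8].encode('ascii')
    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                       # feed in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                           # md5crypt's bit walk over the password length
        ctx.update(b'\0' if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # 1000 stretching rounds in the order the C code uses
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = ''                       # the digest bytes are re-ordered before base64-like encoding
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return MAGIC.decode() + salt.decode() + '$' + encoded


def make_entry(user, password):
    """One htpasswd line, 'user:$apr1$...', with a fresh random 8-character salt."""
    salt = ''.join(secrets.choice(ITOA64) for _ in range(8))
    return f'{user}:{apr1_md5(password, salt)}'


def verify(password, entry):
    """True if `password` matches the $apr1$ hash in an htpasswd line."""
    _, _, stored = entry.partition(':')
    if not stored.startswith('$apr1$'):
        return False
    salt = stored.split('$')[2]
    return hmac.compare_digest(apr1_md5(password, salt), stored)


def is_hashed(stored):
    """Does a password field carry one of the htpasswd hash formats?"""
    return stored.startswith(('$apr1$', '{SHA}', '$2y$', '$2a$', '$2b$'))


def plaintext_users(htpasswd_text):
    """Users whose password field is plain text, as in the 'user:pass' line posted above."""
    users = []
    for line in htpasswd_text.splitlines():
        if ':' in line:
            user, _, stored = line.partition(':')
            if not is_hashed(stored):
                users.append(user)
    return users


if __name__ == '__main__':
    entry = make_entry('user1', 'correct horse')
    print(entry)
    print('verify right password:', verify('correct horse', entry))
    print('verify wrong password:', verify('wrong', entry))
    print('plain-text users:', plaintext_users('user:pass\n' + entry))   # constructed file
```

The salt is drawn from the same 64-character alphabet htpasswd uses, and the comparison in verify is constant-time. A line written by this code can be dropped into .htpasswd as-is, and a line written by htpasswd -m verifies with the same function.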

Postby JonNielsen » 25. November 2008 20:36

Sharley wrote:Did you generate a .htpasswd file or did you just add a user/pass combination?

Here are a couple of ways to generate a .htpasswd file:

Open a command console in C:\xampp\apache\bin
At the command prompt type htpasswd.exe
Follow the instructions, especially the part about Windows and the -m switch.


Easier, if you like, is to use an online generator, and here is but one of many:
http://www.webmaster-toolkit.com/htacce ... ator.shtml

When you have a valid .htpasswd file, just replace your own and follow the paths Glitzi outlined - but I did read that a full path including the drive letter should be used.
C:/xampp/htdocs/forbidden/.htpasswd


I tried the online generator, and it worked. Weird.

Thanks tho, to both of ya. I'll try playing around with it :). Thanks a lot for all the help, glitzi85.

If anyone is interested it generated this:

.htaccess
AuthUserFile C:\\xampp\\htdocs\\forbidden/.htpasswd
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic

<limit GET POST>
require valid-user
</limit>
JonNielsen
 
Posts: 19
Joined: 13. November 2008 06:09

Postby glitzi85 » 25. November 2008 20:40

Yes, that's really weird. Just recognized that this folder exists by default from XAMPP, also the included files. Here it works without any problems...

I'm glad that it is working now for you.

glitzi
glitzi85
 
Posts: 1920
Joined: 05. March 2004 23:26
Location: Dahoim
