"Browsing" All Directory's

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Postby DeepSpace » 10. October 2003 12:36

Hi. I have installed XAMPP successfully on Win2K, but I have some security problems.
I had resolved the "problem" of the MySQL password, which many people have spoken about on this forum, by modifying the phpMyAdmin config file as I was told. That part of security is now resolved.

But I have one more question: how can I prevent web users from browsing other dirs like /xampp, /images, /fonts etc., except /Restricted (it has mod_auth_mysql.conf ON)? Can't that be configured so that only local server users can browse those folders?

That's as clearly as I can describe this :?, and sorry for the bad English :wink:
DeepSpace
 

Postby Apache-User » 10. October 2003 12:49

hi deepspace

search your httpd.conf for
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "C:/xampp/htdocs">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI Multiviews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks MultiViews Includes ExecCGI

remove Indexes in the last line... if you configure more Directories you can prevent the indexing by just leaving it out under Options. Hope that helps you a little

greetz
mfg
D.A.U.™
Apache-User
 
Posts: 594
Joined: 30. December 2002 16:50
Location: anonym

answer to the second part of your message

Postby MAGnUm » 16. October 2003 18:22

Configuring access to a folder so only local users can view it is possible: in the definition of a mapped directory you can allow access to a certain IP address range (subnet), all the way down to a single IP. If you are running an internal network like 10.10.255.255 or 192.168.1.255 and are behind a router/firewall this will pose no problem.

so here is the general idea:

<Directory /any_dir>

Order Deny,Allow
Deny from all
# Allow takes a full IP, a partial IP (e.g. 192.168.1) or a CIDR range; "*" wildcards are not accepted
Allow from 192.168.1.0/24

</Directory>

that would go in your httpd.conf file.
~~:M A G n U m:~~
(Disclaimer: if any of this info is confusing or vague, tough, it's free!!)
MAGnUm
 
Posts: 151
Joined: 16. October 2003 18:08
Location: USA

Re: "Browsing" All Directory's

Postby dreniarb » 01. October 2009 19:58

Sorry to resurrect an old post, but I'm having the same problem as the original poster and the suggested changes to the httpd.conf file are not helping.

Basically, this little PHP code right here:

<?php
// read a file outside the web root and dump it into the page
$fn = "c:/xampp/apache/conf/httpd.conf";
print htmlspecialchars(implode("", file($fn)));
?>


Allows anyone to read and write to this file. In fact, you can replace c:/xampp with c:/windows or c:/documents and settings, etc., and browse and write to any of those files.

Perhaps this is a PHP issue, not an Apache issue. I just wanted to check in and see if someone could shed some light on this and help me lock down my server before I start allowing people to upload code.

Thanks!
dreniarb
 
Posts: 3
Joined: 01. October 2009 19:43

Re: "Browsing" All Directory's

Postby dreniarb » 02. October 2009 15:02

Well, after more research, it seems this is mostly a PHP issue. I've used the open_basedir command to limit scripts to running just inside the htdocs folder. This at least protects my system files, but it doesn't prevent users from browsing each other's directories.

If anyone has any suggestions on preventing that from happening with PHP, and of course Perl or any other server-side scripting, it'd be much appreciated.
dreniarb
 
Posts: 3
Joined: 01. October 2009 19:43

Re: "Browsing" All Directory's

Postby Gadrin » 02. October 2009 17:53

Well the Apache Bible I have says:

Disabling default access
A good security model dictates that no default access exists, so get into the habit
of permitting no access at first. Permit specific access only to specific directories.
To implement no default access, use the following configuration segment in
httpd.conf:

<Directory />
Order deny,allow
Deny from all
</Directory>

This disables all access first. Now, if you need to enable access to a particular
directory, use the <Directory . . .> container again to open that directory.
For example, if you want to permit access to /www/htdocs, add the following
configuration:

<Directory "/www/htdocs">
Order deny,allow
Allow from all
</Directory>

This method—opening only what you need—is a preventive security measure
and is highly recommended. Also, do not allow users to change any directory-wide
configuration options using per-directory configuration file (.htaccess) in
directories that are open for access.


Is that what you mean? Sorry, I'm just starting out with Apache.
Gadrin
 
Posts: 27
Joined: 08. April 2009 23:43

Re: "Browsing" All Directory's

Postby dreniarb » 02. October 2009 18:38

That's for standard HTML. But since PHP is typically run with the local_system account, it has full access to the server and all its folders.

But with the open_basedir setting, you can restrict script access to certain folders.

There's actually quite a bit of information out there on this, with people running into the same scenarios when running a shared server: "How do I prevent my users from seeing each other's data?" It's just hard to get the right search terms in. :)

Probably for me the two biggest things I've discovered are that

1. you can set the open_basedir for each VirtualHost in the httpd.conf file like so:

<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/intranet"
    ServerName intranet.marion.com
    ServerAlias intranet
    ErrorLog "logs/intranet.log"
    CustomLog "logs/intranet.log" combined
    php_admin_value open_basedir "c:\xampp\htdocs\intranet;c:\xampp\htdocs\phpmyadmin;c:\xampp\php"
</VirtualHost>


I had to grant access to the phpmyadmin folder and the php folders for phpmyadmin to work...

and

2. disabling some dangerous functions in the php.ini file:

disable_functions = "diskfreespace, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"


Diskfreespace() might not be that big a deal, but I felt it was. :)

I hope there are others out there that can find this helpful.
dreniarb
 
Posts: 3
Joined: 01. October 2009 19:43
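Apache-User's advice above (drop Indexes from Options) and dreniarb's per-VirtualHost open_basedir can both be checked mechanically before restarting Apache. The script below is an added example, not code from the thread or from XAMPP: it audits a constructed httpd.conf excerpt (the sample text, block names and paths are assumptions) and reports Directory containers that still enable listings and VirtualHosts that carry no open_basedir.

```python
import re

# Constructed sample httpd.conf excerpt (not a real server's file) combining the
# directives the thread discusses: a Directory that still allows listings,
# a hardened one, a vhost with a per-vhost open_basedir and one without.
SAMPLE_CONF = """\
<Directory "C:/xampp/htdocs">
    Options Indexes FollowSymLinks MultiViews Includes ExecCGI
</Directory>
<Directory "C:/xampp/htdocs/restricted">
    Options FollowSymLinks
</Directory>
<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/intranet"
    php_admin_value open_basedir "c:\\xampp\\htdocs\\intranet;c:\\xampp\\php"
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/public"
</VirtualHost>
"""

# Top-level <Directory> / <VirtualHost> containers (nesting is not tracked).
BLOCK_RE = re.compile(r'<(Directory|VirtualHost)\s+([^>]+)>(.*?)</\1>', re.S)

def listings_enabled(options_args):
    """True if an Options line turns directory listings on: 'Indexes' and
    '+Indexes' enable them, 'All' implies them, '-Indexes' and 'None' do not."""
    return any(o.lstrip('+').lower() in ('indexes', 'all') for o in options_args)

def audit_httpd_conf(text):
    """Return (finding, path) tuples: Directory blocks whose Options still
    include Indexes, and VirtualHosts with no php_admin_value open_basedir."""
    findings = []
    for kind, arg, body in BLOCK_RE.findall(text):
        arg = arg.strip().strip('"')
        if kind == 'Directory':
            for m in re.finditer(r'^\s*Options\s+(.*)$', body, re.M | re.I):
                if listings_enabled(m.group(1).split()):
                    findings.append(('indexes_enabled', arg))
        elif not re.search(r'php_admin_value\s+open_basedir', body, re.I):
            root = re.search(r'DocumentRoot\s+"?([^"\n]+)"?', body, re.I)
            findings.append(('no_open_basedir', root.group(1).strip() if root else arg))
    return findings

if __name__ == '__main__':
    for finding, path in audit_httpd_conf(SAMPLE_CONF):
        print(f'{finding}: {path}')
```

A directory can still get listings re-enabled by an .htaccess file if AllowOverride permits Options there, so pair this check with AllowOverride None on the directories you lock down.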

Re: "Browsing" All Directory's

Postby Gadrin » 02. October 2009 20:42

Okay, I thought you meant your users were simply chopping off the paths and creating new ones, based off their own folder logic so they can peek in others. I had thought when you do that (say like http://localhost/test/joeblow) and enter that, the browser requests that directory, Apache looks for an index.html/.htm in that folder, can't find one, and then is either overridden by the rules you establish or gives them the directory list.

But, like I said I'm pretty new to the web.

I did save your Explode trick though 8)

Gadrin
 
Posts: 27
Joined: 08. April 2009 23:43

