Ravens PHP Scripts: Forums - Security - PHP Nuke
Gremmie
Posted: Tue Jun 06, 2006 5:51 pm

I used Sentinel to setup CGIAuth, following the instructions found in another thread here. It seems to be working. My question is: Do you just leave the permissions on .htaccess and .staccess at 0777?

Thanks.
gregexp
Posted: Tue Jun 06, 2006 6:15 pm

You can't change that to whatever permission you like... until you want it to write to it... Like, I personally wouldn't leave the .staccess writeable... so I'd chmod it to 444.

But the .htaccess should remain at 666 if I want it to ban IPs by writing to the .htaccess.

kguske
Posted: Tue Jun 06, 2006 6:35 pm

The .htaccess prevents other scripts from touching itself or the .staccess. So you shouldn't have to change the permissions. Also, if you use .htaccess to store your blocked IPs, changing the permissions will cause NukeSentinel to fail.

gregexp
Posted: Tue Jun 06, 2006 6:41 pm

I had no idea that .htaccess had that kind of capability... I stand corrected.

Thanks for showing me this, kguske.
kguske
Posted: Tue Jun 06, 2006 6:52 pm

No problem. Take a look at the contents of .htaccess after it's generated by NukeSentinel - I think most of it is pretty self-explanatory.
Gremmie
Posted: Tue Jun 06, 2006 8:13 pm

Thanks.

But about .htaccess. How does it protect itself? I didn't see anything about .htaccess explicitly in the sample.htaccess that came with sentinel. I did see a deny for .ftaccess (whatever that is), and .staccess was added when I used Sentinel to do the CGIAuth thing.

Or does Apache just automatically protect .htaccess?

Thanks in advance.
kguske
Posted: Wed Jun 07, 2006 10:03 am

That's a good question. I think it's automatic.
Tao_Man
Posted: Wed Jun 07, 2006 10:35 am

Well, unless someone set up the server in a really stupid way, it is covered.

If the server has been set up securely and someone hasn't overridden it in a higher .htaccess file or someplace like httpd.conf, you are fine.

leo51
Posted: Sat Jun 10, 2006 3:29 pm

Tao_Man wrote:
    Well, unless someone set up the server in a really stupid way, it is covered.

    If the server has been set up securely and someone hasn't overridden it in a higher .htaccess file or someplace like httpd.conf, you are fine.

Hi Tao_Man, sorry to ask, but could you be a little more specific for someone like me, because I don't get what you are saying. I have looked at a httpd.conf file on a friend's server and what's in there is:

    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    </Files>

yet I could still see text in the htaccess from the browser. However, at the moment the couple of hta files there are blank, so there is no real issue, but I wanted to fix it for him in the event that he wants to use htaccess for good reasons.

Thanks
kguske
Posted: Sat Jun 10, 2006 3:36 pm

Deny from all does the trick. That basically says no one outside this server can read that file.
leo51
Posted: Sat Jun 10, 2006 4:01 pm

kguske wrote:
    Deny from all does the trick. That basically says no one outside this server can read that file.

Yes, correct kg, but what I am saying is that if I put a htaccess file in a folder like this, for example:

    AuthUserFile /whatever/whatever/.htpasswd
    AuthGroupFile /dev/null
    AuthName Whatevername
    AuthType Basic
    <Limit GET>
    require valid-user
    </Limit>

and I go to the browser and type the path to the htaccess file, I am able to read the text, and I don't think that should be possible. But if I were to use this example:

    AuthUserFile /whatever/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Whatevername"
    AuthType Basic
    <Limit GET>
    require user goodadmin
    </Limit>

then it's not possible to read the text from the browser. Look at the line between the Limit GET.
Tao_Man
Posted: Mon Jun 12, 2006 11:14 am

leo51 wrote:
    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    </Files>

The above should block access to .htaccess or .htpasswd.

If it is not working, I would say you have a setup problem on your server. Most likely a silly question, but you're sure those lines are not commented out?

One other thing to check: .htaccess files cover that directory and all under it, so there may be a .htaccess file in a higher directory that is overriding what you have in httpd.conf. Work your way up each directory and look for a .htaccess file and see if it has anything in it.
leo51
Posted: Fri Jun 16, 2006 9:46 am

Thanks for the response. I did check that server again and did not see any other .htaccess file, so it might just be a badly set up server. And which directory could be higher than \ root? (lol)

UPDATE:

fix: added it as this:

<Files ~ "^\.ht">
Options None
AllowOverride None
Order deny,allow
Deny from all
</Files>
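A check in the spirit of Tao_Man's and leo51's exchange above, added here as an example rather than code from this thread or from NukeSentinel: it parses a config fragment for a <Files ~ "^\.ht"> block, ignores commented-out directives, and applies Apache 2.2 Order/Allow/Deny semantics to decide whether a remote client would be served the file. The sample configs and the client address are constructed.

```python
import re

FILES_RE = re.compile(r'<Files\s+~\s+"([^"]+)">(.*?)</Files>', re.S | re.I)

def parse_ht_block(conf):
    """Return (order, allows, denies) from the first <Files ~ ...> block whose
    pattern covers ".htaccess", skipping commented-out lines; None if absent."""
    for m in FILES_RE.finditer(conf):
        if not re.search(m.group(1), ".htaccess"):
            continue
        order, allows, denies = "deny,allow", [], []   # Apache's default Order
        for line in m.group(2).splitlines():
            words = line.split()
            if not words or words[0].startswith("#"):  # blank or commented out
                continue
            key = words[0].lower()
            if key == "order":
                order = words[1].lower()
            elif key in ("allow", "deny") and words[1].lower() == "from":
                (allows if key == "allow" else denies).extend(w.lower() for w in words[2:])
        return order, allows, denies
    return None

def host_matches(host, patterns):
    """'all', an exact address, or a dotted prefix such as '192.168.' matches."""
    return any(p == "all" or host == p or host.startswith(p.rstrip(".") + ".")
               for p in patterns)

def is_allowed(host, rules):
    """Apache 2.2 Order semantics: allow,deny defaults to deny and Deny wins on
    conflict; deny,allow defaults to allow and Allow wins on conflict."""
    order, allows, denies = rules
    allowed, denied = host_matches(host, allows), host_matches(host, denies)
    return allowed and not denied if order == "allow,deny" else allowed or not denied

def htaccess_exposed(conf, host="203.0.113.7"):
    """True if a client at `host` (a constructed documentation address) could read .ht* files."""
    rules = parse_ht_block(conf)
    return rules is None or is_allowed(host, rules)

# Constructed sample configs: the thread's working block, the same block with
# its directives commented out (Tao_Man's question), and leo51's final fix.
WORKING = '<Files ~ "^\\.ht">\nOrder allow,deny\nDeny from all\n</Files>\n'
COMMENTED = '<Files ~ "^\\.ht">\n#Order allow,deny\n#Deny from all\n</Files>\n'
FIXED = ('<Files ~ "^\\.ht">\nOptions None\nAllowOverride None\n'
         'Order deny,allow\nDeny from all\n</Files>\n')

if __name__ == "__main__":
    for name, conf in (("working", WORKING), ("commented", COMMENTED), ("fixed", FIXED)):
        print(name, "exposed" if htaccess_exposed(conf) else "protected")
```

Both the original block and the Order deny,allow fix deny the remote client; only the commented-out variant leaves the files readable, which is the first thing to rule out when a block like this appears not to work.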

Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours