Apache Directives

  • rjmthezonenet
  • Expert
  • Posts: 526
  • Loc: St. John's, Newfoundland, Canada

Post 3+ Months Ago

It was suggested that a sick web server could send unprocessed .php files to the client, potentially exposing sensitive code. Could an Apache file directive prevent sending .php files unless they were processed?

The Apache Files directive could prevent an extension completely, but that would prevent all PHP scripts.

For example, this Files directive (untested) matches files ending in .inc, denying requests for these files.

Code:
# Deny every request for a file whose name ends in ".inc".
# ("<Files ~ regex>" still works in Apache 2.x, but <FilesMatch "\.inc$"> is the preferred spelling.)
<Files ~ "\.(inc)$">
  # Apache 2.0/2.2 access control (mod_access); on 2.4 this needs mod_access_compat,
  # or use "Require all denied" instead of the two lines below.
  Order allow,deny
  Deny from all
  # Satisfy All: an authentication Require block cannot override the deny.
  Satisfy All
</Files>


What if something similar was placed inside a test for a module?

Code:
# Only takes effect if mod_php4 was NOT loaded when the configuration was parsed.
# <IfModule> is evaluated at startup, not per request.
<IfModule !mod_php4.c>
  <Files ~ "\.(php)$">
    Order allow,deny
    Deny from all
    Satisfy All
  </Files>
</IfModule>


(The line <Files ~ "\.(php)$"> was originally posted as <Files ~ "\.(inc)$">.)

Should the server deny all PHP files if the module crashed and burned on startup? Could a solution similar to this be put into effect if the module crashed and burned after startup?

  • _Leo_
  • Proficient
  • Posts: 279
  • Loc: Buenos Aires, Argentina

Post 3+ Months Ago

The problem is, the web server will send unparsed PHP to the client if the PHP module fails. Therefore, the solution should be module-independent. I think the best try is using the filename/extension filter and using the desired PHP extensions strictly to name your files. That way you will be sure no PHP file will go to the client if the PHP module fails.
  • rjmthezonenet
  • Expert
  • Posts: 526
  • Loc: St. John's, Newfoundland, Canada

Post 3+ Months Ago

_Leo_ wrote:
...using the filename/extension filter and using the desired PHP extensions strictly to name your files.
Please explain.
  • _Leo_
  • Proficient
  • Posts: 279
  • Loc: Buenos Aires, Argentina

Post 3+ Months Ago

OK, you configure your server to use PHP. Then you tell Apache to send .php and .php3 files to the PHP module. If you are going to use .inc as an extra PHP file extension, then you must add .inc to the PHP module configuration in the Apache .conf file. Then, as long as the PHP module works OK, there is no way to get to the PHP source code.

Here we need a fallback configuration: if the PHP module is not working, we should disallow .php, .php3 and .inc files being downloaded.
I'm not quite sure how to do it right now, I will think about it and try some workaround when back from lunch :)
  • rjmthezonenet
  • User avatar
  • Posts: 526
  • Loc: St. John's, Newfoundland, Canada

Post 3+ Months Ago

Code:
# Deny every request for a file whose name ends in ".inc", whether or not
# the PHP module is loaded.
<Files ~ "\.(inc)$">
  Order allow,deny
  Deny from all
  # Satisfy All: an authentication Require block cannot override the deny.
  Satisfy All
</Files>


Wouldn't this protect .inc files as well as not depend on a healthy PHP module?
  • rjmthezonenet
  • Expert
  • Posts: 526
  • Loc: St. John's, Newfoundland, Canada

Post 3+ Months Ago

I realized a minor typo in my original post. What I meant to suggest was that a failed PHP module could be tested and .php files could be conditionally blocked.

Code:
# Block .php files only when mod_php4 is absent from the running configuration.
# <IfModule> is evaluated once, when the configuration is parsed.
<IfModule !mod_php4.c>
  <Files ~ "\.(php)$">
    Order allow,deny
    Deny from all
    Satisfy All
  </Files>
</IfModule>


(The line <Files ~ "\.(php)$"> was originally posted as <Files ~ "\.(inc)$">.)
  • _Leo_
  • Proficient
  • Posts: 279
  • Loc: Buenos Aires, Argentina

Post 3+ Months Ago

Well, after trying a couple of things. It is really difficult to start Apache if the PHP module is broken. The only way I found was disabling the module. In this case, a piece of code already posted will work OK:
Code:
<IfModule !mod_php4.c>
  # Unanchored pattern: ".php" anywhere in the name, so it also catches
  # stray copies such as script.php.bak or script.php~
  <Files ~ "\.php">
    Order allow,deny
    Deny from all
  </Files>
</IfModule>

Add the whole list of extensions to the regular expression.

The valid test would be killing (somehow) the PHP module without killing the Apache server, to check whether, in that case, the PHP code gets exposed. I think this is not an easy thing to happen. I wonder:

What kind of PHP script is good enough to be worth the effort?

There are so many open source systems (written in PHP) out there that I can't think of a script doing something really original.
For security matters, moving a few scripts to a safe (out of document root directory) location is enough.
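The check Leo describes (does raw PHP come back when the handler is not there?) can be scripted against a test server. The following is an added example, not code from the thread or from Apache; it assumes three hypothetical files under the document root: /canary.php (containing `<?php echo 'CANARY_OK'; ?>`), /secret.inc (an include that must never be downloadable) and /canary.php.bak (a stray backup copy, which only the unanchored "\.php" pattern above would block). The probe classifies each response and reports any path whose verdict differs from what the configuration is supposed to produce.

```python
"""Probe a web server for PHP being served as unprocessed source.

Added example, not code from the thread. It assumes three hypothetical
files deployed under the document root for the test:
  /canary.php      -> contains  <?php echo 'CANARY_OK'; ?>
  /secret.inc      -> any include file; must never be downloadable
  /canary.php.bak  -> a stray backup copy of canary.php
"""
import re
import sys
import urllib.error
import urllib.request

# A PHP open tag (<?php or the short echo tag <?=) at the very start of the body.
PHP_OPEN_TAG = re.compile(rb"^\s*<\?(php\b|=)", re.IGNORECASE)

# MIME types Apache typically emits when no handler matched and it treats the
# .php file as a plain file; an open tag in such a body is source, not output.
STATIC_SOURCE_TYPES = {"text/plain", "application/x-httpd-php", "application/octet-stream"}

UTF8_BOM = b"\xef\xbb\xbf"


def classify(status, content_type, body):
    """Classify one HTTP response.

    Returns:
      'blocked'  - 401/403/404: the desired answer for .inc and backup files
      'source'   - raw PHP came back: the failure mode discussed in the thread
      'executed' - a 200 whose body does not look like PHP source
      'other'    - anything else (5xx, redirects, ...)
    """
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "other"
    if body.startswith(UTF8_BOM):
        body = body[len(UTF8_BOM):]
    ctype = (content_type or "").split(";")[0].strip().lower()
    # Strong signal: the body *starts* with a PHP open tag.
    # Weaker signal: a static-file MIME type with an open tag anywhere. Requiring
    # the MIME type avoids flagging an HTML page that merely quotes '<?php'.
    if PHP_OPEN_TAG.search(body) or (ctype in STATIC_SOURCE_TYPES and b"<?php" in body):
        return "source"
    return "executed"


def fetch(url, timeout=10):
    """Return (status, content_type, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "php-source-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type"), err.read()


# Hypothetical test paths -> the verdict the configuration should produce.
EXPECTATIONS = {
    "/canary.php": "executed",
    "/secret.inc": "blocked",
    "/canary.php.bak": "blocked",  # caught only by an unanchored "\.php" pattern
}


def probe(base_url, expectations=EXPECTATIONS, fetcher=fetch):
    """Fetch each path; return a list of (path, wanted, got, status) mismatches."""
    findings = []
    for path, wanted in expectations.items():
        status, ctype, body = fetcher(base_url.rstrip("/") + path)
        got = classify(status, ctype, body)
        if got != wanted:
            findings.append((path, wanted, got, status))
    return findings


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    for path, wanted, got, status in probe(base):
        print(f"FINDING {path}: expected {wanted}, got {got} (HTTP {status})")
```

Run it as `python probe.py http://testserver` once with the module loaded and once with the LoadModule line commented out; the second run is the only way to see whether the fallback <IfModule> block actually engages. The `fetcher` argument exists so the classification logic can be exercised offline against canned responses.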
  • rjmthezonenet
  • User avatar
  • Posts: 526
  • Loc: St. John's, Newfoundland, Canada

Post 3+ Months Ago

Fair enough, if Apache won't start with a broken PHP module, then the point is moot. Thanks for help. :-)
  • rjmthezonenet
  • User avatar
  • Posts: 526
  • Loc: St. John's, Newfoundland, Canada

Post 3+ Months Ago

Although, it couldn't hurt to run a single conditional statement that is only considered on server load. Just one extra step, paranoid, but just one extra step. :-)

Post Information

  • Total Posts in this topic: 9 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.