11 Replies - 4392 Views - Last Post: 03 August 2011 - 12:37 PM

#1 withburninghate

How to restrict access to files and folders for visitors?

Posted 01 August 2011 - 08:40 AM

Hello,

How can you make sure that your website visitors can't access anything but the webpages themselves?

For example, let's say the typical website root folder consists of the actual pages (index.php, contactus.php, etc.) and 3 subfolders (images, styles, includes) with relevant files inside of them. So what happens is the user has access to any of the files and folders. For example, if they type in /styles/style1.css they will see all the contents of that file in plain text, or /includes/security.php, or simply put a folder name into the URL and they'll be presented with FTP view of all files that reside in that particular folder.

How can you restrict the access to those kinds of folders/files to the average visitor? For example if they actually try to access it the website will send them to a custom 404 page always.

TIA


Replies To: How to restrict access to files and folders for visitors?

#2 JackOfAllTrades

Posted 01 August 2011 - 10:38 AM

Well you have to provide the browser access to any CSS files or it won't be able to download them and render the content as desired. Same for images. As far as includes/security.php, as long as the webserver is properly configured to run PHP files through the PHP interpreter, any file that has a .php extension will go through the interpreter and nothing of interest will be provided to the end user (unless you actually echo out sensitive values in the file, which would be supremely dumb).

#3 withburninghate

Posted 01 August 2011 - 12:08 PM

JackOfAllTrades, on 01 August 2011 - 10:38 AM, said:

Well you have to provide the browser access to any CSS files or it won't be able to download them and render the content as desired. Same for images. As far as includes/security.php, as long as the webserver is properly configured to run PHP files through the PHP interpreter, any file that has a .php extension will go through the interpreter and nothing of interest will be provided to the end user (unless you actually echo out sensitive values in the file, which would be supremely dumb).


Let the browser access all the css and image files, no problem. But if the user types in the URL bar the path to a specific file(.css,.php) it gets displayed bare naked. That I want not. Instead show them the "File doesn't exist/not found" error.

For example, if you go to some particular website, right click, view source, find a path to a .css file, copy & go to it, you get an error explaining that the path is wrong/you shouldn't be accessing this.

This post has been edited by withburninghate: 01 August 2011 - 12:09 PM


#4 JackOfAllTrades

Posted 01 August 2011 - 05:34 PM

Please provide an example website displaying this behavior. You can't hide the CSS, Javascript, or images from anyone who wants to see it in any event: these are all rendered by the browser, and therefore will be sent to the browser in a state that the browser can render them. I suppose it may be possible to prevent the download of these files by using rewrite rules and HTTP referrers, but referrers can be easily faked. And no properly-configured web server will provide raw PHP code to a bare request for a .php file.

#5 withburninghate

Posted 02 August 2011 - 07:20 AM

JackOfAllTrades, on 01 August 2011 - 05:34 PM, said:

Please provide an example website displaying this behavior. You can't hide the CSS, Javascript, or images from anyone who wants to see it in any event: these are all rendered by the browser, and therefore will be sent to the browser in a state that the browser can render them. I suppose it may be possible to prevent the download of these files by using rewrite rules and HTTP referrers, but referrers can be easily faked. And no properly-configured web server will provide raw PHP code to a bare request for a .php file.


Any website, even this message board.

Maybe I laid it out wrong. I don't know how to make it any clearer.
I believe it has to do something with htaccess and mod_access.

#6 JackOfAllTrades

Posted 02 August 2011 - 01:30 PM

Well let's see. Here's a CSS link from this page:

<link rel="stylesheet" type="text/css" href="http://cdn3.dreamincode.net/dreamincode/home,_templates2,_styles_7.css,qv==16+home,_templates2,_google_cse.css,qv==2+search,_thickbox.css.pagespeed.cc.ish-NhTM07.css"/>



If I copy and paste that link into a web browser:

Spoiler


OK, now let's check a Javascript link
<script type='text/javascript' src='http://www.dreamincode.net/forums/public/min/index.php?g=js'></script>


Again, copying and pasting that into a browser:
Spoiler


Finally, a raw image and a PHP link:
<div class="tr2"><a href="/code/mod.php"><img src="http://www.dreamincode.net/home/images/envelope_ver2.gif.pagespeed.ce.0F0SUzJ-Zq.gif"><strong><span style="color: #0000FF;">26 New Snippets</span></strong></a></div>


These will require screenshots. First the image:

Attached Image

Now, we'll have to preface that PHP link with http://www.dreamincode.net, but let's see; this one will require a screenshot:

Attached Image

So I'm not sure what you're talking about here.

#7 withburninghate

Posted 02 August 2011 - 07:23 PM

That's basically it. It's just too easy to find those files on my website. But how can I disable the tree view if a user types in the folder name in the URL?

#8 Lemur

Posted 02 August 2011 - 08:03 PM

Just stick a blank index.php in there, problem solved.

#9 JackOfAllTrades

Posted 03 August 2011 - 04:32 AM

Wait, so you're getting the directory view if someone types in a url? Assuming Apache, Lemur nailed it.

#10 Lemur

Posted 03 August 2011 - 05:42 AM

Though it would be nice to implement a mod that prevented tree structure from generating or even something to auto-gen blank index.php files in empty directories. Then again, this is beyond the scope of my current knowledge so I have no idea how to go about implementing such a thing.

#11 JackOfAllTrades

Posted 03 August 2011 - 06:24 AM

It's in the core actually: check out Options Index. You can just turn it off.
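
The two fixes suggested in this thread, a blank index.php in each folder and turning the listing option off, both deal with the same mod_autoindex behaviour; the Apache directive for the second is `Options -Indexes`. The fragment below is an added example, not configuration posted by anyone in the thread, and the document root `/var/www/example` and the error page `/notfound.php` are assumed names.

```apache
# Added example: hypothetical server/vhost fragment; all paths are assumptions.

# Before: the "Indexes" option lets mod_autoindex generate a file listing
# for any folder that has no index file (the "tree view" described above).
#<Directory "/var/www/example">
#    Options Indexes FollowSymLinks
#</Directory>

# After: listings are off for the whole document root and everything below it.
<Directory "/var/www/example">
    # In Apache 2.4, once one option carries + or -, every option on the
    # line must carry one too.
    Options -Indexes +FollowSymLinks
</Directory>

# /images and /styles stay readable because the browser has to fetch them.
# /includes is only read from disk by PHP's include/require, so no URL
# needs to reach it and web access can be denied outright.
<Directory "/var/www/example/includes">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order allow,deny
        Deny from all
    </IfModule>
</Directory>

# With Indexes off, a folder URL without an index file answers 403 Forbidden,
# as does anything under /includes. Serve the site's own error page for both
# 403 and 404 so visitors see the same "not found" page either way.
ErrorDocument 403 /notfound.php
ErrorDocument 404 /notfound.php
```

On shared hosting the `Options -Indexes` line can go in a `.htaccess` file in the site root instead, which works only if the server's `AllowOverride` setting permits `Options`.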

#12 Lemur

Posted 03 August 2011 - 12:37 PM

The more you know, I suppose. I really need to read up more on Apache config later on.