I have a WAMP stack installed in my PC. Yesterday, I was working with file system with PHP and noticed that I can access any directory in my hard disk even above the website document root directory. This is a clear security issue that I want to avoid.

Currently, I am using several virtual hosts in my WAMP stack along with custom domain using hosts file.

I am looking for some configuration that I can made in httpd.conf file or better if possible in .htaccess file that will limit the access of scripts in various sites to their document root. It will be better if the code doesn't require any changes when I add or remove virtual hosts.

  • Can PHP from browser access files above your `DocumentRoot` folder? – anubhava Jan 06 '14 at 13:13
  • @anubhava Yes, it can even delete them –  Jan 06 '14 at 13:13
  • This is why you don't install wamp. Apache doesn't provide a way of editing or deleting directory listings. What are you seeing that lets you delete files? This is the simplest answer http://stackoverflow.com/a/4400412/46675 – Mike B Jan 06 '14 at 13:34
  • @MikeB All these PHP functions work. `chdir("x:\\");` `getcwd();` –  Jan 06 '14 at 13:38
  • @SantaClaus That has nothing to do with Apache. http://php.net/manual/en/ini.core.php#ini.open-basedir – Mike B Jan 06 '14 at 13:39
  • @MikeB Is it possible to set `open_basedir` to `documentroot` of each virtual host so that you don't have to do it every time you add a virtual host? –  Jan 06 '14 at 13:48
  • You can do it in the vhost file, so every time you add a vhost you set open_basedir to the same doc root. `php_admin_value open_basedir X:\ ` – Mike B Jan 06 '14 at 13:51
  • @MikeB Is it possible to avoid manual changes every time I create a virtual host? Maybe some regular expression. Seems like No. Anyway, thanks for help –  Jan 06 '14 at 13:56

2 Answers

1

I think you are approaching this from the wrong perspective.

By default Apache should be told it has access to nothing on the drive by putting something like this in the httpd.conf file

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

Then in each of your Virtual Host definitions you specify what directories that site has access to, like so.

<VirtualHost *:80>
    DocumentRoot "C:/websites/www/site1"
    ServerName site1.dev
    ServerAlias www.site1.dev
    Options Indexes FollowSymLinks
    <Directory  "C:/websites/www/site1">
        Order Deny,Allow
        Deny from all
        # This is my development version of site1.com and only allowed to be used on my internal network  
        Allow from 127.0.0.1 localhost ::1 192.168.2
    </Directory>
    ErrorLog "C:/websites/dev_logs/apache_error.log"
    CustomLog "d:/websites/dev_logs/apache_access.log" combined
</VirtualHost>

Alternatively if you want to allow access from the internet change the Order and Allow like this

<VirtualHost *:80>
    DocumentRoot "C:/websites/www/site1"
    ServerName site1.com
    ServerAlias www.site1.com
    Options Indexes FollowSymLinks
    <Directory  "C:/websites/www/site1">
        Order Allow,Deny
        # This is the live site can be accessed from the internet
        Allow from all
    </Directory>
    ErrorLog "C:/websites/live_logs/apache_error.log"
    CustomLog "d:/websites/live_logs/apache_access.log" combined
</VirtualHost>

By using this mechanism you know that by default apache cannot access any folders on your system without specifically granting access from within the Virtual Hosts definition.

RiggsFolly
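As an added example (not from the question, the comments, or either answer), the following combines the two mechanisms discussed on this page so that no hand edit is needed per site: the `<Directory />` deny-by-default from the answer above, which controls what Apache serves, and `php_admin_value open_basedir` from the comments on the question, which controls what PHP scripts may open. Wrapping the vhost in a mod_macro definition ties the `open_basedir` path to each `DocumentRoot` automatically. It assumes Apache 2.4 with mod_macro and mod_php loaded (the `Require` directives and `<Macro>` are 2.4 features), and the host names, the `C:/websites` tree and the scratch directory `C:/wamp/tmp` are constructed for the example.

```apache
# Global default: Apache may serve nothing unless a vhost grants it (2.4 syntax).
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

# One macro describes a complete development vhost.
# $name and $root are macro parameters substituted by mod_macro on each Use line.
<Macro DevSite $name $root>
<VirtualHost *:80>
    ServerName $name
    DocumentRoot "$root"

    # PHP may only open files under the site's own tree plus one scratch
    # directory for uploads and sessions. php_admin_value cannot be loosened
    # by ini_set() or by a .htaccess php_value, unlike php_value.
    # Path entries are separated by ';' on Windows (':' on Unix).
    php_admin_value open_basedir "$root;C:/wamp/tmp"
    php_admin_value upload_tmp_dir "C:/wamp/tmp"
    php_admin_value session.save_path "C:/wamp/tmp"

    # Development box: only reachable from the local machine.
    <Directory "$root">
        Options FollowSymLinks
        AllowOverride None
        Require local
    </Directory>

    ErrorLog  "C:/websites/dev_logs/$name-error.log"
    CustomLog "C:/websites/dev_logs/$name-access.log" combined
</VirtualHost>
</Macro>

# Adding a site is now a single line; the open_basedir restriction follows the path.
Use DevSite site1.dev "C:/websites/www/site1"
Use DevSite site2.dev "C:/websites/www/site2"

# Optional: release the macro name once all sites are declared.
UndefMacro DevSite
```

Check the result with `httpd -t` before restarting, then confirm from a script in one site that `ini_get('open_basedir')` reports that site's root and that `file_get_contents()` on a path outside it fails with an open_basedir warning. Two caveats: `open_basedir` only fences PHP's own file functions, so anything a script launches through `exec()`/`system()` is not covered (disable those with `disable_functions` if they are not needed); and `php_admin_value` applies to mod_php only, so under PHP-FPM the equivalent is `php_admin_value[open_basedir]` in each pool's configuration.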
-1

People should not ever be able to access folders you haven't allowed in any virtual hosts in conjunction with the .htaccess files

If you have a virtual host, say ben.mydevelopment which routes to a certain folder, there will be no way to "go up", you cannot access folders "above" that one.

You can use the .htaccess file to deny access to certain folders by using

Deny from all

and placing it in the relevant folders. You cannot block a whole filesystem since Apache shouldn't serve your entire filesystem to start with.

Can you list the folders that you've been able to gain access to and the ones on which Apache is running (either through the main config or virtual hosts)?

(Note: Also, I wouldn't worry too much about people being able to access your data; most firewalls deny inbound connections over HTTP and almost all home routers refuse inbound connections and don't know which computer to connect them to, so unless you've intentionally tried to set up your own live web server, you should be fine.)

BLewis
  • I'm trying to help, I've provided all the advice I can given the limited information you've provided. How can I help? – BLewis Jan 06 '14 at 13:49
  • This is not what I am looking for. I want to prevent PHP from accessing other directories –  Jan 06 '14 at 13:49