1

I seem to have run into a situation where .htaccess files were able to successfully shut down a website of mine by denying server side PHP access to everything but the loading widget. Is there a way to prevent users from sniffing around the directories of the site (ie finding includes, images directory etc) while allowing scripts on the server to still access them properly? If so, how would I go about doing that?

I have attempted following another stackoverflow question

order deny,allow
deny from all
allow from 127.0.0.1

but it also produces the same issue. For example, if the .htaccess file in /img/ contains those lines (and only those lines), then the images on pages will not load.

Markyroson
  • 109
  • 10
  • What OS is the server running? – gview Dec 25 '18 at 07:22
  • Your question seems to contain contradictions. A site only visible from localhost by its definition will not allow images to load, unless you are running a browser on the server. Command line php can be used to do non public "serverside" activities, and does not have nor need the concept of a document root or public http access. Please clarify. – gview Dec 25 '18 at 07:28
  • My apologies. What I want is for readers to not be able to visit the subdirectories, but not to interfere with the server delivering web pages (in this case, index.php). The server OS is currently unknown to me as it is shared hosting ("Super Premium" plan) with ifastnet. For instance, if images are stored in /img/ I don't want visitors being able to poke around mysite.domain/img, but still want any pages including images from there to be able to get them and load for visitors. – Markyroson Dec 26 '18 at 09:02

1 Answers1

1

Since you have limited options with your shared hosting, the first thing to point out is that File system permissions are very important. If the user was able to exploit your site and write or change a file on the filesystem inside your webroot, that is very bad. File system permissions should not allow the web process to write files in any directory other than one(s) you specifically have set up for that purpose.

Given that caveat, here is a solution that handles individual directories like your /img directory.

Create this .htaccess file in the /img directory:

order allow,deny
<Files ~ "\.(jpg|jpeg|png|gif|bmp)$">
   allow from all
</Files>

This will allow normal functioning for access to image files and disallow access to anything else.

Hopefully you can also see the pattern used here, where you are whitelisting the extensions of files that you will allow. You can use this same idea for any other directories you have if you want.

gview
  • 14,876
  • 3
  • 46
  • 51