Forum

How to prevent .php from being downloaded?

guy
28 May 2016, 16:50
Hello,

I'm testing Hiawatha with a few virtual hosts; all work fine, but when, as a security check, I tried to download a .php file, I was able to, so the config file with the password, etc., can be downloaded using wget.

Here is part of the config:
FastCGIserver {
FastCGIid = PHP7
ConnectTo = /run/php/php7.0-fpm.sock
Extension = php
}

UrlToolkit {
ToolkitID = wordpress
RequestURI exists Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}


VirtualHost {
Hostname = my-domain.com, www.my-domain.com
WebsiteRoot = /home/my-domain/public_html
AccessLogfile = /var/log/hiawatha/my-domain.com/access.log
ErrorLogfile = /var/log/hiawatha/my-domain.com/error.log
StartFile = index.php
TimeForCGI = 60
UseFastCGI = PHP7
CustomHeader = X-Frame-Options: sameorigin
CustomHeader = Vary: Accept-Encoding
RandomHeader = 64
UseToolkit = wordpress
EnforceFirstHostname = yes
PreventXSS = yes
PreventCSRF = yes
PreventSQLi = yes
}
guy
28 May 2016, 17:10
UrlToolkit {
ToolkitID = wordpress
Match .php DenyAccess ## very important to prevent direct wget / download access to files
Match .xml DenyAccess ## very important to prevent direct wget / download access to files
RequestURI exists Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}
guy
28 May 2016, 17:12
UrlToolkit amended like above just solves it.
Hugo Leisink
28 May 2016, 18:15
When a .php file is configured as a CGI (via CGIhandler or FastCGIserver{}), you should not be able to download the source. Could it be you're downloading the sources via another virtual host?
Guy
29 May 2016, 09:39
I use Debian 8 on my server. In my previous case, I was able to download the source from my home computer, not being on the same network, server or virtual host as my website (my server/website is hosted with a cloud provider), so:

Without the above amended code in the config (downloading the source is possible):
----------------------------------------------------------------------------------------------------------------------------------
lubutun@lubutun-MSI-Notebook-VR610:~/Téléchargements/test$ wget http://MY-SITE.COM/wp-config.php
--2016-05-29 09:35:02-- http://MY-SITE.COM/wp-config.php
Résolution de MY-SITE.COM (MY-SITE.COM)... 108.161.128.170
Connexion vers MY-SITE.COM (MY-SITE.COM)|108.161.128.170|:80... connecté.
requête HTTP transmise, en attente de la réponse... 200 OK
Taille : non spécifié [text/html]
Enregistre : «wp-config.php»

[ <=> ] 0 --.-K/s ds 0s

2016-05-29 09:35:03 (0,00 B/s) - «wp-config.php» enregistré [0]

lubutun@lubutun-MSI-Notebook-VR610:~/Téléchargements/test$



With the amended code in the config, as said in the post above (no download allowed):
-----------------------------------------------------------------------------------------------------------------
lubutun@lubutun-MSI-Notebook-VR610:~$ cd /home/lubutun/Téléchargements/test
lubutun@lubutun-MSI-Notebook-VR610:~/Téléchargements/test$
lubutun@lubutun-MSI-Notebook-VR610:~/Téléchargements/test$ wget http://MY-SITE.COM/wp-config.php
--2016-05-29 09:32:36-- http://MY-SITE.COM/wp-config.php
Résolution de MY-SITE.COM (MY-SITE.COM)... 108.161.128.170
Connexion vers MY-SITE.COM (MY-SITE.COM)|108.161.128.170|:80... connecté.
requête HTTP transmise, en attente de la réponse... 403 Forbidden
2016-05-29 09:32:36 ERREUR 403: Forbidden.
guy
30 May 2016, 09:18
Thanks Hugo,

In addition, I tried on a WordPress website (not mine), as I know it uses Hiawatha, and I was able to download a .php file:

Here below, I removed 4 characters from the URL (****), but you should be able to figure out the real URL and try it yourself:
-----------------------

lubutun@lubutun-MSI-Notebook-VR610:~/Téléchargements/test$ wget http://****alm.org/index.php
--2016-05-30 09:06:54-- http://****alm.org/index.php
Résolution de ****alm.org (****alm.org)... 75.141.203.192
Connexion vers ****alm.org (****alm.org)|75.141.203.192|:80... connecté.
requête HTTP transmise, en attente de la réponse... 301 Moved Permanently
Emplacement: http://****alm.org/ [suivant]
--2016-05-30 09:06:55-- http://****alm.org/
Réutilisation de la connexion existante vers ****alm.org:80.
requête HTTP transmise, en attente de la réponse... 200 OK
Taille : non spécifié [text/html]
Enregistre : «index.php»

[ <=> ] 42.906 106KB/s ds 0,4s

2016-05-30 09:06:56 (106 KB/s) - «index.php» enregistré [42906]

---------------------------------
guy
30 May 2016, 11:23
OK, I understand my error; in fact the .php file(s) downloaded using wget are:

index.php, but in fact it's the HTML page/code within

wp-config.php, but in fact it's a fully empty file


I feel better now :-)

Guy
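The confusion in this thread (a 200 response to wp-config.php that is actually the executed script's empty output, versus a real source leak) is easy to settle mechanically. As an added example, not code from the thread or from Hiawatha: a small Python classifier that tells a denied request, normal script execution and a leak of raw PHP source apart by inspecting the status code and body. The fetch helper and the sample bodies are constructed assumptions.

```python
"""Classify what a server returns for a request to a .php file.

Constructed example: distinguishes 'source-leak' (raw PHP shipped to the
client) from 'executed' (script ran, HTML came back), 'executed-empty'
(script ran and printed nothing, as wp-config.php does) and 'denied'.
"""
import re

# Raw PHP source almost always carries an opening tag followed by whitespace.
# '<?xml' in executed output deliberately does NOT match.
PHP_SOURCE_RE = re.compile(rb"<\?(php|=)\s", re.IGNORECASE)

# wp-config.php specific: these defines never reach the client when executed.
WP_CONFIG_RE = re.compile(rb"define\(\s*['\"]DB_(NAME|USER|PASSWORD)['\"]")


def classify_php_response(status: int, body: bytes) -> str:
    """Return 'denied', 'source-leak', 'executed-empty', 'executed' or 'other-<code>'."""
    if status in (401, 403, 404):
        return "denied"
    if status != 200:
        return f"other-{status}"
    if PHP_SOURCE_RE.search(body) or WP_CONFIG_RE.search(body):
        return "source-leak"          # the interpreter never ran on this file
    if body.strip() == b"":
        return "executed-empty"       # e.g. wp-config.php: executed, prints nothing
    return "executed"                 # e.g. index.php: executed, HTML returned


def fetch_and_classify(url: str, timeout: float = 10.0) -> str:
    """Fetch url with the standard library (follows redirects like wget) and classify it.

    Hypothetical helper; the URL is supplied by the caller.
    """
    import urllib.error
    import urllib.request

    req = urllib.request.Request(url, headers={"User-Agent": "php-source-check/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_php_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 403/404 raise here; classify them from the error object.
        return classify_php_response(err.code, err.read())


if __name__ == "__main__":
    # Constructed sample bodies standing in for the three wget results above.
    print(classify_php_response(403, b""))                       # denied
    print(classify_php_response(200, b""))                       # executed-empty
    print(classify_php_response(200, b"<!DOCTYPE html><html></html>"))  # executed
    print(classify_php_response(200, b"<?php\ndefine('DB_NAME', 'wp');\n"))  # source-leak
```

A 200 with an empty body for wp-config.php is therefore the expected, safe result; only a body containing the PHP opening tag or the DB_* defines indicates that the file was served instead of executed.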
Hugo Leisink
30 May 2016, 12:31
Good to hear!
This topic has been closed.