Preventing Access to Directory Path From Client Browsers

parka
Forum Commoner
Posts: 52
Joined: Mon Feb 26, 2007 6:48 am

Preventing Access to Directory Path From Client Browsers

Post by parka »

How can I prevent access to a directory when users type in the URL address?

E.g. Users should be redirected back to homepage when accessing, let's say, the 'inc' directory.
- webpage.com/inc
- webpage.com/inc/login_user.php
- webpage.com/inc/data/registration.php

But I would need the PHP scripts to be able to access the 'inc' folder because the processing files are there.

I tried mod_rewrite, but it would redirect the address with everything appended behind.
If I try to access "http://webpage.com/inc/somefile.php", I would get redirected to "http://webpage.com/somefile.php". It should be redirected to "http://webpage.com" instead. Wondering if it's the right place to use mod_rewrite.

Thanks in advance for any help.
vargadanis
Forum Contributor
Posts: 158
Joined: Sun Jun 01, 2008 3:48 am

Re: Preventing Access to Directory Path From Client Browsers

Post by vargadanis »

The solution is a lot simpler. Either you add an .htaccess file and deny all, or set up the Apache config file to deny all access (includes will still be possible if I remember OK), or simply add an index.html or PHP file to the dir which redirects from the URL. Also I would add a robots.txt file so that bots would not include the content of the dir in their databases.

Code:

<script>window.location="../index.php"</script>
parka
Forum Commoner
Posts: 52
Joined: Mon Feb 26, 2007 6:48 am

Re: Preventing Access to Directory Path From Client Browsers

Post by parka »

Thanks.

If I were to just put an "index.php" file in every directory, does that solve anything? It might be harder for intruders to understand the directory structure. If the intruders type in something like "http://webpage.com/inc/login.php", they will get a blank document parsed back.

I'm just worried about security.
vargadanis
Forum Contributor
Posts: 158
Joined: Sun Jun 01, 2008 3:48 am

Re: Preventing Access to Directory Path From Client Browsers

Post by vargadanis »

Yes... Security is an issue that all programmers need to consider. However, an .htaccess file might solve the problem. I do not quite know how, but I think it is possible to deny all requests from browsers but not from the server. Therefore it provides relative safety. It is possible by editing the Apache virtual hosts file as well, if you can access it.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Preventing Access to Directory Path From Client Browsers

Post by Mordred »

Best solution is to place include files outside of the web root.
Next best thing is to .htaccess Deny.
mpetrovich
Forum Commoner
Posts: 55
Joined: Fri Oct 19, 2007 2:02 am
Location: Vancouver, WA, USA

Re: Preventing Access to Directory Path From Client Browsers

Post by mpetrovich »

parka wrote: I tried mod_rewrite, but it would redirect the address with everything appended behind.
If I try to access "http://webpage.com/inc/somefile.php", I would get redirected to "http://webpage.com/somefile.php". It should be redirected to "http://webpage.com" instead. Wondering if it's the right place to use mod_rewrite.

What you are asking can be done. You have an error in your mod_rewrite.

If you want to be really strict, you can redirect anything that does not fall in desired folders to be redirected to a home page. Now, what is great is that mod_rewrite does not affect PHP scripts and your ability to include things.

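Code:

# Block direct requests for the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>
DirectoryIndex index.php
Options +FollowSymlinks
RewriteEngine on
# Leave the images directory, robots.txt and index.php alone...
RewriteCond %{REQUEST_FILENAME} !^(.*)/images/(.*)$
RewriteCond %{REQUEST_FILENAME} !^(.+)/robots\.txt$
RewriteCond %{REQUEST_FILENAME} !^(.*)/index\.php$
# ...and hand every other request to index.php, with the requested path as the query string
RewriteRule ^(.*)\.* index.php?$1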
So, if you did something like this, you could only access the images directory and the robots.txt file. Everything else that tried to be accessed would pop into index.php. Now, the way I wrote this, the query string for index.php will be the file name (the $1). So, if someone accessed "/inc/somefile.php" the server would run index.php and send in "/inc/somefile.php" as the Query String. Your index.php can then figure out what to do with that.
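
One way an index.php could "figure out what to do" with the rewritten request, as an added example that is not code from any poster in this thread. It combines the rewrite above with Mordred's advice: the include files sit outside the web root, and the request is only ever used as a key into an allowlist, never as a file path. The route names, the `../inc` location and `home.php` are assumptions made for illustration; the other two file names are the ones from the original question.

```php
<?php
// Added example: index.php front controller for the rewrite rules above.
// Assumption: include files live in ../inc, outside the web root
// (hypothetical layout, not taken from the thread).
declare(strict_types=1);

const INC_DIR = __DIR__ . '/../inc';

// Allowlist: public route => include file, relative to INC_DIR.
// Route names and home.php are hypothetical.
const ROUTES = [
    ''         => 'home.php',
    'login'    => 'login_user.php',
    'register' => 'data/registration.php',
];

/**
 * Map the rewritten request (passed as the raw query string) to an
 * include file, or return null when the request is not on the allowlist.
 */
function resolve_route(string $queryString): ?string
{
    // Decode and drop surrounding slashes so "/login" and "login" match.
    $path = trim(rawurldecode($queryString), '/');

    // The request is used only as an array key. Anything not listed,
    // including "inc/somefile.php" or "../" sequences, falls through.
    return ROUTES[$path] ?? null;
}

$file = resolve_route($_SERVER['QUERY_STRING'] ?? '');

if ($file === null) {
    // Unknown or disallowed path: send the browser back to the home page.
    header('Location: /', true, 302);
    exit;
}

// Only values from ROUTES ever reach require, never user input.
require INC_DIR . '/' . $file;
```

With this in place a request for "/inc/somefile.php" matches no route and is redirected to the home page, while the scripts themselves remain includable from the server side.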