Q: .htaccess blocks exploit of PHP file by banning those not referred within domain ( No Answer,   2 Comments )
Question  
Subject: .htaccess blocks exploit of PHP file by banning those not referred within domain
Category: Computers > Programming
Asked by: alakon2-ga
List Price: $3.00
Posted: 27 Apr 2004 14:01 PDT
Expires: 27 May 2004 14:01 PDT
Question ID: 337191
We are having a continuing problem with script kiddies exploiting
holes in PHPnuke 6.0. They are often able to pass variables to the
admin.php file. I'd like to add another line of security by using
.htaccess to block "hotlinking" of admin.php. That is, all requests to
"admin.php?op=" must be referred from within our domain name. I
understand there would be many ways to defeat this (that is, the
browser itself might be able to spoof the referrer code), but it
appears our "hackers" are usually script kiddies looking to exploit
the largest number of sites in the least amount of time.

My own attempt at writing the .htaccess code is as follows, but it
isn't working (as I have very little programming background); however,
it may help communicate what I'd like to do:

RewriteEngine On
# The RewriteRule pattern never sees the query string, so test for "op=" in a RewriteCond
RewriteCond %{QUERY_STRING} (^|&)op= [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com(/|$) [NC]
RewriteRule ^admin\.php$ - [F]
#RewriteRule ^admin\.php$ http://www.example.com/error.htm [R,L]

Clarification of Question by alakon2-ga on 28 Apr 2004 07:03 PDT
In response to Gourav Jain's comment, we have a large number of
editors who need to access the system. It would be difficult to
implement as they frequently access the site from different locations.
Answer  
There is no answer at this time.

Comments  
Subject: Re: .htaccess blocks exploit of PHP file by banning those not referred within domain
From: gouravjain-ga on 28 Apr 2004 03:54 PDT
 
Hi,
You can deny requests from other IPs/domains by putting the
following lines in your .htaccess file.

order allow,deny
allow from <Your IP/Domain>
deny from all

For more detail on .htaccess you can refer to the following URL:

http://wsabstract.com/howto/htaccess.shtml

Gourav Jain
Subject: Re: .htaccess blocks exploit of PHP file by banning those not referred within domain
From: ehacked-ga on 28 Apr 2004 08:09 PDT
 
Put this in the folder where admin.php resides:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://.*YOURWEBSITEHERE.com.*$      [NC]
RewriteRule .*\.(php)$ http://YOURWEBSITEHERE.com [R,NC]

Make sure this is specifically in the folder that contains admin.php
only! You don't want it anywhere else because you obviously still want
people to link to the rest of your website.

For added security, you can create a simple HTML page with only a link
to your admin page, and put it in a random folder. Make sure to change
"http://.*YOURWEBSITEHERE.com.*" to
"http://.*YOURWEBSITEHERE.com/FOLDERHERE" or else it won't matter
where you put that secret file. This will make it so that only that
one file can access it.

At least, this should theoretically work.
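Added example (mine, not code from the asker or either commenter): before switching on a Referer rule like the ones discussed in the question and in the last comment, replay it against the existing access log so you can see what it would have blocked and, just as important, which legitimate admin traffic it would break. The script models the intended policy (path admin.php, an op= parameter in the query string, Referer not beginning with the site's own host, compared case-insensitively) and tallies verdicts over constructed combined-format log lines. The host www.example.com, the client addresses, and the op values are assumptions for illustration, not values from the page.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed host name for the protected site; substitute the real one.
# An "internal" Referer starts with our host followed by "/" or nothing, which is
# the same test as:  RewriteCond %{HTTP_REFERER} !^http://www\.example\.com(/|$) [NC]
INTERNAL_REFERER = re.compile(r"^http://www\.example\.com(/|$)", re.IGNORECASE)

# Apache "combined" log format:
#   host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): RFC 5737 test addresses, made-up op values.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Apr/2004:14:01:02 -0700] "GET /admin.php?op=AdminMain HTTP/1.1" 200 5123 "http://www.example.com/admin.php" "Mozilla/4.0"
203.0.113.10 - - [27/Apr/2004:14:01:40 -0700] "GET /admin.php?op=AdminMain HTTP/1.1" 200 5123 "HTTP://WWW.EXAMPLE.COM/modules.php?name=Admin" "Mozilla/4.0"
198.51.100.7 - - [27/Apr/2004:14:02:11 -0700] "GET /admin.php?op=Status HTTP/1.1" 200 310 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Apr/2004:14:02:12 -0700] "GET /admin.php?op=Status HTTP/1.1" 200 310 "http://scanner.example.net/list.html" "libwww-perl/5.65"
192.0.2.55 - - [27/Apr/2004:14:03:00 -0700] "GET /admin.php HTTP/1.1" 200 2100 "-" "Mozilla/4.0"
192.0.2.55 - - [27/Apr/2004:14:03:30 -0700] "GET /index.php?op=foo HTTP/1.1" 200 2100 "http://other.example.org/" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def policy(target, referer):
    r"""Decide 'allow' or 'block' the way the intended rewrite rules would:
         RewriteCond %{QUERY_STRING} (^|&)op= [NC]
         RewriteCond %{HTTP_REFERER} !^http://www\.example\.com(/|$) [NC]
         RewriteRule ^admin\.php$ - [F]
    Only admin.php requests carrying an op= parameter are in scope; everything else passes.
    """
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "admin.php":
        return "allow"
    if "op" not in parse_qs(parts.query, keep_blank_values=True):
        return "allow"
    if INTERNAL_REFERER.match(referer):
        return "allow"
    return "block"


def audit(lines):
    """Tally the policy's verdicts over log lines, splitting blocks by their cause.

    Returns (counts, blocked_records). A Referer logged as "-" means none was sent."""
    counts = Counter()
    blocked = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        referer = "" if rec["referer"] == "-" else rec["referer"]
        if policy(rec["target"], referer) == "allow":
            counts["allow"] += 1
        elif referer == "":
            counts["block_no_referer"] += 1   # bookmarks, typed URLs, privacy settings
            blocked.append(rec)
        else:
            counts["block_foreign_referer"] += 1
            blocked.append(rec)
    return counts, blocked


if __name__ == "__main__":
    counts, blocked = audit(SAMPLE_LOG.splitlines())
    for bucket in ("allow", "block_no_referer", "block_foreign_referer", "unparsed"):
        print(f"{bucket:24s} {counts[bucket]}")
    for rec in blocked:
        print(f"  would block {rec['ip']} {rec['target']} referer={rec['referer']!r}")
```

The "block_no_referer" bucket is the one to watch: it is where editors who bookmark admin.php or type its URL will land, and it is exactly the case the two rule sets on this page treat differently (the question's version blocks an empty Referer, while the `RewriteCond %{HTTP_REFERER} !^$` line in the last comment lets it through). Run the audit over a real log before choosing between them. Note also that the policy, like the RewriteCond it mirrors, sees only the path and query string, so it is a hotlinking filter layered on top of patching PHP-Nuke, not a substitute for it.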
