i need a little help with .htaccess



maslove23
09-22-2008, 03:03 PM
Hello, how are you all?

I'm still new in the forums and I need a little help.

I have an uploading script and hackers are able to upload PHP from it.

How can I stop it with the .htaccess?

There's code for it but I don't know it.

Please help.

schorhr
09-22-2008, 05:41 PM
Here is an easy but powerful htaccess-password manager that will allow you to set a htaccess/password for multiple users.
This way everything within the folder/directory can only be accessed by password.
If you have your uploadscript in the same directory as everything else, create a subdirectory. You will then need to change the upload path of that script so the uploads do not end up in the password protected folder unless the uploads are accessed only by yourself anyway!

The original is not online anymore ( http://www.hotscripts.com/Detailed/15507.html - http://www.krizleebear.de/phpaccess/dynamisch/index.php?pageID=5 ) so I uploaded it here:
http://wap.cc/ae/aqua/ht.txt
http://www.nottoxic.com/wapcc/ae/aqua/ht.txt

You need to change the username/password of course, rename it to ht.php, and just point your browser to it once it's uploaded correctly.

maslove23
09-22-2008, 09:12 PM
Thank you so much, that was really helpful. But if I did that and they are still able to upload PHP shells, is it gonna be useful? I'm wondering if there's code to stop PHP from being uploaded. Basically forbid them to upload it even if the script scan didn't catch it. Thank you again.

schorhr
09-22-2008, 09:43 PM
Oh, I thought you just wanted password protection to avoid people accessing the script (so not everybody can upload stuff, which you could do with a password field instead if you don't like htaccess/password).

All kinds of solutions in this forum topic
http://www.phpbuilder.com/board/archive/index.php/t-10293142.html

or place something like this in a htaccess file:
AddType text/html .php
AddType text/html .phtml
AddType text/html .php4
AddType text/html .php3
AddType text/html .ssi
AddType text/html .cgi


Also you could unset chmod rights (execute...)

maslove23
09-23-2008, 12:16 AM
Thank you again. I'm really new at this so I don't really know what I should do. The chmod should be on 777 or it won't upload. And 777 is a dangerous thing. So should I add on the htaccess this:

AddType text/html .php
AddType text/html .phtml
AddType text/html .php4
AddType text/html .php3
AddType text/html .ssi
AddType text/html .cgi


Like this or with something,

Sorry for the trouble but I'm really new at it.

Thank you again.

djr33
09-23-2008, 12:26 AM
The easiest way is to, in your uploading script, CHECK the file extension. If it is an image form, for example, then you can just allow .jpg .gif and .png; that's all, and you're done. No matter what they upload with a .gif extension (PHP code, an image, or anything else), it will never be processed as PHP in a dangerous way on your server.
It's better to have an OK-list of file extensions (like "jpg gif png"), than to disallow the harmful ones (like "php"), because they could use another format you didn't think of.
If you need more specific help, we'd need to see part of your code.

.htaccess may work, but I don't see the point of using two languages to solve one problem.
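
An added example, not part of the thread or any poster's code: one way to implement the OK-list check djr33 describes in a PHP upload handler. It goes a step beyond the post by also checking the file's content type and storing the file under a server-generated name; the form field name `upload`, the `uploads` directory and PHP 7.1 or later are assumptions.

```php
<?php
// Added example (not from the thread). Assumed names: form field "upload" and
// storage directory UPLOAD_DIR (assumed to exist and be writable by PHP).
const UPLOAD_DIR = __DIR__ . '/uploads';
const ALLOWED = [            // OK-list: extension => expected MIME type
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'png' => 'image/png',
];

/** Return the allowed extension for a client-supplied name, or null. */
function allowed_extension(string $clientName): ?string
{
    // Only the final extension counts, compared case-insensitively.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED) ? $ext : null;
}

/** Validate one $_FILES entry and store it; returns the stored file name. */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext = allowed_extension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // The detected content type must match the extension, not just the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: the client's name (e.g. "x.php.gif") never reaches disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

if (isset($_FILES['upload'])) {
    try {
        echo 'stored as ', htmlspecialchars(store_upload($_FILES['upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage());
    }
}
```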