
osCommerce


Question about htaccess file.


kdogg


I'm not much up on htaccess files, I know how they work and what they do but I don't know what all the code you can use is for.

 

I'm trying to help a friend with his OsCommerce site and I noticed this in his main root .htaccess file:

 

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 60.2.93.xxx
deny from 222.122.19.xxx
deny from 218.186.12.xxx
deny from 65.55.214.xxx

Now I know what the "deny" lines do but what is the first part all about? My OsCommerce site has nothing like that.

 

Also, is there a good way to protect the /images/ dir via htaccess? Someone hacked his site through the images folder and was running code. I totally reinstalled his site, moved his admin folder, made a honey pot (fake admin) folder, htaccess'ed a few places, and added code to the images folder htaccess that will not allow any scripts to run, but I want to know if there is a good way to totally block access to images?

 

Anything else I missed?

 

Thanks.


I don't know why that was done. It seems to be saying that "anyone can see /403.shtml" (one of the Error Documents). Unless there was some code before that was restricting access to /403.shtml (among other files), I don't see why they would need to do that.

 

To prevent code from executing in the images directory, try this .htaccess file (borrowed from Simple Machines Forum):

<Files *>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>
RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml

 

You can also prevent access to your images by anything other than your own site, by using "hotlink protection":

RewriteEngine On
# Uncomment the next line to also allow requests that send no Referer (direct browser / "command line" access)
#RewriteCond %{HTTP_REFERER} !^$
# Add more lines like the following for subdomains, etc.
RewriteCond %{HTTP_REFERER} !^http://(www\.)?YourSite\.com(/)?.*$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

Be aware that this won't stop anyone from planting hacked images in the directory, just keep anything but your site from displaying them.



If I add that top section of code you posted to his .htaccess file, the header logo and some of the infobox images disappear from the site. They are png and gif images.

 

The same thing happens, for example, if you .htaccess the images directory with a password. The product images still show, but it kills the header logo, infobox images and some other main page images.

 

Mind if I ask why? What did we do wrong or what might we have setup wrong.

 

Also, here is another question. On another site I have, also OsCommerce, I have NO .htaccess file in my images folder, and if you try to browse to www.my_site_here.com/images, it's just blank; you can't see any of the images in the folder. However, if I add an .htaccess file with, say, that code that keeps you from running code, my images directory instantly becomes displayed; delete the htaccess, and it hides it again.

 

Another thing that puzzled me.

 

Just doing some testing and comparing between various sites here. Like I said, I don't know much about the htaccess files, still learning. =)

 

Thank you very much for the help btw. :)


It could be that your server is configured a bit differently than usual. There's several different threads going on here, each of which you may have to work with your hosting service on, as they're most familiar with your server.

 

1) scripting code hidden in image files -- removing the PHP (and other) handlers via this .htaccess in the images directory should keep embedded scripts from running. Of course, a better solution is to reload the images with fresh copies from your PC, so they aren't hacked in the first place. I'm not sure exactly what the <Files> section is doing -- you could try commenting it out and see how the behavior changes.

 

Banning executable scripts in images is not normally necessary, unless you permit users to upload their own images (e.g., forum/blog avatars). If you control your image files, you should have clean copies on your PC and should be able to overwrite all the images that might be hacked.

 

2) not letting other sites (or users from a browser) look at your image files from outside your site -- that's "hotlink" protection. The .htaccess fragment I gave checks if the referring site is yours (or any other one on the "whitelist"). If not, any image reference gets deep-sixed. Your host may have a different way to do this that they prefer you use.

 

3) random Web citizens going to your image directory and browsing your files -- you want to "turn off indexing". This can be done with an .htaccess entry such as Options -Indexes, which if in your root .htaccess will prevent listing any directory that lacks an "index.*" file. Many control panels have a button to do this for you. Or, you can add a dummy index file to such directories -- just an empty index.html, or one that says "Move along folks, nothing to see here" or "You lookin' at me? I said, you lookin' at ME?". Use your imagination.

 

You're probably best off working with your hosting service to address these three areas, in a manner which they approve of (they know your server configuration best).


I don't know why that was done. It seems to be saying that "anyone can see /403.shtml" (one of the Error Documents). Unless there was some code before that was restricting access to /403.shtml (among other files), I don't see why they would need to do that.

 

This is done so that the IP addresses that are denied access (which are assumed to be spammer/hacker IPs) will be able to see the "403 Forbidden" page that's served up by Apache when access is denied. Not doing this can cause infinite loops, as Apache will try to serve up the error page, which will be forbidden, which will cause it to try and serve up the error page, and so on.

 

I don't believe this is necessary if you don't have a custom 403 page.

 


Check out Chad's News.


If I add that top section of code you posted to his .htaccess file, the header logo and some of the infobox images disappear from the site. They are png and gif images.

 

The thing is, you -need- to give everyone read access to the images in your image file, or they won't be displayed. And the <Files *> ... </Files> code that MrPhil gave you will deny all access to the images for anyone on the web. Here's what I use to protect my image directory (note that it assumes the default, "Order Deny,Allow"):

 

php_flag engine off

<Files ~ "\.(php.*|s?p?html|cgi|pl|exe)$">
deny from all
</Files>

But there's benefit in also including MrPhil's line:

 

RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml

 

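To make Chad's point about `<Files *>` concrete, here is an added Python model of Apache 2.2's `Order`/`Allow`/`Deny` evaluation for a single section (example code written for this thread, not from osCommerce, SMF or any poster). It evaluates one section at a time, so the `<FilesMatch>` override in Chad's later version is not modelled, and it treats the thread's masked `60.2.93.xxx` style addresses as three-octet prefixes.

```python
import ipaddress

def host_matches(pattern, client_ip):
    """Does one 'Allow/Deny from' argument match the client address?
    Supports: all, localhost, a full IP, a leading-octet prefix, or CIDR."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern == "localhost":
        return ipaddress.ip_address(client_ip).is_loopback
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    # 'Deny from 60.2.93' matches every address whose leading octets are 60.2.93
    return (client_ip + ".").startswith(pattern.rstrip(".") + ".")

def access_allowed(order, allows, denies, client_ip):
    """Apache 2.2 Order/Allow/Deny semantics for a single section."""
    a = any(host_matches(p, client_ip) for p in allows)
    d = any(host_matches(p, client_ip) for p in denies)
    order = order.lower()
    if order == "deny,allow":
        # Deny is evaluated first, but a matching Allow overrides it, and a
        # client matching neither list is let in.
        return a or not d
    if order in ("allow,deny", "mutual-failure"):
        # An Allow must match and no Deny may match; unmatched clients are rejected.
        return a and not d
    raise ValueError("unknown Order: " + order)

# The three rule sets quoted in this thread, each as a function of the visitor's IP.
def smf_block(client_ip):
    """MrPhil's <Files *> block: Order Deny,Allow / Deny from all / Allow from localhost."""
    return access_allowed("Deny,Allow", ["localhost"], ["all"], client_ip)

def root_ip_bans(client_ip):
    """kdogg's root .htaccess: implicit Order Deny,Allow plus the 'deny from' lines.
    The thread masks the last octet as 'xxx', so three-octet prefixes stand in here."""
    banned = ["60.2.93", "222.122.19", "218.186.12", "65.55.214"]
    return access_allowed("Deny,Allow", [], banned, client_ip)

def error_page_block(client_ip):
    """The <Files 403.shtml> section: order allow,deny / allow from all."""
    return access_allowed("Allow,Deny", ["all"], [], client_ip)

if __name__ == "__main__":
    for ip in ("127.0.0.1", "203.0.113.7", "60.2.93.15"):   # constructed sample visitors
        print(ip, "images:", smf_block(ip), "site:", root_ip_bans(ip), "403 page:", error_page_block(ip))
```

A remote visitor fails `smf_block`, which is exactly why the logo and infobox images vanished, while a banned prefix still passes `error_page_block`, which is the loop-avoidance Chad describes.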

I'm thinking something like this might actually work better (for an .htaccess file inside the images directory):

 

php_flag engine off
Order Allow,Deny
Deny from all
<FilesMatch "\.(gif|tiff?|jpe?g|png)$">
 Allow from all
</FilesMatch>
RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml

 


The idea is that hackers have actually hidden scripts (such as PHP) inside your image files. When that "image" is displayed, it runs code. The intent is to disable the various engines that run script code, within that directory. I know that SMF recently faced this problem, and part of the solution was to add an .htaccess file to the image directory to "remove handlers" and apparently do some other stuff that may or may not work on your particular server.

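The RemoveHandler trick stops Apache executing what is already in the directory, but kdogg also needs to find the planted files. Here is an added Python checker (example code written for this thread, not from osCommerce or SMF) that flags files in an images directory whose extension is a script extension, whose bytes do not match the image signature their extension promises, or which carry a PHP open tag anywhere in their contents; the sample files it builds are constructed, and `index.html` / `.htaccess` are assumed to be the only legitimate non-image files.

```python
import os
import re
import tempfile

# Signature bytes a genuine image with this extension must start with.
MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": (b"\xff\xd8\xff",)}
# Extensions the thread's RemoveHandler line covers: Apache may hand these to a script engine.
SCRIPT_EXT = {".php", ".php3", ".phtml", ".cgi", ".fcgi", ".pl", ".fpl", ".shtml"}
# Non-image files assumed to legitimately sit in an osCommerce images directory.
EXPECTED_OTHER = {".htaccess", "index.html"}
# PHP open tags have no business anywhere in image data.
PHP_TAG = re.compile(rb"<\?php|<\?=|<script[^>]*language=['\"]?php", re.I)

def check_file(path):
    """Return the reasons (possibly none) this file looks wrong for an images directory."""
    reasons = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in SCRIPT_EXT:
        reasons.append("script extension in images directory")
    elif ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("extension does not match file signature")
    elif ext not in MAGIC and name not in EXPECTED_OTHER:
        reasons.append("unexpected extension")
    if PHP_TAG.search(data):
        reasons.append("PHP open tag embedded in file contents")
    return reasons

def scan_dir(root):
    """Map each suspicious file name in root (non-recursive) to its list of reasons."""
    return {n: r for n in sorted(os.listdir(root)) if (r := check_file(os.path.join(root, n)))}

def build_sample_dir():
    """Constructed sample files (not real site data) covering the cases the thread describes."""
    root = tempfile.mkdtemp(prefix="images_")
    samples = {
        "logo.gif": b"GIF89a" + b"\x00" * 32,                                            # clean image
        "banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"<?php /* appended */ ?>",  # code hidden after image data
        "photo.jpg": b"<?php echo 'not an image'; ?>",                                   # script renamed to .jpg
        "up.php": b"<?php echo 1; ?>",                                                   # raw script dropped in
        "index.html": b"<html></html>",                                                  # MrPhil's dummy index file
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root
```

Run `scan_dir` against the real images folder after an incident and compare the flagged names with the clean copies on your PC before overwriting, as MrPhil suggests.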


osC v2.3.1 has a .htaccess file in its images folder; as far as I know, earlier versions do not. I suggest everyone take 2.3.1's images/.htaccess file and place it into your images folder...
