Question on htaccess file content

[ggrant3]

I backed up my site a few days ago, before I tried to add a contribution. After having an issue with the contribution not working correctly I decided to go back to my original (backed up) files.

 

So I overwrote the files that I had to modify for the contribution with the backed up files I have and now I am having an issue with my htaccess file.

 

I narrowed it down to 1 section of code in the htaccess file that is crashing my entire site.

 

If I have:

 

<Files *.php>

Order Deny,Allow

Deny from all

</Files>

 

in the beginning of my htaccess file the site will not load. But if I remove that above section of code the site loads fine.

 

Now again, I had the full htaccess file with the above code working fine before. Like I said I pulled the code from the backed up htaccess file that was working fine a few days ago. But now it doesn't like that section of code.

 

Any ideas why it would have worked before but not now?

 

It isn't even like I copied and pasted the code from the file and might have left something out, because I just overwrote the actual file.

[♥mdtaylorlrim]

 

If I have:

 

<Files *.php>

Order Deny,Allow

Deny from all

</Files>

 

That's a good piece of code to have in your images directory. It will keep anyone from running php scripts in the images directory.

 

Is it possible you copied the wrong .htaccess to your root?

[ggrant3]

That's a good piece of code to have in your images directory. It will keep anyone from running php scripts in the images directory.

 

Is it possible you copied the wrong .htaccess to your root?

 

I have cheked a few times and the file I am using is the same location.

 

Would I be okay leaving out this code?

 

<Files *.php>

Order Deny,Allow

Deny from all

</Files>

 

Also, I don't have any htaccess file in my images folder. Are you saying that I should? What about my admin/images folder, so i have an htaccess file in there too?

 

If so, what should be in it just the above code?

 

And does it look like the above code is wrong at all? I tried it with a space after the "," before "Allow" and it still crashed the site, so I just don't know if I should leave it out or what could be so wrong with that piece of code now.

[♥mdtaylorlrim]

I have cheked a few times and the file I am using is the same location.

 

Would I be okay leaving out this code?

 

<Files *.php>

Order Deny,Allow

Deny from all

</Files>

You MUST leave out this code if you want people to be able to execute php files.

 

Also, I don't have any htaccess file in my images folder. Are you saying that I should?

Absolutely. THAT is how you can prevent hackers from running php code in your images directory if thay manage to get a hacked file in there, which is a favorite place to hide a php script.

 

What about my admin/images folder, so i have an htaccess file in there too?

 

If so, what should be in it just the above code?

Probably not necessary, if you have your admin directory tree password protected with an .htaccess file. And you should not even have an admin directory. Hopefully you followed directions and renamed that directory.

 

And does it look like the above code is wrong at all? I tried it with a space after the "," before "Allow" and it still crashed the site, so I just don't know if I should leave it out or what could be so wrong with that piece of code now.

That piece of code prevents the execution of any php file. Unless it was not correct then it should not have allowed your site to run, as it is not running now.

[ggrant3]

You MUST leave out this code if you want people to be able to execute php files.

 

It is just a standard store type setting so I don't see any reason for anyone to need to run a php script.

 

 

Absolutely. THAT is how you can prevent hackers from running php code in your images directory if thay manage to get a hacked file in there, which is a favorite place to hide a php script.

 

Okay so i can just make a file called htaccess in my root images folder and have that piece of code in it, right?.

 

 

Probably not necessary, if you have your admin directory tree password protected with an .htaccess file. And you should not even have an admin directory. Hopefully you followed directions and renamed that directory.

 

Yes I already renamed my admin section. In regards to password protection I set up password protection through my cpanel. I don't know how to do it with an htaccess file. Should I use htaccess for my admin section or is password protection through the cpanel secure enough?

 

 

That piece of code prevents the execution of any php file. Unless it was not correct then it should not have allowed your site to run, as it is not running now.

 

I just don't understand why it was running before and not now. I have made my self go nuts verifying that it is what was there before adn that it is the correct htaccess file and that I am not missing something.

 

So if I leave it out of this root htaccess file and I operate a store type setting would it leave me vulnerable at all because that one piece of code is left out?

[♥mdtaylorlrim]

It is just a standard store type setting so I don't see any reason for anyone to need to run a php script.

osCommerce is composed of php scripts. For them to see your site the scripts must be able to run. But only in directories where they are meant to be.

 

 

Okay so i can just make a file called htaccess in my root images folder and have that piece of code in it, right?.

The file must have a period in front of it. But yes, that is correct. Could that be the reason it was not working before?

 

 

Yes I already renamed my admin section. In regards to password protection I set up password protection through my cpanel. I don't know how to do it with an htaccess file. Should I use htaccess for my admin section or is password protection through the cpanel secure enough?

Creating a proper .htaccess file is what cPanel will do to protect the directory. You can only do it by hand if you know the right commands and have command line access.

 

I just don't understand why it was running before and not now. I have made my self go nuts verifying that it is what was there before adn that it is the correct htaccess file and that I am not missing something.

Nor do I. Unless you missed the period in front of the htaccess as suggested above. If I am wrong I hope someone would have spoke up by now.

 

So if I leave it out of this root htaccess file and I operate a store type setting would it leave me vulnerable at all because that one piece of code is left out?

No, it does not make you vulnerable in directories where people are expected to point their browser to and access a php file. But in directories that one is NOT expected to directly access a php file, like the images directory, this file will prevent the execution of a php file. Like one placed there by a hacker.

[chadcloman]

I narrowed it down to 1 section of code in the htaccess file that is crashing my entire site.

 

If I have:

 

<Files *.php>

Order Deny,Allow

Deny from all

</Files>

 

in the beginning of my htaccess file the site will not load. But if I remove that above section of code the site loads fine.

When you say it is crashing your entire site, what specifically is the error message?

[chadcloman]

Also, I don't have any htaccess file in my images folder. Are you saying that I should? What about my admin/images folder, so i have an htaccess file in there too?

Here is the .htaccess code I use for both images directories, which I got from one of the security threads:

 

<Files ~ "\.(php.*|s?p?html|cgi|pl|exe)$">
deny from all
</Files>

although I suppose you could also use something like this:

 

Order Allow,Deny
<FilesMatch "\.(gif|jpe?g|tiff?|png)$">
 Allow from all
</FilesMatch>

[Mort-lemur]

Hi,

 

If you have :

 

<Files *.php>

Order Deny,Allow

Deny from all

</Files>

 

In the root .htaccess file, this will stop any php file from running. As OSC is a PHP programme, then that line of code will STOP OSC from working, as it is denying any file with a .php suffix.

[ggrant3]

When you say it is crashing your entire site, what specifically is the error message?

 

Well it would let the home page load, but if anything else was clicked on (category, product, or any other link) it would say file not found.

 

But what was so puzzling to me was that I copied what was already there (and working) last week. Nothing in that file had changed (except for the modification to the code from the contribution that I aborted which is why I was going back to the backed up file/code). So I just could not understand why what worked before was not working now.

 

But I guess if that mess didn't happen I might not have seen the info about protecting the images folder(s). I have gone through the security FAQ's but must have missed the images folder .htaccess info.

[ggrant3]

Thank you for your help everyone. Everything is fine once again.

 

Plus I ended up adding the .htaccess file to my root images folder and my admin/images folder

[ggrant3]

Just noticed something.

 

I logged into my admin section and as soon as I got there I was greeted but a bunch of the stolen.gif images.

 

I could not figure out what was happening so I did some searching around here and found that it may be related to some .htaccess code, so I figured since this topic is current I would just post the question in here.

 

Now as you guys recall I said I had my original site and .htaccess file working fine, then I backed it up before making some changes to the site , I ended up using the backed up .htaccess file to restore the mod'd one that wasn't working. And when I used the backed up (originally working .htaccess code) all of a sudden it did not work. So you guys informed me that a section of code should not be in there but nobody knew how everything was working before and not now.

 

Well guess what it is happening again now, but with a different section of code.

 

I had to comment the code out in order to stop the stolen.gif image from taking over my admin section.

 

This is the code I had to comment out:

 

 

stop hotlinking (gif/jpg) and serve alternate content

 

<IfModule mod_rewrite.c>

 

RewriteEngine on

 

RewriteCond %{HTTP_REFERER} !^$

 

RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/.*$ [NC]

 

RewriteRule .*\.(gif|jpg)$ http://www.mysite.com/images/stolen.gif [R,NC,L]

 

</ifModule>

 

With that above code commented out the admin section is now back to normal.

 

Any ideas what is going on with this code? Does it look okay? Because just like before the site was running fine and now using that code causes an issue.

[♥mdtaylorlrim]

Of course...your code is rewriting the URLs as if the images are in the /catalog/images folder, not the catalog/admin/images folder.

 

Just leave out that entire section of code in the .htaccess file in your admin section. Your password protection to the admin directory is sufficient to prevent access to ANY sub-directory of your admin directory.

[ggrant3]

Of course...your code is rewriting the URLs as if the images are in the /catalog/images folder, not the catalog/admin/images folder.

 

Just leave out that entire section of code in the .htaccess file in your admin section. Your password protection to the admin directory is sufficient to prevent access to ANY sub-directory of your admin directory.

 

That code is from the .htaccess file in my root though, not the admin side. Would it be bad idea to leave that section of code out of the .htaccess file in my root?

[♥mdtaylorlrim]

That code is from the .htaccess file in my root though, not the admin side. Would it be bad idea to leave that section of code out of the .htaccess file in my root?

Ok, I mis-read your post so just ignore my last and let us think about it a little.

 

Is your admin section protected by SSL? If so that is likely the reason. But let us look at it a few minutes.

[♥mdtaylorlrim]

Ok, rewriting is not my strong suit so hopefully someone else that does it often will chime in. I do see that it is using "mysite.com" which will never work... if you substituted that then what else did you change. Can we see it exactly like it is or do you just not want us to know your site?

[ggrant3]

Ok, I mis-read your post so just ignore my last and let us think about it a little.

 

Is your admin section protected by SSL? If so that is likely the reason. But let us look at it a few minutes.

 

Yes the admin section is protected by SSL

 

I do see that it is using "mysite.com" which will never work... if you substituted that then what else did you change. Can we see it exactly like it is or do you just not want us to know your site?

 

No I just list it as mysite.com because I hardly see anyone post there actual site, figured it was another precautionary type thing. Shouldn't matter though since I have my admin section renamed and password protected via .htaccess, right?

[♥mdtaylorlrim]

Yes the admin section is protected by SSL

Then that is exactly what is causing it.

 

Note the rule in the .htaccess file again.

 

RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/.*$ [NC]

 

This is saying that if the request for the image does not come from "http://www.mysite.com" then.... rewrite to the stolen image pic.

 

But, in the admin side the request is coming from "https://www.mysite.com" so therefore it displays the stolen image pic. What you need to do is change the condition to allow from either http or https. And since I am not well versed in rewrites this may be way wrong....

 

RewriteCond %{HTTP_REFERER} !^(http|https)://(www\.)?mysite\.com/.*$ [NC]

 

 

Maybe that will work, maybe not. If not then someone that does it regularly can give it to you correctly.

[ggrant3]

Then that is exactly what is causing it.

 

Note the rule in the .htaccess file again.

 

RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/.*$ [NC]

 

This is saying that if the request for the image does not come from "http://www.mysite.com" then.... rewrite to the stolen image pic.

 

But, in the admin side the request is coming from "https://www.mysite.com" so therefore it displays the stolen image pic. What you need to do is change the condition to allow from either http or https. And since I am not well versed in rewrites this may be way wrong....

 

RewriteCond %{HTTP_REFERER} !^(http|https)://(www\.)?mysite\.com/.*$ [NC]

 

 

Maybe that will work, maybe not. If not then someone that does it regularly can give it to you correctly.

 

 

Okay I see, I'll give it shot.

 

It is just so damn weird because I have had the SSL on for months now and both of these issues (in this thread) appeared with code that was already working. That is what really puzzles me. I could completely understand if the code was bad from the beginning and causing issues, but for it to work and then not work with no changes anywhere else is just confusing.

[ggrant3]

Success!

 

Thank you again for your help with these issues.

[♥mdtaylorlrim]

Okay I see, I'll give it shot.

 

It is just so damn weird because I have had the SSL on for months now and both of these issues (in this thread) appeared with code that was already working. That is what really puzzles me. I could completely understand if the code was bad from the beginning and causing issues, but for it to work and then not work with no changes anywhere else is just confusing.

Well your host has the ability to decide which directives may and may not be used in an .htaccess file. It could be they had that turned off. Maybe an upgrade to apache reset the options to allow it without them realizing it.

 

I've been doing linux administration for a lot of years and I still get baffled on a lot of things. Although I have been doing it for years I have not needed to do things constantly so my CRS disease kicks in an I have to look things up quite often. Once you get a server running just like you want it it will run fine for years...then all of a sudden you do an upgrade and it's back to the books...