I have scan my site using https://www.magereport.com. I got Cacheleak vulnerability? unprotected issue. I need to know to fix this issue i have to define "location ^~ /var/ { return 403; }" , please tell me where i will add this code , if in htacess how ?
Create a .htaccess file with below content in var/, var/cache, var/session, var/backups directory of your Magento installation. It will deny any access request made to files
Order deny,allow
Deny from all
Refer to this article for implementation in Nginix server.
https://www.acunetix.com/vulnerabilities/web/magento-cacheleak
Related
I want to only provide public access to a single directory (/dist). I have an .htaccess file with the following:
Order deny,allow
Deny from all
<Directory /dist>
Order Allow,Deny
Allow from all
</Directory>
I'm trying to first deny access to all, then overwirte that directive with a allow rule for the /dist directory. However, when I try to access any file through the browser, I get the following:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at you#example.com to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
What am I doing wrong?
As #Anubhava said, Directory dirctive is not allowed in htaccess contex ,this directive is available for use only in Directory context. You can use a RewriteRule to deny access to all except /dist directory :
RewriteEngine on
RewriteRule !dist - [F]
This will forbid all incomming requests except a request for /dist.
Trying to deny access to a specific subfolder on a site.
I put an htaccess file in the subfolder with the following text:
Deny from all
But it has no effect. I also tried:
Order deny,allow
Deny from all
Wondering if there's some configuration I have to change?
I use GoDaddy for hosting.
Any help is appreciated.
I want .htaccess to selectively ignore some I.P. addresses.
I'm pushing the .htaccess file to http://modeldoc-treaties.rhcloud.com/wiki/extensions/log/ip.txt
I know that the .htaccess is being read because when it includes
deny from all
then I get the message "Forbidden".
But when I change the .htaccess file to say
deny from <my current I.P from whatsmyip>
then I'm not denied access.
Edit: after shooper's suggestion I tried (to allow just me)
Order Deny,Allow
deny from all
allow from <my.ip>
which blocks me, and also (to deny just me)
Order Allow,Deny
allow from all
deny fro <my.ip>
which allows me. So I guess the problem is I don't know what my i.p. actually is once it gets forwarded on openshift.
OpenShift has a reverse proxy in front of your application, so the ip that shows up to your .htaccess file is not the users real ip, it is stored in the x-forwarded-for header.
I think you probably need the "Order" directive as seen at http://httpd.apache.org/docs/2.2/howto/access.html.
Order deny,allow
Deny from <your current I.P. address>
Allow from all
I have copied one of my old applications and renamed it to New_application. I want to access .htaccess file that is inside the New_application folder. When I opened it with my text editor, it just showed Deny from all. I tried to open .htaccess in my old application, it showed Deny from all too. I remember I was able to edit it before but not sure what I can't now. Any thoughts? Thanks a lot.
Deny from all
is an .htaccess command (the actual content of that file you are trying to view). Not a denial of being able to edit the file. Just reopen the .htaccess file in the text viewer of choice and make the alterations as you so desire, save it, then reupload it to your folder of choice.
Though I think inadvertently you are blocking even yourself from viewing said application once uploaded.
I would do something like:
order deny,allow
deny from all
allow from 127.0.0.1
which will deny everyone but the IP in the allow from line, which you would change the IP to match your IP which you can obtain from http://www.whatismyip.com/ or similar site.
This syntax has changed with the newer Apache HTTPd server, please see upgrade to apache 2.4 doc for full details.
2.2 configuration syntax was
Order deny,allow
Deny from all
2.4 configuration now is
Require all denied
Thus, this 2.2 syntax
order deny,allow
deny from all
allow from 127.0.0.1
Would ne now written
Require local
You can edit it. The content of the file is literally "Deny from all" which is an Apache directive: http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny
A little alternative to #gaspĀ“s answer is to simply put the actual domain name you are running it from. Docs: https://httpd.apache.org/docs/2.4/upgrading.html
In the following example, there is no authentication and all hosts in
the example.org domain are allowed access; all other hosts are denied
access.
Apache 2.2 configuration:
Order Deny,Allow
Deny from all
Allow from example.org
Apache 2.4 configuration:
Require host example.org
I have a php file that inherits (includes) another PHP files. All inherited files are located in one folder called "includes". I want to be able to restrict any direct access to this folder. Only PHP files within the server can communicate with the files in the "includes" folder. How can I use .htaccess to accomplish such goal?
FYI, I used the following code and it did not work
Order deny,allow
deny from all
Any help would be appreciated
If you don't have the option of actually moving the "includes" folder outside of the Document Root area, and using the include_path (i.e. you can't get to it from web), then enter
deny from all
in a .htaccess directory in that directory.
However, alternative is to use a DEFINES directive to only allow access to those include programs by specific authorised files. For example, put
<?php defined('ACCESS_ALLOWED') or die('Restricted Access'); ?>
in the top of the include files, and then put
<?php define('ACCESS_ALLOWED', 1); ?>
in the programs that are allowed to include those files.
This will prevent casual GETs to those include files from running them, and will work for any web server, not just those supporting htaccess files.
in your includes/.htaccess :
Order deny,allow
deny from all
You can actually just use an index.php and pass a 404 header using header():
header('HTTP/1.1 404 Not Found', 404);
IMO, this is better than a 403, since it's like the folder doesn't exist. As for the include files, put this line above the first include/require line of the main file:
define('INCLUDED', true);
And on every file in the include directory, put this at top most part.
if (!defined(INCLUDED)) {
header('HTTP/1.1 404 Not Found', 404);
}
You can deny direct access to the folder using the following Directives in htaccess or server.config contex :
Mod-alias based solution
Redirect 403 ^/folder/.+$
This will redirect all files and dirs of /folder/ to 403 forbidden error page.
Mod-rewrite base solution :
RewriteEngine on
RewriteRule ^/?folder/.+$ - [F]
Depending on possible other options set at a higher level you may need to use:
Satisfy all
Order deny,allow
Deny from all
I ran into this when the upper directory defined basic authentication including the line:
Satisfy any
This was preventing my deny from all to take effect because the users were authenticated.