1 Mar 03, 2005 02:03    

I notice that if I type in some directory name for my site into my browser address line, a directory buried deep within the b2evo install - I can see that directory and get a file listing.

I'm thinking that this probably isn't too good from a site security point of view?

Just for fun, I tried to do the same at Whoo's site. (I know she's pretty good with security issues).

In one instance, I got a blank screen, but in the other two, I got (what I assume is) a customized 403 error message? Some 'blue screen 'o death' thing that redirects me to the index.

How is this done? Can anyone point me to a good article or tutorial on this topic? (I looked thru these boards on "hiding AND directories" and on the 'net for "site security hiding directories", "setting directory permissions", etc., but can't seem to find anything germane.)

Don't the directory permissions determine if files contained WITHIN can be accessed, and don't these have to have World (Anonymous/Everyone) Read access in order for things to run? And if World has access to read, the directory has to be readable for everyone and blam ... anyone can see the files if they point to the right directory?! Whew ... that was long. ;)

2 Mar 03, 2005 06:50

stk wrote:

...

Just for fun, I tried to do the same at Whoo's site. (I know she's pretty good with security issues).

In one instance, I got a blank screen, but in the other two, I got (what I assume is) a customized 403 error message? Some 'blue screen 'o death' thing that redirects me to the index.

How is this done? Can anyone point me to a good article or tutorial on this topic? (I looked thru these boards on "hiding AND directories" and on the 'net for "site security hiding directories", "setting directory permissions", etc., but can't seem to find anything germane.)

Don't the directory permissions determine if files contained WITHIN can be accessed, and don't these have to have World (Anonymous/Everyone) Read access in order for things to run? And if World has access to read, the directory has to be readable for everyone and blam ... anyone can see the files if they point to the right directory?! Whew ... that was long. ;)

hehe, thanks, I'm flattered :)

blank file == you were looking in a directory used for images or perhaps plugins. What you saw was a blank index.html (or similar file)

the blue screen o' death == custom 404/403 message

as a rule, any directory traversal is bad. It's also annoying to check your logs and see that someone has done it. It reminds me of someone rummaging through the glove box of your car in the middle of the night.

therefore ...

here are a couple of decent tutorials >
http://thunder.prohosting.com/~sampieri/freefaq/g_htaccess.shtml
http://www.evolt.org/article/A_Cheesy_htaccess_Tutorial/18/226/

first thing I do:

don't use indexing. don't use fancy indexing

if you have this line:


Options Indexes

in your .htaccess, remove it.

Instead, I have this line:


DirectoryIndex index.html index.php index.cgi

and all of my directories have a blank index.html or similar page that is shown if you attempt to traverse a directory. Mind you I don't use a _main.php -- you will obviously want to include that in your .htaccess

Most good web apps have this covered .. and include placeholder index.html files for certain dirs within the downloaded archive.

those tutes also cover how to set up your own error pages. :)

to answer your larger question about things being world readable -- no, directories do not, and should not need to be world readable for things to work. Apache runs with enough privilege already to be able to read, and usually, write whatever it needs. Under normal circumstances, directories that contain your basic web browsable files only need to be chmod'd to 644, though they are usually chmod'd to 755 at creation.

hope that helps :)

whew that was longer.

3 Mar 03, 2005 13:19

Thanks Whoo.

Reading the .htaccess tutorial now.

We just got our domain name at the New Year. Our .htaccess (only one, at the top level dir) is pretty thin. I've only added XBitHack and a line to parse htm,html files for php.

Weird timing: we just got our first comment spam last night (and the HTML checker was OFF at the time ... because of recent problems with it gagging on [url=http://forums.b2evolution.net/viewtopic.php?t=3393]Invalid URLs[/url] - forgot to turn it back on ... :oops: ).

So ... I'll be boning up on site security & comment spam today. If you've got any pointers there, they would be appreciated. (I know there's been some discussion on the topic of late, so I'll be reading those posts with a newly-found interest).

Too bad there aren't sections in the b2evo doc that cover such things. Though they aren't often the FIRST questions that new b2evo users ask ... it is something that affects ALL b2evo users. It would help spread the word about running a tight ship.

Thanks again for providing those links and the information. :) Be flattered.

-stk

PS - If I'm not mistaken, 644 IS world "read" access ... read across the board (owner, group AND world) (My 'Smart' (?) FTP program won't let me chmod a directory - or even VIEW its permissions ... and the ls -a command isn't recognized. Aarg. What kind of unix is this? Maybe I'll have to read the doc. ha ha ;) )

4 Mar 03, 2005 15:12

Seems the simplest method is to use:

Options -Indexes

which yields an HTML error 403 (and which, as you say, can be customized) for any directory NOT containing an index.*(?) file.

[This doesn't require a blank index.htm in every directory. (Apache doc says DirectoryIndex defaults to index.html and our index.php seems to be picked up fine, without the explicit specification.)]

Thanks for the info Whoo!

5 Mar 03, 2005 19:26

stk wrote:

Seems the simplest method is to use:

Options -Indexes

which yields an HTML error 403 (and which, as you say, can be customized) for any directory NOT containing an index.*(?) file.

[This doesn't require a blank index.htm in every directory. (Apache doc says DirectoryIndex defaults to index.html and our index.php seems to be picked up fine, without the explicit specification.)]

Thanks for the info Whoo!

yes that will work, just remember if you have any dirs you want specifically to have another default page, you'll need to change ..

6 Mar 05, 2005 04:26

I'm a simpleton. I just made up an "index.html" file for each directory I don't want you (nothing personal there eh?) snooping around in. http://wonderwinds.com/skins/WonderWinds/ illustrates the point. Notice the page title ;) It's like 86 bytes.

7 Mar 05, 2005 05:19

Dork, eh? :lol:

If you're feeling particularly lonely, you can stick this php code in your file and find out Whoo's been naughty. (sorry Whoo, couldn't resist ;) )

<?php
// Who asked for what: the client address plus the requested host and URI
$ip = getenv("REMOTE_ADDR");

$requri = getenv("REQUEST_URI");
$servname = getenv("SERVER_NAME");
$combine = $ip . " hit " . $servname . $requri;

// Referrer and browser string exactly as the client sent them (may be empty or made up)
$httpref = getenv("HTTP_REFERER");
$httpagent = getenv("HTTP_USER_AGENT");

$today = date("D M j Y g:i:s a T");

// Free-text note appended to the mail; define it here because the message below uses it
$note = "Someone tried to browse a directory.";

// What the snooper sees in the browser
$message = "<h2>Dork</h2>";

// What you get by email, one item per line
$message2 = "$combine \n
$today \n
User Agent = $httpagent \n
Referrer = $httpref \n
$note \n ";

$to = "yourself@yoursite.com";
$subject = "Directory Snoop";
$from = "From: yourself@yoursite.com\r\n";

mail($to, $subject, $message2, $from);

echo $message;
?>


Tell them EXACTLY how you feel and bag some information (via an automatic email to yourself) about their snooping behavior.

Cheers. B)
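Whoo's remark about spotting traversal attempts in the logs, and stk's mail-yourself script above, are both a form of detection. As an added example that is not from the thread (the function names and the five log lines are constructed for this page), here is a small POSIX shell/awk filter that pulls directory-listing probes out of an Apache combined-format access log: GET requests for a path ending in "/" that the server answered with 403 (what Options -Indexes produces for a directory with no index page) or 404, grouped per client address.

```shell
#!/bin/sh
# Added example: find directory-listing probes in an Apache combined log.
# A probe here is a GET for a path ending in "/" (other than the site root)
# that got a 403 or 404. Log lines are constructed for the example.

SAMPLE_LOG='198.51.100.7 - - [03/Mar/2005:02:03:11 -0800] "GET /skins/ HTTP/1.1" 403 287 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Mar/2005:02:03:14 -0800] "GET /plugins/ HTTP/1.1" 403 287 "-" "Mozilla/4.0"
203.0.113.9 - - [03/Mar/2005:02:05:40 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2005:02:05:41 -0800] "GET /media/blog/pic.jpg HTTP/1.1" 200 18331 "http://example.com/" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2005:02:05:50 -0800] "GET /plugins/ HTTP/1.1" 403 287 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2005:02:06:02 -0800] "GET /conf/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"'

# Read combined-format lines on stdin; print "ip path status" for each probe.
# Field layout: $1 client IP, $6 "\"GET", $7 request path, $9 status code.
find_probes() {
    awk '{
        ip = $1; path = $7; status = $9
        if ($6 != "\"GET") next                                  # only GETs
        if (path == "/" || substr(path, length(path), 1) != "/") next  # directories only, skip site root
        if (status == "403" || status == "404") print ip, path, status
    }'
}

# Aggregate probes per client IP as "count ip", most active first.
probes_per_ip() {
    find_probes | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Run the filter over the constructed sample (use a real log with: probes_per_ip < access.log).
demo() {
    printf '%s\n' "$SAMPLE_LOG" | probes_per_ip
}
# demo
```

Run it as `demo` on the sample, or `probes_per_ip < /path/to/access.log` on a real log. One caveat: a directory request answered 200 is invisible to this filter, which is correct when an index page exists but would also hide a listing actually served on a host where Indexes is still on; the fix for that is the .htaccess change, not the log check.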

8 Mar 05, 2005 06:31

no problem. its been done before :)

9 Mar 08, 2005 01:11

stk: What file does that code get put into?

jj.

10 Mar 08, 2005 01:45

Hey JJ

You put it in your custom 404 error file, specified by the line

errorDocument 404 /relative/location/of/your/404.php


in your .htaccess file (for whichever set of folders you want this 404 file to apply to).

(It works kinda like CSS ... put it in your root directory & it will affect every folder below that. You can override a particular folder by specifying ANOTHER .htaccess file and 404.php, which will supersede the set higher up. Last command wins kind of thing.)

Does this explanation make sense?

Cheers,

stk
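The pieces the thread settles on (Options -Indexes, a DirectoryIndex list, a placeholder index.html in directories that have nothing else to show, and ErrorDocument lines pointing at custom pages) pulled together as one added POSIX shell script. This is example code written for this page, not something posted in the thread or shipped with b2evolution; the error-page paths /errors/403.html and /errors/404.php, the function names, and the assumption that the server permits .htaccess overrides (AllowOverride covering Options, FileInfo and Indexes) are all assumptions of mine.

```shell
#!/bin/sh
# Added example: harden a web root against directory listings.
#   write_htaccess ROOT   - write ROOT/.htaccess with the thread's directives
#   has_index DIR         - true if DIR already has an index.* file
#   add_placeholders ROOT - drop a placeholder index.html into every directory
#                           under ROOT that has no index.* file; print each fixed dir
# Error-page paths are assumptions; adjust ErrorDocument to your own pages.

write_htaccess() {
    root="$1"
    cat > "$root/.htaccess" <<'EOF'
# Never emit an automatic listing for a directory without an index page.
Options -Indexes
# Files Apache serves as a directory's index, in order of preference.
DirectoryIndex index.html index.php index.cgi
# Custom pages for forbidden and missing resources (paths assumed).
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.php
EOF
}

has_index() {
    # The glob stays literal when nothing matches, so -f fails and we return 1.
    for f in "$1"/index.*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

add_placeholders() {
    root="$1"
    # Walk every directory (root included; it is skipped if it has its own index).
    find "$root" -type d | while IFS= read -r dir; do
        if ! has_index "$dir"; then
            # A comment-only page: nothing to list, nothing to render.
            printf '<!-- placeholder: no listing here -->\n' > "$dir/index.html"
            echo "$dir"
        fi
    done
}

# Usage (run against your document root, then review the printed directories):
#   write_htaccess /var/www/html
#   add_placeholders /var/www/html
```

The script is idempotent: a second run of add_placeholders prints nothing because every directory now has an index file. It only stops listings; files whose names are known (an image, a skin's stylesheet) stay reachable, which is what juzzwuzzz observes later in the thread.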

11 Mar 09, 2005 04:21

Yes, it does. I've put that code into a 401test.php file and tried to load it directly in my browser. I get the following error:

Parse error: parse error, unexpected T_VARIABLE in /full/path/to/401test.php on line 16

Any idea what might be causing this? It seems to be this line of code:

 $message2 = "$combine \n 

jj.

12 Mar 09, 2005 04:33

Not sure why yours fails when mine doesn't. Might be the difference in server type (UNIX/Linux) or software (Apache -vs- ???)

Anyway ... you could try changing the code, as honestly, I'm not all that familiar with that syntax "\n=newline"...

try:

$message2 = $combine.'<br />'.$today.'<br />User Agent ='.$httpagent.'<br />'.$note;


which is another way of writing the same thing.

If that fails ... just shorten $message2 to just one variable and see if the rest works. If it does, it's just a matter of figuring out the proper syntax to amalgamate the variables into their own separate lines.

I've been finding that the Referrer is generally void of information.

Hope this helps.

-Scott

13 Mar 09, 2005 04:39

Actually, in your code above, is that an unclosed quote in line 14?

$message = "<h2>Dork</h2>

jj.

14 Mar 09, 2005 04:44

No way man! (Look again) ;)

Good catch (and that's not all it was missing). :oops: (See what happens when you try to change chit on the fly? ... I actually changed the orig code to DORK, for EdB's benefit ... since that's the title of his error page, if you right-click and view source).

Thanks for that and SORRY. Things always go much more smoothly when they're correctly formed to begin with.

Hope that's all it was.

15 Mar 09, 2005 05:12

Seems to be. I've gotten it running now, with the missing "; and am just tweaking the message and display. Thanks!

jj.

16 Mar 09, 2005 05:23

Xcellent. :D

If you come up with more valuable info than what's included here, please post back and let me know, so that I might consider adding it.

Also ... I'm on an Apache server and have been having problems getting the 404 error message to redirect properly in MSIE (works fine in Firefox), but MSIE seems to intercept the .htaccess directive and shove the 'friendly' 404 message at me, instead of my custom one.

The odd thing? The script runs EACH time, so I know that it's picking up the file.

AND ... it doesn't happen 100% of the time. If I rapid-fire click, I get my custom message about 20% and the stupid MSIE one about 80%.

(My host -www.siteground.com- is perplexed and is refusing to do anything about it). >:-<

Just check to see if yours is working 100% of the time in MSIE and let me know. I'd appreciate it. No hurries (the problem isn't going away soon).

I'd like to know if others experience similar difficulties with the "Worlds most popular browser" *cough - sputter - gag*

Thanks.

-Scott

17 Dec 29, 2005 11:16

One little question...

I made the .htaccess file with the code

DirectoryIndex index.html index.php index.cgi _main.php

And put an index.html in my blogs/media/mymediadir

If I now type in the url bar of my browser... blogs/media/mymediadir/ I get the error message... so that works good

But when I type blogs/media/mymediadir/mypicture.jpg It still shows the picture... is this supposed to happen? or am I doing something wrong?

18 Dec 30, 2005 04:36

juzzwuzzz,

nope, that's fine -- it's showing the image because the image is there. what you put in your .htaccess is meant to prevent browsing of directories (snoopers, if you will), not to prevent you from actually displaying content that you actually want to be seen :)

19 Dec 30, 2005 09:47

I found out that it also works without an .htaccess. If I just put an index.html file in every directory I don't want them to snoop in, they can't see the files then. It always opens the index.html.
