protect direct access to php files using mod rewrite
#1
It's currently possible to find out if a certain php file exists, regardless of the output.
What I'd like to point out is that it would be great to prevent direct access to php files using mod rewrite. 2 simple rules would allow access only to index.php

Code:
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
<FilesMatch "index\.php$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

The problem is that this solution cuts out the ability to administrate the website, because menu links in admin panel point directly to .php files.

Adding exceptions to the allow rule makes it unusable.
Would you consider changing the backend a little bit, to include admin php files rather than loading them directly, so htaccess could prevent direct access to all php files except index.php?
Reply
#2
How about a constant set early in index.php, then have every other file check for constant before execution?
Reply
#3
herb Wrote: How about a constant set early in index.php, then have every other file check for constant before execution?
We’re doing that already. PHP files that should not be accessed directly but only through an include will die() before executing anything. But yojoe wants to make the server block those files in a way so no PHP needs to run at all.
Reply
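The constant check discussed in posts #2 and #3 only protects a file if it is that file's first statement. The following is an added example, not part of the thread and not GetSimple's own code: a small audit script that lists PHP files which would run code on a direct request. The constant name `APP_ENTRY`, the sample file tree and all function names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

GUARD = "APP_ENTRY"  # hypothetical constant name; use the one your index.php defines

# Constructed sample tree (not taken from any real project).
SAMPLE = {
    "index.php": "<?php define('APP_ENTRY', true); include 'inc/page.php';",
    "inc/page.php": "<?php if (!defined('APP_ENTRY')) { die('no direct access'); }\necho 'page';",
    "inc/short.php": "<?php\n// include only\ndefined('APP_ENTRY') or exit;\n",
    "inc/late.php": "<?php echo 'runs first'; if (!defined('APP_ENTRY')) { die(); }",
    "admin/tool.php": "<?php echo 'no guard at all';",
}

_COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)

def _guard_re(constant):
    defined = r"defined\s*\(\s*['\"]" + re.escape(constant) + r"['\"]\s*\)"
    stop = r"(?:die|exit)\b"
    # The guard must be the first statement after the opening tag.
    return re.compile(
        r"\A\s*<\?php\s+(?:if\s*\(\s*!\s*" + defined + r"\s*\)\s*\{?\s*" + stop
        + r"|" + defined + r"\s*(?:\|\||or)\s*" + stop + r")", re.I)

def has_guard(source, constant=GUARD):
    """True if the file aborts before doing anything when the constant is unset."""
    return bool(_guard_re(constant).match(_COMMENTS.sub("", source)))

def unguarded_files(root, entry_points=("index.php",), constant=GUARD):
    """Relative paths of .php files that lack the guard as their first statement."""
    root = Path(root)
    found = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if rel not in entry_points and not has_guard(text, constant):
            found.append(rel)
    return found

def audit_sample():
    """Write SAMPLE to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return unguarded_files(tmp)

if __name__ == "__main__":
    print(audit_sample())
```

The check is deliberately strict: a file that places anything before the guard (such as `inc/late.php` in the sample) is reported for manual review.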



