Leandro Silva wrote:
> Hi,
> In the company where I work, we have a Windows server with Apache/PHP
> installed with a shared folder in our network. The workers of the company can put
> any file in this folder to be visible on the internet through the HTTP
> protocol. We are having a problem because they can put PHP files in this
> folder and these files are executed by the CGI/PHP.
> I cannot uninstall PHP because I have other files at specific URLs
> which have to be executed by the CGI/PHP.
> Does anyone know how to deny access to PHP pages in only one folder?
> We have a Windows Server 2003 with Apache/2.0.63 and PHP 5.1.4.

Hi.
I am not a PHP specialist, and probably nobody here is because this is
an Apache forum, not a PHP one.
This is just to tell you that you may receive better information on a
PHP-specific forum, not here.
This may be a better place : http://www.php.net/support.php
But I will try.
By default, Apache does not "execute" PHP files, nor tell some PHP
run-time to execute them. The standard Apache installation does not
even contain a PHP interpreter.
So, someone added a PHP module to Apache, and also added some specific
PHP configuration instructions in your Apache configuration file. That
was done after the initial Apache installation, because (see previous
paragraph).
Probably, these PHP-specific instructions in httpd.conf (or
Apache.conf) look something like

    <Files *.php>
    .. run them with PHP
    </Files>

That means that whenever, anywhere, Apache will find a file ending in
.php, it will ask the PHP module to run it.
That is the culprit.
You can change that in two ways :
1) remove the above, and replace it by separate instructions that tell
Apache specifically in which directories it is OK to run .php files with
the PHP module. (And do /not/ configure your network drop-down
directory that way).
Then, when Apache does find a .php file in any directory that is not
specifically configured that way, it will just treat it as a text file,
and send it "as is".
OR
2) for your network directory, specifically forbid files ending in .php
from being served at all by Apache. That would be, I think, something like

    <Directory xxxx>
        <Files *.php>
            Order Allow,Deny
            Deny from all
        </Files>
    </Directory>

That would have the effect that whenever someone tries to request a .php
file from that specific directory via a URL, they will get an Apache 404
Error (Forbidden).
I would recommend (1) over (2), because with (2) it is still possible
for someone to put a .php file somewhere else that you are not
thinking of right now, and have it executed.
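
Option (1) from the reply above, sketched as an added example; it is not part of the original message or of the poster's configuration. It assumes PHP is wired in as a CGI through ScriptAlias/AddType/Action, and the paths C:/php, C:/www/app and C:/www/shared are placeholders.

```apache
# BEFORE (assumed current state): the mapping is global, so a .php file in
# ANY served directory, including the network share, is handed to PHP.
#
#   ScriptAlias /php/ "C:/php/"
#   AddType application/x-httpd-php .php
#   Action application/x-httpd-php "/php/php-cgi.exe"

# AFTER: keep the alias and the Action at server level, but remove the
# global AddType so nothing is mapped to PHP by default.
ScriptAlias /php/ "C:/php/"
Action application/x-httpd-php "/php/php-cgi.exe"

# Map .php to PHP only where scripts are meant to run
# (C:/www/app is a placeholder path).
<Directory "C:/www/app">
    AddType application/x-httpd-php .php
</Directory>

# The network drop folder (C:/www/shared is a placeholder path).
<Directory "C:/www/shared">
    # Undo any .php mapping that may still be inherited from elsewhere.
    RemoveType .php
    RemoveHandler .php
    # Ignore .htaccess files, so an uploaded one cannot add the mapping back.
    AllowOverride None
</Directory>
```

After a restart, requesting a .php file under the share should return its source as text rather than script output, which is a quick way to confirm the mapping is gone.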
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.