.php and ajax script protection

Postby rakusu » Tue Dec 11, 2007 11:55 am

Hey,

I'm trying to set up mod_rewrite for my site and have a few questions.

I have rewritten URLs so that they are easy to read and understand. I would like to have a rule that would redirect someone trying to directly access php scripts to an error page. For example, going to www.domain.com/blog/ will show blog.php, but when the user tries to go to www.domain.com/blog.php, they will be sent to www.domain.com/error/.

RewriteCond %{REQUEST_URI} .php
RewriteRule ^$ /error/ [R=301]

It doesn't work, and doesn't seem right. Any idea how this can work?

Also, I have a folder with all of my scripts that are accessed with AJAX. Is there a way to prevent access to these scripts directly as well? Maybe something like redirecting to /error/ if the request is not an XMLHTTPRequest, or is this more of a mod_access thing? I'm not familiar with mod_access though, and would appreciate any help you can give with that as well.

Thanks for your time and your help!
rakusu

Postby richardk » Tue Dec 11, 2007 2:11 pm

You can redirect to /error/
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(.+)\.php$ /error/? [NC,R=301,L]

Or you can remove the .php
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(.+)\.php$ /$1/ [NC,R=301,L]


I have a folder with all of my scripts that are accessed with AJAX. Is there a way to prevent access to these scripts directly as well?

I doubt it; there would have to be something unique sent in the request headers for it to know that it was an AJAX request. You could do hotlink-protection-style referrer checking, but it is unreliable. In a .htaccess file in the directory:
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^(http://(www\.)?example\.com(/.*)?)?$ [NC]
RewriteRule .* /error/? [R,L]
richardk

Postby rakusu » Tue Dec 11, 2007 5:28 pm

Hi richardk,

Thanks a lot! That worked well for protecting the php scripts.

An example of what I'm trying to do for protecting the AJAX scripts is on reddit.com. Using Firebug, you can see that voting on an article makes an AJAX request to http://reddit.com/api/vote. But when you navigate to that link, you see a 404 Not Found page. I'm trying to figure out how this is done. Any help is much appreciated!
rakusu

Postby richardk » Wed Dec 12, 2007 1:12 pm

I get a blank page when I access the reddit vote link (with a 200 header, not 404). They probably don't output anything unless variables are sent too.
richardk

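The script-side version of what richardk describes, as an added example that is not from the thread and not reddit's code: the endpoint inspects the request itself and answers 404 unless it looks like the call the page's own JavaScript makes. The request shape (a dict with method, headers, cookies, form), the cookie and field names and the server secret are assumptions, and Python stands in for the PHP the site actually runs; the checks translate one-for-one. Libraries such as jQuery add `X-Requested-With: XMLHttpRequest` to their requests, while a typed-in URL or a plain HTML form post does not, so that header plus the method gives the "404 from the address bar" effect. The caveat richardk's earlier answer points at still holds: any client can send any header (`curl -H 'X-Requested-With: XMLHttpRequest'`), so that check only hides the endpoint from casual browsing; the token bound to the session cookie is the part that actually rejects requests the page did not originate.

```python
import hashlib
import hmac
import json

# Assumption: in a real deployment this is loaded from configuration, never from source.
SERVER_SECRET = b"constructed-demo-secret"


def csrf_token(session_id):
    """Token the page embeds in its own JavaScript; derived from the session, so
    nothing has to be stored server-side and a different session gets a different token."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_vote(request):
    """Handler for the vote endpoint.  `request` is a constructed dict with the keys
    method, headers, cookies and form (no real framework is assumed).  Returns (status, body)."""
    # Step 1: anything that does not look like the page's own XHR call is "not found",
    # so someone pasting the URL into the address bar (a GET, no header) sees a 404.
    if request["method"] != "POST":
        return 404, "Not Found"
    if request["headers"].get("X-Requested-With") != "XMLHttpRequest":
        return 404, "Not Found"
    # Step 2: the header is trivially forged, so authenticity rests on a token that only
    # the legitimate page (same origin, same session) could have read and sent back.
    session_id = request["cookies"].get("session", "")
    token = request["form"].get("csrf", "")
    if not session_id or not hmac.compare_digest(token, csrf_token(session_id)):
        return 403, json.dumps({"error": "bad token"})
    # Step 3: the real work, with its own input validation.
    direction = request["form"].get("dir")
    if direction not in ("1", "-1"):
        return 400, json.dumps({"error": "bad vote"})
    return 200, json.dumps({"ok": True, "dir": int(direction)})


def make_request(method, headers=None, cookies=None, form=None):
    return {"method": method, "headers": headers or {}, "cookies": cookies or {}, "form": form or {}}


# Constructed requests for the cases discussed in the thread.
SESSION = "s3ss10n"
ADDRESS_BAR = make_request("GET")                                   # navigating to /api/vote
PAGE_XHR = make_request("POST", {"X-Requested-With": "XMLHttpRequest"},
                        {"session": SESSION}, {"csrf": csrf_token(SESSION), "dir": "1"})
FORGED_HEADER = make_request("POST", {"X-Requested-With": "XMLHttpRequest"},
                             {"session": SESSION}, {"dir": "1"})    # curl -H ..., no token
CROSS_SITE_FORM = make_request("POST", {}, {"session": SESSION}, {"dir": "1"})  # cookie sent, header not

if __name__ == "__main__":
    for name, req in [("address bar", ADDRESS_BAR), ("page xhr", PAGE_XHR),
                      ("forged header", FORGED_HEADER), ("cross-site form", CROSS_SITE_FORM)]:
        print(f"{name:15} -> {handle_vote(req)}")
```

Only the request built the way the page itself builds it gets a 200; the forged-header request fails at the token, not at the header, which is the point of layering the two checks.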
Postby rakusu » Wed Dec 12, 2007 4:30 pm

Hmm, that's very strange. In Camino I get reddit's custom 404 Not Found page, but in Firefox I get the blank page.

Thanks for your help!
rakusu

Postby himanmod » Mon Dec 22, 2008 2:05 am

richardk wrote:You can redirect to /error/
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(.+)\.php$ /error/? [NC,R=301,L]

Or you can remove the .php
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(.+)\.php$ /$1/ [NC,R=301,L]


I have a folder with all of my scripts that are accessed with AJAX. Is there a way to prevent access to these scripts directly as well?

I doubt it; there would have to be something unique sent in the request headers for it to know that it was an AJAX request. You could do hotlink-protection-style referrer checking, but it is unreliable. In a .htaccess file in the directory:
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^(http://(www\.)?example\.com(/.*)?)?$ [NC]
RewriteRule .* /error/? [R,L]

Hi,
I just tried all the above to remove the .php extension and prevent anyone from using the .php extension on my site, but it doesn't work. It always shows the NOT FOUND page.
I'm only using this code to remove the .php extension from my URLs, whether they are somepage.php or somepage.php?action=something:

Code:
Options +FollowSymLinks
RewriteEngine on
RewriteRule ^(([^/]+/+)*[^\.]+)$ $1.php
himanmod

Postby richardk » Mon Dec 22, 2008 4:09 pm

I'm only using this code to remove the .php extension from my URLs, whether they are somepage.php or somepage.php?action=something

What's supposed to happen when people go to somepage.php?action=something?

Do you have some mod_rewrite already?
richardk

Postby himanmod » Mon Dec 22, 2008 8:57 pm

richardk wrote:
I'm only using this code to remove the .php extension from my URLs, whether they are somepage.php or somepage.php?action=something

What's supposed to happen when people go to somepage.php?action=something?

Do you have some mod_rewrite already?


My .htaccess file just has these three lines of code (I'm not good at mod_rewrite):
Code:
Options +FollowSymLinks
RewriteEngine on
RewriteRule ^(([^/]+/+)*[^\.]+)$ $1.php


What do I need to do to prevent any use of the .php extension in the URLs and redirect it as a wrong page?
himanmod

Postby richardk » Tue Dec 23, 2008 9:08 am

You want PHP files to show a 404 error?

Try
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^.+\.php$ /404 [L]
richardk

Postby himanmod » Tue Dec 23, 2008 5:02 pm

richardk wrote:You want PHP files to show a 404 error?

Try
Code:
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^.+\.php$ /404 [L]


It doesn't work. Instead, this code shows the 404 error page and I'm still able to use the .php!!

With this code it works fine (RewriteRule ^(([^/]+/+)*[^\.]+)$ $1.php), but I don't know how to show the 404 page in the case of using the .php extension.
himanmod

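The rule sets in this thread (richardk's REDIRECT_STATUS-guarded redirect and referer check from his first answer, his later /404 rewrite, and himanmod's extension-stripping rule) are easier to reason about with a model of what Apache does with them, so here is a small emulator of mod_rewrite's per-directory behaviour as an added example. It is neither Apache code nor any poster's; Python is used because it runs stand-alone, and the .htaccess snippets fed to it are the thread's own. It models the parts these rules depend on: in a .htaccess the pattern is matched against the path with the directory prefix stripped (for a DocumentRoot .htaccess, /blog.php is matched as `blog.php`, which is why rakusu's `^$` never fires); a rule that rewrites the URL without [R] ends in an internal redirect that runs the .htaccess again with REDIRECT_STATUS=200 in the environment, which is what `RewriteCond %{ENV:REDIRECT_STATUS} ^$` tests; later rules in the same pass see the rewritten path unless [L] stops the pass; a trailing `?` in the substitution discards the query string; and a rewrite that never settles is cut off after ten passes, as Apache's LimitInternalRecursion default does. Two assumptions are made: the `/blog/ -> blog.php` rule paired with richardk's redirect, since rakusu's own pretty-URL rules are not in the thread, and the ajax/ referer check sitting at the document root rather than in a subdirectory.

```python
"""Toy model of Apache mod_rewrite in a DocumentRoot .htaccess (constructed for this thread).
Variables: %{REQUEST_URI}, %{HTTP_REFERER}, %{ENV:*}, %{HTTP:*}; flags: NC, L, R, R=nnn."""
import re

def expand(teststring, req):
    """Substitute %{VAR} references in a RewriteCond test string."""
    def var(m):
        name = m.group(1)
        if name == "REQUEST_URI":            # Apache's REQUEST_URI excludes the query string
            return req["uri"].partition("?")[0]
        if name == "HTTP_REFERER":
            name = "HTTP:Referer"
        if name.startswith("HTTP:"):
            return req["headers"].get(name[5:], "")
        if name.startswith("ENV:"):
            return req["env"].get(name[4:], "")
        return ""
    return re.sub(r"%\{([^}]+)\}", var, teststring)

def parse_htaccess(text):
    """-> [(conds, pattern, substitution, flags)]; each cond is (teststring, pattern, flags)."""
    rules, pending = [], []
    for line in text.splitlines():
        parts = line.split()                 # the thread's directives have no quoted arguments
        if not parts or parts[0].startswith("#"):
            continue
        flags = set(parts.pop()[1:-1].split(",")) if parts[-1].startswith("[") else set()
        if parts[0] == "RewriteCond":
            pending.append((parts[1], parts[2], flags))
        elif parts[0] == "RewriteRule":      # Options / RewriteEngine lines are ignored
            rules.append((pending, parts[1], parts[2], flags))
            pending = []
    return rules

def cond_holds(teststring, cond_pattern, flags, req):
    negate = cond_pattern.startswith("!")
    hit = re.search(cond_pattern.lstrip("!"), expand(teststring, req),
                    re.I if "NC" in flags else 0) is not None
    return hit != negate

def run_pass(rules, req):
    """One pass over the rule set: ('redirect', (code, location)), ('rewrite', uri) or None."""
    path, _, query = req["uri"].lstrip("/").partition("?")   # per-directory prefix stripped
    changed = False
    for conds, pattern, subst, flags in rules:
        m = re.search(pattern, path, re.I if "NC" in flags else 0)
        if not m or not all(cond_holds(*c, req) for c in conds):
            continue
        new = m.expand(re.sub(r"\$(\d)", r"\\\1", subst))    # $1 -> \1 back-references
        if new.endswith("?"):                                # trailing '?' drops the query string
            new, query = new[:-1], ""
        elif "?" in new:
            new, _, query = new.partition("?")
        rflag = next((f for f in flags if f == "R" or f.startswith("R=")), None)
        if rflag:
            code = int(rflag[2:]) if "=" in rflag else 302
            return ("redirect", (code, new + ("?" + query if query else "")))
        path, changed = new.lstrip("/"), True                # later rules see the rewritten path
        if "L" in flags:
            break
    return ("rewrite", "/" + path + ("?" + query if query else "")) if changed else None

def dispatch(htaccess, uri, headers=None, max_passes=10):
    """Run a request to completion.  A pass that rewrites the URL triggers an internal redirect,
    so the .htaccess runs again with REDIRECT_STATUS=200 set.  -> (outcome, value, trace)"""
    rules = parse_htaccess(htaccess)
    req = {"uri": uri, "headers": headers or {}, "env": {}}
    trace = [uri]
    for _ in range(max_passes):              # LimitInternalRecursion defaults to 10
        result = run_pass(rules, req)
        if result is None:
            return ("serve", req["uri"], trace)
        if result[0] == "redirect":
            return ("redirect", result[1], trace)
        req["uri"], req["env"]["REDIRECT_STATUS"] = result[1], "200"
        trace.append(result[1])
    return ("error", 500, trace)             # Apache answers 500 on a rewrite loop

# rakusu's attempt: ^$ matches only the empty per-directory path, so it never sees blog.php
BROKEN = r"""RewriteCond %{REQUEST_URI} .php
RewriteRule ^$ /error/ [R=301]"""
# richardk's redirect plus an ASSUMED pretty-URL rule (rakusu's own rules are not in the thread)
GUARDED = r"""RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(.+)\.php$ /error/? [NC,R=301,L]
RewriteRule ^([a-z]+)/$ $1.php [L]"""
UNGUARDED = GUARDED.replace("RewriteCond %{ENV:REDIRECT_STATUS} ^$\n", "")
# himanmod's extension rule (no [L]) ahead of richardk's 404 rewrite, and the same rules reordered
EXT_FIRST = r"""RewriteRule ^(([^/]+/+)*[^\.]+)$ $1.php
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^.+\.php$ /404 [L]"""
EXT_LAST = "\n".join(EXT_FIRST.splitlines()[1:] + EXT_FIRST.splitlines()[:1])
# richardk's referer check for the ajax/ directory, modelled at the document root
REFERER = r"""RewriteCond %{HTTP_REFERER} !^(http://(www\.)?example\.com(/.*)?)?$ [NC]
RewriteRule .* /error/? [R,L]"""

if __name__ == "__main__":
    for rules, uri in [(BROKEN, "/blog.php"), (GUARDED, "/blog/"), (UNGUARDED, "/blog/"),
                       (EXT_FIRST, "/somepage"), (EXT_LAST, "/somepage.php"), (REFERER, "/vote.php")]:
        print(uri, "->", dispatch(rules, uri))
```

Run, the model shows: BROKEN serves /blog.php untouched; GUARDED sends /blog.php to /error/ with a 301 while /blog/ is rewritten to blog.php and then left alone on the second pass, whereas UNGUARDED bounces that second pass to /error/ as well; EXT_FIRST turns every extensionless request into somepage.php and, in the same pass, into /404, so every page ends at /404.php, while EXT_LAST (richardk's rules first, or equivalently an [L] on the extension rule) serves /somepage as somepage.php and /somepage.php as /404.php; and REFERER lets a request with no Referer header through, because the optional outer group in the pattern matches the empty string, which is the unreliability richardk mentions.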