Joseph
Joined: 26 Jan 2007 Posts: 16
Posted: Oct 29, 2008 3:35 am Post subject: After xtra file server install I think I may have a problem
I followed the instructions *** Extra File-Server Installation ***
Steps 1-3 were completed successfully
Then I run into a problem when I follow the following steps...
INFO: After installation try to open env.php which is in FileServer files folder in browser - it should show you error or source code.
If you see full path, then check that you've moved .htaccess to FileServer htdocs folder.
So I follow the instructions and type in my file server URL: http://fileserver.com/files/env.php and hit Enter.
The browser asks me if I want to Open or Save the file.
Isn't this some sort of error? There is an .htaccess in the "files" and "tmp" folders.

PilgrimX182
Joined: 22 Mar 2006 Posts: 1901 Location: UFO Lab
Posted: Oct 29, 2008 7:22 am Post subject:
So, go save it and see what's inside. If it's the env.php source then it's all fine. If it contains your server paths then you have a possible PHP injection vulnerability and need to disable PHP execution in the /files folder.

Joseph
Joined: 26 Jan 2007 Posts: 16
Posted: Oct 29, 2008 1:07 pm Post subject:
When I choose the Save option and open the file it displays my path.
When I choose the Open option it displays my path within my browser.
Here is the path it displays:
/home/username/domains/fileserver.com/public_html/files/env.php
How do I disable PHP execution in the /files folder?

PilgrimX182
Joined: 22 Mar 2006 Posts: 1901 Location: UFO Lab
Posted: Oct 29, 2008 2:17 pm Post subject:
Directives in .htaccess should do this actually.
Try these in apache config for /files/ folder:
Code:
<IfModule sapi_apache2.c>
    php_flag engine off
</IfModule>
<IfModule mod_php4.c>
    php_flag engine off
</IfModule>
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
But if you disable .php,.htm,.html files in XFS Site Settings then I think you will be pretty safe.

Joseph
Joined: 26 Jan 2007 Posts: 16
Posted: Oct 29, 2008 4:17 pm Post subject:
PilgrimX182 wrote:
> Directives in .htaccess should do this actually.
> Try these in apache config for /files/ folder:
> Code:
> <IfModule sapi_apache2.c>
>     php_flag engine off
> </IfModule>
> <IfModule mod_php4.c>
>     php_flag engine off
> </IfModule>
> <IfModule mod_php5.c>
>     php_flag engine off
> </IfModule>
> But if you disable .php,.htm,.html files in XFS Site Settings then I think you will be pretty safe.
Oh, okay I see now. I could apply the code to the apache config. BUT if I already disable .php,.htm,.html files in XFS Site Settings the extra code is not necessary then?

PilgrimX182
Joined: 22 Mar 2006 Posts: 1901 Location: UFO Lab
Posted: Oct 30, 2008 6:37 am Post subject:
Not necessary, since we won't allow executable files there. Also restrict pl,cgi,py,sh extensions.
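
The env.php check discussed in this thread, as an added example in Python (not part of the original posts and not XFileSharing code): it judges the response by its body, since the browser's Open/Save prompt appeared here even though the file contained the server path. The function names, the sample bodies and the assumption that the env.php source starts with a PHP open tag are hypothetical.

```python
import re
import urllib.error
import urllib.request

# A PHP open tag in the body means the raw source was served, not executed.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)
# An absolute filesystem path ending in .php; the lookbehind skips URLs.
ABS_PHP_PATH = re.compile(r"(?<![\w:/.])(?:/[\w.\-]+){2,}\.php\b")


def classify_probe(status, body):
    """Classify the response to a GET for a .php probe file in /files.

    "source-served": raw PHP source came back, engine is off (good)
    "blocked":       the server refused the request (good)
    "php-executed":  output shows a server path and no PHP tag (bad)
    "inconclusive":  anything else, inspect by hand
    """
    if status in (403, 404):
        return "blocked"
    if status != 200:
        return "inconclusive"
    if PHP_OPEN_TAG.search(body):
        return "source-served"
    if ABS_PHP_PATH.search(body):
        return "php-executed"
    return "inconclusive"


def probe(url, timeout=10):
    """Fetch the probe file from your own file server and classify it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_probe(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, "")


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "executed": (200, "/home/username/domains/fileserver.com/public_html/files/env.php"),
    "source": (200, "<?php echo __FILE__; ?>"),
    "denied": (403, "<h1>Forbidden</h1>"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(name, "->", classify_probe(status, body))
```

Run `probe()` against the file server again after changing the Apache config or the XFS extension settings; a result of "php-executed" means the /files folder still runs PHP.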