Index.php in uploads directory - Wordpress - wordpress

I have a plugin on a Wordpress site called WP Security, most of the stuff it does is easy to use and understandable, the changes it suggests like not have default 'WP_' prefix for databases etc.
One of the things it highlights is: The index.php file was not found in the uploads directory! You should create one in order to prevent directory listings.
So can anyone tell why preventing directory listings is good and do I need to put anything in the index file, and if so what code do I need to put in? Finally what is the importance of the index file in website I don't really get this part of web design? I have read it has to be there to make site visible to browsers but why is this, why can't browsers just use the URL with no index page?
Thanks for suggestions
Andrew

Yes, blocking directory index is a good idea in web apps. The index.* file is interpreted by web server instead of providing standard directory listing. Creating an empty index.* file is ony one (although the easiest and compatible with all(?) http servers) way of blocking users from viewing the contents of the directory. Another way is to configure webserver to not serve the directory index. In Apache this can be done in the .conf file with
Options -Indexes
in the <Directory> clause. Or you might tell apache to:
AllowOverride All
And create a .htaccess in the directory containing:
Options -Indexes
line.

Yes creating index.* file is really necessary to protect your asset as absence of index files shows whole directory structure and listed assets.
Easiest way to create an index.php file with simple coding.

Related

is it possible to find hidden files on website?

If I'm hosting a website, say at http://www.example.com, how can I find files that are in the same folder as index.html if I DON'T know the filenames?
So for example, if there are these files in there:
http://www.example.com/test.txt
http://www.example.com/test1.txt
Can anyone see this list of files? If so, how can I hide them, but make each one accessible to someone who knows the names? I don't want to use a password system, if possible.
If you put index.html in that directory, so no files will be listed. If you allow to upload to that directory, so i can upload some php script to list all files in directory. IF you don't know file name, you can try to guess it :)
You can use bruteforce tools such as dirbuster, or you can look at the "/robots.txt" file for some clues on what's on the website.
By the way, you should keep in mind that most of web servers nowadays have rights management implemented, so even if there is such file on the server it may not allow you access to it without authentication.
Some hosting providers provide an option to specify whether directory listings are allowed. If enabled, and a client requests a URL for a folder that does not contain a default HTML file (index.html, default.html, default.aspx, etc), then the web server will serve up an HTML file containing a listing of the files in that folder. It is rare that this option is ever enabled, though.
but you should be accurate while inserting names of files in URL or else you can use pen-test tool which will list out some of the names for free.for attempts ot full listing of files you'll need to be a paid member i guess

How to protect /sites folder recursively?

I want to protect /sites (recursively up to files folder or up to the last folder) so that anonymous users will not be able to download any files from there.
I've checked the .htaccess file (under /sites) and it should prompt 404 error for anonymous access, but this is no happening, instead it display all files and folder under /sites.
What should be added/changed in the .htaccess file?
For any anonymous access it should prompt users for a 404 error but unluckily this is not taking place.
Please advise what to add in the .htaccess file (or other approach) to protect /sites folder recursively.
I hope I have drawn my issue clearly. Looking forward for a solution.
D7 / Centos 6
First, you need to prevent Apache to list files (directory listing):
http://www.thesitewizard.com/apache/prevent-directory-listing-htaccess.shtml
Secondly, you need to enable Private file storage in Drupal 7:
a) https://drupal.org/documentation/modules/file
b) http://openconcept.ca/blog/mgifford/setting-drupal-7s-private-file-system
Please remember, that Apache doesn't know about Drupal file permissions and it will serve any file unless you tell it not to (with some exceptions).

Drupal Export of Site Not Working For Subdirectory Levels Beyond Root Directory

I have to move an existing Drupal site from one server to another. I've done so by doing a mysql database export/import and copying over the files to the new server. On the new system, the root page comes up fine but if I try to go to any deeper directory levels I get a 404 Not Found Error.
so drupal.newserver.com -> works fine
but drupal.newserver.com/user -> gives me a 404 and happens,same for all subdirectories
Is there something that I'm missing that is part of a drupal export? Could it be related to the structure of the /sites directory which is under the webserver's docroot?- which has a folder named after the old server (ie drupal.oldserver.com but not drupal.newserver.com? Also, I noticed that there are _htaccess files and .hta files but not .htaccess files in the site files that I've copied over.
Sorry if I'm asking a bleedingly obvious question - I'm very new to Drupal. Thank you!
Check whether the clean url is enabled in your web server. To check try this:
drupal.newserver.com/?q=user.
Just to let anyone who might come across via a google search - I was able to get this to work . It turns out that while mod_rewrite was enabled, what I had to do was to enable the AllowOverride directive for the web directory in httpd.conf to be set to ‘All’. If it’s not set to this, the server won’t respect the .htaccess rules you put into the drupal directory. It’s been a while since I’ve worked with apache config files so it took a while to finally piece it together. The main breakthrough came when I realized that if I turned off clean-urls then the links worked but looked ugly and then was able to research clean_url.

moving a Drupal installation - what configuration changes required?

I would like to move a test Drupal installation from
/opt/lampp/htdocs/corporate/internet
to
/corporate/internet
What corresponding changes changes do I have to make in .htacess, settings.php and/or other settings?
That depends on that how your sites/ directory is set up. If you just have a default directory within, they you really should be good to go.
Mostly, you don't have to make changes. This is because Drupal installations tend to be set up to use relative paths that will be valid no matter where in the system it is. You may want to do a quick search of any custom code for the string /opt/lampp/htdocs to see if someone didn't do something relatively, but any other contrib code should work fine.
As Jubal mentions, sites set up in the sites directory may need renaming if you're going to be using a different URL to access the site - if you're moving from devel.site.com to www.site.com, and you have a sites/devel.site.com directory, then you're probably going to want to copy that directory to sites/www.site.com. On the other hand, if you're using sites/default for your site, or if you're not changing the url at all, then this isn't a problem.
Do note that the .htaccess in the root directory of Drupal is very important for Drupal to work, and that doing a simple cp -R of the directory will not copy the .htaccess, so make sure you copy that. (.htaccess files in sub-directories, like sites/default/files, will be fine, it's just this one in the root.)
And finally, check your file permissions after you move the files. You'll especially want to make sure that the file permissions for the files and tmp directories are correct so that people can properly upload files. (This may not be important - but it's something to check nonetheless.)

2 drupal instances trying to access same set of files

I have set up 2 drupal instances pointing 2 codebase with a common database
www.abc.com points to folder /var/www/abcfolder
mywww.abc.com points to folder /var/www/mywwwabcfolder
The content is uploaded via mywww.abc.com and www.abc.com is used for general viewing. I have used domain access module where mywww.abc.com is an alais to mywww.abc.com
I want that all the files that are uploaded should be maintained in a common folder i.e. in /var/abcfolder/public/sites/all/files for both urls
I tried changing the file system path via admin/file-system to ../../abcfolder/public/sites/default/files since the path should be relative to the drupal installation folder. However on uploading a file, I get a file not found error.
Any help to resolve this issue would be appreciated?
Should I change the htaccess file in any one of the codebase? If yes, what should the change be?
Regards,
Loveleen
How about trying this:
Store the files in /var/www/abcfolder/sites/default/files. Create a symbolic link from /var/www/mywwwabcfolder/sites/default/files to /var/www/abcfolder/sites/default/files
Look up symbolic links in linux if you don't know what they are. If you're using windows you can still do symbolic links but they are more complicated.
[BTW I am not sure why you are doing this complicated setup. Reconsider using domain access unless you really need to. Is it necessary to have two sites like this? ]

Resources