I want to protect /sites (recursively up to files folder or up to the last folder) so that anonymous users will not be able to download any files from there.
I've checked the .htaccess file (under /sites) and it should prompt 404 error for anonymous access, but this is no happening, instead it display all files and folder under /sites.
What should be added/changed in the .htaccess file?
For any anonymous access it should prompt users for a 404 error but unluckily this is not taking place.
Please advise what to add in the .htaccess file (or other approach) to protect /sites folder recursively.
I hope I have drawn my issue clearly. Looking forward for a solution.
D7 / Centos 6
First, you need to prevent Apache to list files (directory listing):
http://www.thesitewizard.com/apache/prevent-directory-listing-htaccess.shtml
Secondly, you need to enable Private file storage in Drupal 7:
a) https://drupal.org/documentation/modules/file
b) http://openconcept.ca/blog/mgifford/setting-drupal-7s-private-file-system
Please remember, that Apache doesn't know about Drupal file permissions and it will serve any file unless you tell it not to (with some exceptions).
Related
I've recently moved my WP site from godaddy to a physical sever using windows server 2012 R2.
But I'm having problem uploading files using the Admin panel, After uploading the file, I can see it physically on the server (wp-content\upload\2017\10)
But I can't see it on the website it self.
I can only see the file if I'm changing it permissions on the server it self.
I've changed the permissions to the folder, I gave full access to the relevant users. But still, it doesn't work for new files\pictures I'm uploading via the wp admin panel
Edit:
I've notice that every time I come to change the folder permissions the permissions under CREATOR OWNER are always empty, Is it Related ?
Thank you very much for the help
When you upload a file, PHP sends the file to a temporary directory on your server's hard drive (usually C:\Windows\Temp) and then copies it over to the proper directory. Once the file has is initially put in the temporary directory, it gets the permissions of that directory. The problem is when Windows moves that file to the proper place, it keeps the temporary directory’s permissions, which can cause access problems.
The way to fix this is to change the temporary directory to a folder within your WordPress installation, usually wp-content/upgrade.
To do this, follow these directions:
Find your php.ini file.
Find the upload_tmp_dir line, and change it to the wp-content/upgrade folder.
Browse to this folder and verify that the permissions are set properly.
You should then have the ability to properly view all your images. You'll most likely need to select all the previous selected images, and change the owner of the files to the web folder owner. Then you should be good to go!
If you can’t upload an image at all, it’s probably because you need to give the IUSR account Read/Write/Modify permission on your wp-content folder. This will allow you to upload, and do the WordPress & plugin updates.
Once you have done that, all you need to do is give the IIS_IUSRS group Read permissions on your “C:\Windows\Temp” folder.
Make sure to notice that the two permission changes you make are not for the same user/group. Give IUSR permissions on your wp-content folder and IIS_IUSRS permissions on your Windows temp folder.
Note: If you have edited your php.ini file and change the upload temp directory then you will need to give IIS_IUSRS group read permissions on that folder instead.
That should do it, or at least it worked for me.
http://chris.wastedhalo.com/2011/01/wordpress-upload-permissions-on-iis-7-fix/
I find myself coming back to this question time after time when images I add to the Media Gallery don't have the correct permissions in the WordPress Uploads folder. Since I develop WordPress sites locally, it would be a pain to set permission on the Uploads folder every time I work on a new site.
To fix this, I created a folder "C:\Websites\Temp" without messing around with permissions or security settings, etc. Then in MAMP, I edited the php.ini template of the PHP version I was using for this site, php7.3.0.ini (File, Edit Tempate, PHP). I then set upload_tmp_dir to "C:\Websites\Temp":
; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
upload_tmp_dir = c:\websites\temp
and voila, no more permission issues.
Well, a few years later, found this post. Tried it. Failed.
Other solution is to assign a specific user to the site in IIS and apply the right permisions to the folder containing the site.
I have wordpress on my windows server. Pictures and files are uploading but when i trying to access these files the server showing up with
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
When I searched for error i found some solutions about IIS but it didn't work. Can anyone cross with this permission error? And what is the solution.
Thanks
When you upload a file, PHP sends the file to a temporary directory on your server's hard drive (usually C:\Windows\Temp) and then copies it over to the proper directory. Once the file has is initially put in the temporary directory, it gets the permissions of that directory. The problem is when Windows moves that file to the proper place, it keeps the temporary directory’s permissions, which can cause access problems.
The way to fix this is to change the temporary directory to a folder within your WordPress installation, usually wp-content/upgrade.
To do this, follow these directions:
Find your php.ini file.
Find the upload_tmp_dir line, and change it to the wp-content/upgrade folder.
Browse to this folder and verify that the permissions are set properly.
You should then have the ability to properly view all your images. You'll most likely need to select all the previous selected images, and change the owner of the files to the web folder owner. Then you should be good to go!
I have a plugin on a Wordpress site called WP Security, most of the stuff it does is easy to use and understandable, the changes it suggests like not have default 'WP_' prefix for databases etc.
One of the things it highlights is: The index.php file was not found in the uploads directory! You should create one in order to prevent directory listings.
So can anyone tell why preventing directory listings is good and do I need to put anything in the index file, and if so what code do I need to put in? Finally what is the importance of the index file in website I don't really get this part of web design? I have read it has to be there to make site visible to browsers but why is this, why can't browsers just use the URL with no index page?
Thanks for suggestions
Andrew
Yes, blocking directory index is a good idea in web apps. The index.* file is interpreted by web server instead of providing standard directory listing. Creating an empty index.* file is ony one (although the easiest and compatible with all(?) http servers) way of blocking users from viewing the contents of the directory. Another way is to configure webserver to not serve the directory index. In Apache this can be done in the .conf file with
Options -Indexes
in the <Directory> clause. Or you might tell apache to:
AllowOverride All
And create a .htaccess in the directory containing:
Options -Indexes
line.
Yes creating index.* file is really necessary to protect your asset as absence of index files shows whole directory structure and listed assets.
Easiest way to create an index.php file with simple coding.
If I'm hosting a website, say at http://www.example.com, how can I find files that are in the same folder as index.html if I DON'T know the filenames?
So for example, if there are these files in there:
http://www.example.com/test.txt
http://www.example.com/test1.txt
Can anyone see this list of files? If so, how can I hide them, but make each one accessible to someone who knows the names? I don't want to use a password system, if possible.
If you put index.html in that directory, so no files will be listed. If you allow to upload to that directory, so i can upload some php script to list all files in directory. IF you don't know file name, you can try to guess it :)
You can use bruteforce tools such as dirbuster, or you can look at the "/robots.txt" file for some clues on what's on the website.
By the way, you should keep in mind that most of web servers nowadays have rights management implemented, so even if there is such file on the server it may not allow you access to it without authentication.
Some hosting providers provide an option to specify whether directory listings are allowed. If enabled, and a client requests a URL for a folder that does not contain a default HTML file (index.html, default.html, default.aspx, etc), then the web server will serve up an HTML file containing a listing of the files in that folder. It is rare that this option is ever enabled, though.
but you should be accurate while inserting names of files in URL or else you can use pen-test tool which will list out some of the names for free.for attempts ot full listing of files you'll need to be a paid member i guess
I can upload a video to my drupal instance, but when I try to view the video I don't have rights to do so. I discovered that the IIS_IUSR doesn't have Read & Execute rights on the video even though the IIS_IUSR does on the containing directory.
IIS_IUSR has Read & Execute, List folder contents, and Read rights to the directory where files are uploaded to. However when I look at the rights of the uploaded video file (something.mp4), IIS_IUSR only has List folder/read data rights and Windows says these are inherited from the parent object. Include inheritable permissions from the object's parent option is checked.
Here's some more information that may be helpful.
If I try to access a video directly via a url I get this error:
HTTP Error 500.50 - URL Rewrite Module Error.
The page cannot be displayed because an internal server error has occurred.
Module RewriteModule
Notification BeginRequest
Handler StaticFile
Error Code 0x80070005
This seems like a configuration issue someplace, i.e. Drupal, IIS, or Windows.
Any thoughts.
My environment:
Windows 2008 R2
IIS 7.5
Drupal 6.19
MySQL 5.1.49
PHP 5.2.14
Someone requested that I post my .htaccess. There are several for the site, but here is the one for the files directory where the videos are uploaded to.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
But isn't .htaccess only used with Apache? I'm using IIS, so is the .htaccess even used?
Got the videos to work by changing the temp upload directory that Windows uploads files to before they're moved the web directory. By default Windows uses C:\Windows\Temp and in my case the permissions set on the file were kept when they were moved from Temp to the web directory. I didn't want to set IIS_IUSR permissions on this folder, so I created a different directory right under the C drive and gave it IIS_IUSR read/execute perms. Then I updated my php.ini file to point to this new directory. All's working well now. I think the key was to put this temporary directory outside of Inetpub because I tried this same set up but with the temp directory within Inetpub and it didn't work.