Securing files_dir via .htaccess in OJS 2.4.8.1


Hi all,

I have two installations (OJS & OCS). From time to time, I get new user registrations which subsequently manage to upload .phtml files through OJS.

Indeed, the files_dir directory is in public_html. If I understand correctly, this folder can be secured from the .htaccess file. Currently, I have the following .htaccess rules for the files_dir folder:

# No directory listings
Options -Indexes
# No CGI execution; mapping .phtml to cgi-script then makes Apache refuse to run it
Options -ExecCGI
AddHandler cgi-script .phtml

But I am not sure if these rules will be enough to stop intruders. The files_dir directory isn’t browsable anymore and the .phtml files are excluded from execution. But is that enough?

Can someone share their experience or best practices in securing OJS/OCS through the .htaccess file?

Thank you.

Hi @Dragomir,

The safest thing to do is move your files_dir outside your web root. That way you won’t need to worry about .htaccess protection at all.

The directives you set above will still permit submission files to be downloaded without access being checked, if the remote user is able to guess the filename.

Regards,
Alec Smecher
Public Knowledge Project Team


@Dragomir
I have similar problem too, as I don’t have full access to server.
For now I use .htaccess like this:

# Deny direct HTTP access to config and script files by extension
# (the dot must be escaped, otherwise "." matches any character)
<FilesMatch "\.(htaccess|htpasswd|ini|phps|log|php|phtml)$">
Order Allow,Deny
Deny from all
</FilesMatch>

This way you can’t access files matched by this mask from outside. Scripts can be uploaded but don’t run…


Hi @amaneshi,

This has the same flaw I mentioned above. You’ll want to deny access to everything, not just executables.

Regards,
Alec Smecher
Public Knowledge Project Team


Hi both and thank you for your involvement!

@amaneshi, thanks for the suggestion. During the past 2 months, I used to have the following .htaccess configuration including the rule proposed by you:

# Explicitly block common config/script extensions
<FilesMatch "\.(htaccess|htpasswd|ini|psd|log|sh|phtml)$">
Order Allow,Deny
Deny from all
</FilesMatch>

# Deny everything, then allow only plain-named image/document files back
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|docx|doc|pdf|ods|ots)$">
order deny,allow
allow from all
</Files>

# Serve anything else as an opaque download (requires mod_headers),
# except the allowed document types
ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png|docx|doc|pdf|ods|ots)$">
    ForceType none
    Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff

# No listings, no CGI; mapping script extensions to cgi-script makes -ExecCGI refuse them
Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .inc

The number of .phtml file submissions dropped significantly during the last 2 months after the implementation of these .htaccess rules. In fact, I had just a single .phtml file submission, recently. Therefore, I’m not 100% sure if the drop of the .phtml file submission rate was caused by these rules.

As you can see, I only managed to stop them from executing (I hope so), but I was unable to explicitly deny their upload to the server.

@asmecher, I already noticed in other threads that the best solution would be to move files_dir outside the web root. However, I was wondering if someone could share some good tips on how to secure this directory through .htaccess considering the strengths and weaknesses of OJS 2.4.8.1.

If I understand the logic of these hack attacks correctly, it would be enough to effectively block the upload of specific file types (such as .phtml). So, any suggestions on how to do this with .htaccess (or via any other method that doesn’t involve moving the files) would be appreciated.

Regards,
D

Hi @Dragomir,

There’s a plugin for OJS 3.x that allows you to list types of files to be allowed, but it’s not a replacement for either .htaccess or having files_dir outside the web root – that’s still recommended.

For complete protection with .htaccess I’d suggest adding basic authentication in addition to using NoExec. You don’t even need to create a password – just deny all downloads.

Regards,
Alec Smecher
Public Knowledge Team


Hi @asmecher,

Unfortunately, I’m not very .htaccess-savvy either. Can you share more details/examples on how to:

  • add basic authentication;
  • deny all downloads; I rely on users to upload their documents to the site. So, I assume denying all downloads wouldn’t be an option in my case… Am I missing something here?

Thank you for your outstanding support.

Regards,
D

Hi @Dragomir,

Basic authentication is more of a web server admin question than an OJS question; I’d suggest a quick look over on StackOverflow.com for some examples.

You do want to deny all direct downloads via the web server – PHP applications (like OJS) will still be allowed to access them and provide them to the end users, but will have the opportunity to control who can access them and when.

Regards,
Alec Smecher
Public Knowledge Project Team

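An added example of what the "deny all direct downloads" advice above looks like as a files_dir/.htaccess; this is not PKP's code or config from the thread, it covers both the Apache 2.2 and 2.4 access syntax, and it assumes the .htaccess is honoured (AllowOverride covering Limit/AuthConfig and Options, as the configs posted above already require):

```apache
# Hypothetical files_dir/.htaccess (added example, not PKP's own config).
# Goal: nothing under files_dir is ever served directly by Apache. OJS
# reads submission files from disk with PHP and streams them itself after
# checking the user's role, so denying HTTP access here does not break
# uploads or downloads that go through the application.

# Apache 2.4+ (mod_authz_core)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (mod_authz_host): same effect with the old syntax
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>

# Defence in depth, in case a later rule ever re-allows some path:
# no directory listings, no CGI, and serve every file as static content
# so an uploaded .php/.phtml is never handed to the PHP handler.
Options -Indexes -ExecCGI
SetHandler default-handler
```

After deploying, request a known filename under files_dir from outside (for example with `curl -I`) and confirm a 403, then confirm a logged-in user can still download the same file through OJS.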