Htaccess/WebDAV


#1

On the Htaccess page, where you can password protect a directory, there is a part where it says:

[quote]Forbidden file extensions:
(Leave blank to forbid all files)[/quote]
What if I want to allow all file extensions?
Or am I just not getting what these 2 lines are saying?


TzFiles.com


#2

That’s for preventing hotlinking; ignore it unless you’ve checked the box to forbid hotlinking.

emufarmers.com
Very little to do with either emus or farmers!


#3

OK… I created this file, but when I went to log in to my site's account (not Dreamhost, my site: http://tzfiles.com) it tried to get the images from the users folder (in my case, my images), then asked me for a password. How can I allow the files to be read from the folder, just not allow anyone to browse this folder to view other users' images/files?

Make Sense?


TzFiles.com


#4

Makes sense, but that’s a tough one. It’s doing what you wanted: password protecting images in your user directory. If people know the filenames of the images in that directory, password protecting that directory is the only way to prevent access to those images.

To stop open browsing of that directory, either put a 0 byte index.html file in there, or add the following to the .htaccess:

Options -Indexes

-Scott


#5

Hi, does Htaccess/WebDAV prevent PHP Injection or ‘uploading of files sort’?
because our website is constantly defaced. They are uploading files to our directories, and our directories are already chmod 555…


#6

sounds like an sql injection to me


#7

SQL Injection?
How do I prevent that? Or can you give me a link to an article?


#8

google: sql injection


#9

Oh, OK. And one more thing, just want to re-confirm. This is what happened:
they put files on our web server, and (I think) they ran that file to make changes in our pages, because I downloaded those files and ran them.

my question is,

  1. would changing the File Permission of our files and folders to 555 (Read-Execute) solve the problem of them putting something in our folders?

  2. can the hackers use SQL Injection to retrieve values from our database?

These hackers are becoming annoying; they keep doing it and they are toying with data which is of business use.
thanks.


#10

no. that only affects existing files. they have found your login details or a security hole in your web app to write files.

that’s exactly what it’s for
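
A way to check from the shell what posts #9 and #10 are discussing: which directories still accept new files after the chmod, and which files were recently dropped or changed. This is an added example, not part of the thread; the sample tree and its file names are constructed, and the 7-day window and the list of script extensions are assumptions.

```shell
#!/bin/sh
# Added example: post-defacement audit of a web root (not from the thread).

# Files modified within the last N days (default 7): dropped or altered files.
recent_files() {
    find "$1" -type f -mtime "-${2:-7}" -print | sort
}

# Directories with any write bit set: places where a new file can still be created.
# A 555 directory drops out of this list, but a process running as the
# owner (for example the web app itself) can chmod it back.
writable_dirs() {
    find "$1" -type d \( -perm -200 -o -perm -020 -o -perm -002 \) -print | sort
}

# Recently modified script files (extension list is an assumption).
recent_scripts() {
    recent_files "$1" "${2:-7}" | grep -E '\.(php|phtml|cgi|pl)$' || true
}

# Constructed sample tree standing in for a docroot (hypothetical names).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/users/alice" "$root/static"
    echo '<html></html>' > "$root/static/index.html"
    touch -t 202001010000 "$root/static/index.html"   # old, untouched page
    echo 'img' > "$root/users/alice/photo.jpg"        # recent, expected upload
    echo '<?php /* placeholder */ ?>' > "$root/users/alice/x.php"  # recent script
    chmod 555 "$root/static"                          # locked-down directory
    echo "$root"
}

audit() {
    echo "== writable directories =="; writable_dirs "$1"
    echo "== files changed in last ${2:-7} days =="; recent_files "$1" "${2:-7}"
    echo "== recent script files =="; recent_scripts "$1" "${2:-7}"
}

# Audit the path given on the command line, or the constructed sample tree.
if [ -n "${1:-}" ]; then audit "$1" "${2:-7}"
else tree=$(make_sample_tree); audit "$tree"; chmod -R u+w "$tree"; rm -rf "$tree"; fi
```

Run it with the docroot as the first argument and, optionally, the number of days to look back as the second.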


#11

#12

I think that you might want to use an open source system which is already robust against attacks, or hire someone who knows what they are doing.