If I only allow access to certain folders of my site to only my home IP address, is it possible to still access files in the folder using some kind of exploit? I mean, can a PHP script or some other language bypass the .htaccess rules? Appreciate your help.
The .htaccess is within the server configuration and is therefore read before any PHP scripts are executed. I would therefore be surprised if you could bypass it via a PHP script. I would consider those folders fairly secure in this instance. Saying that, there probably are many other ways to exploit a server and gain admin privileges, so nothing is 100% secure. Keep your server up to date to maintain a high level of security.
Someone can discover your home IP and put this IP in a program that simulates a connection with a fake IP.
If you have the user ID and the password to the web server itself, you can put another language-encoded file on the server. That could possibly bypass the protections set up and put in place by using methods like htaccess.
Hey there, let's say we have:

    /main_folder/
    /main_folder/protected/
    /main_folder/protected/imalsoprotected/

If someone can get a script on main_folder, then they can read the protected folders, even if htaccess is there, since the IP isn't coming into play.

Thanks
Francisco
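Both the point in the earlier reply (the rule is evaluated by the server from the connecting address, before PHP runs) and the point in this one (a script already on the box reads the files with no IP involved) can be shown in one added Python example; this is not code from the thread. The .htaccess fragment, the addresses and the directory layout are constructed, and the handling of Apache 2.4 `Require ip` arguments is a minimal model of what mod_authz_host does, not Apache's own code.

```python
import ipaddress
import tempfile
from pathlib import Path
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed .htaccess fragment (Apache 2.4 syntax, documentation addresses);
# the thread never shows the asker's real rules.
HTACCESS = """
# Only the home connection may reach this directory.
Require ip 203.0.113.45
Require ip 2001:db8:1::/48
"""


def parse_require_ip(htaccess_text: str) -> List[Net]:
    """Collect the arguments of every 'Require ip' line as networks.

    Apache accepts bare addresses, CIDR ranges and dotted prefixes such as
    '10.1'. Bare addresses and CIDR are handled here; a dotted prefix makes
    ip_network() raise, so a malformed rule is noticed instead of silently
    matching nothing. Apache honours these lines only where the main config
    grants 'AllowOverride AuthConfig' for the directory."""
    nets: List[Net] = []
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) >= 3 and [p.lower() for p in parts[:2]] == ["require", "ip"]:
            for arg in parts[2:]:
                nets.append(ipaddress.ip_network(arg, strict=False))
    return nets


def http_decision(peer_ip: str, htaccess_text: str = HTACCESS) -> int:
    """Status the directory answers with over HTTP, decided from the TCP
    peer address before any script inside the directory runs. Request
    headers such as X-Forwarded-For play no part (unless mod_remoteip has
    been configured to trust a proxy)."""
    addr = ipaddress.ip_address(peer_ip)
    return 200 if any(addr in net for net in parse_require_ip(htaccess_text)) else 403


def build_site(root: Path) -> Path:
    """Lay out main_folder/protected/ with the rule and a constructed secret."""
    protected = root / "main_folder" / "protected"
    protected.mkdir(parents=True)
    (protected / ".htaccess").write_text(HTACCESS)
    (protected / "secret.txt").write_text("constructed secret\n")
    return protected / "secret.txt"


def local_read(path: Path) -> str:
    """What any script running as the web server user sees: a plain file
    open. No .htaccess is consulted, because Apache's access control sits in
    the HTTP request path, not in the filesystem."""
    return path.read_text()


def relies_only_on_htaccess(path: Path, docroot: Path) -> bool:
    """Audit check: True when the file sits inside DocumentRoot, so its
    confidentiality rests on the per-request IP check alone. The fix is to
    keep such data outside DocumentRoot and limit which OS user can read it."""
    return docroot.resolve() in path.resolve().parents


def demo() -> dict:
    """Run the whole scenario in a throwaway directory and report results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        secret = build_site(root)
        return {
            "home_over_http": http_decision("203.0.113.45"),
            "stranger_over_http": http_decision("198.51.100.7"),
            "script_reading_locally": local_read(secret),
            "inside_docroot": relies_only_on_htaccess(secret, root / "main_folder"),
            "moved_outside": relies_only_on_htaccess(root / "private" / "secret.txt",
                                                     root / "main_folder"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two halves of `demo()` are the two posts side by side: the stranger's request gets 403 from the rule, while `local_read` returns the secret without ever touching the rule, and `relies_only_on_htaccess` is the check to run on a real tree before trusting an IP allow-list as the only control.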
Not Possible

The IP comes from the TCP/IP packet. You can spoof other fields in the packet, but if you spoof the IP, the response gets sent to the spoofed IP! So if I sent a connection that says I am at your IP, the web server will address the response to your computer. What IS possible at that point is to packet sniff the response (which the spoofed IP will just ignore) and parse the message from the packets. If you're concerned with that level of adversary then you need to get off of Apache anyhow, lol.

Also, as mentioned above, if people have the opportunity to SQL inject or upload code to other sections of your website, they can access the file system and htaccess is useless. At that point, it doesn't even matter whether your files are within the web server accessible areas or not, depending on your local file/folder/web server user account permissions.
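The handshake argument in this reply, modelled as an added example that is not code from the thread: a small Python simulation of the TCP three-way handshake with an off-path sender. The addresses are documentation ranges and the Network and Server classes are constructed for illustration; the one real property the model relies on is that the SYN-ACK, and with it the server's random initial sequence number, is delivered to the true owner of the claimed source address, which is why a request with a forged source never gets as far as the .htaccess check.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Segment:
    src: str      # source address written into the header: the sender's claim
    dst: str
    flags: str    # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Network:
    """Delivers each segment to the host that really owns the destination
    address. The claimed source address is never consulted for delivery."""

    def __init__(self) -> None:
        self.inboxes: Dict[str, List[Segment]] = {}

    def attach(self, ip: str) -> List[Segment]:
        return self.inboxes.setdefault(ip, [])

    def send(self, seg: Segment) -> None:
        self.inboxes.setdefault(seg.dst, []).append(seg)


class Server:
    """Listening side. A SYN is answered with a SYN-ACK carrying a fresh
    random initial sequence number (ISN); the connection is accepted only
    when the closing ACK acknowledges exactly ISN + 1."""

    def __init__(self, ip: str, net: Network) -> None:
        self.ip, self.net = ip, net
        self.pending: Dict[str, int] = {}
        self.established: Set[str] = set()

    def receive(self, seg: Segment) -> None:
        if seg.flags == "SYN":
            isn = secrets.randbelow(2 ** 32)
            self.pending[seg.src] = isn
            self.net.send(Segment(self.ip, seg.src, "SYN-ACK", isn, seg.seq + 1))
        elif seg.flags == "ACK" and seg.ack == self.pending.get(seg.src, -2) + 1:
            self.established.add(seg.src)


def honest_handshake(net: Network, server: Server, client_ip: str) -> bool:
    """Client at its own address: the SYN-ACK lands in its inbox, so it can
    echo the server's ISN and the connection is established."""
    inbox = net.attach(client_ip)
    server.receive(Segment(client_ip, server.ip, "SYN", seq=1000))
    synack = inbox.pop()
    server.receive(Segment(client_ip, server.ip, "ACK", seq=1001, ack=synack.seq + 1))
    return client_ip in server.established


def spoofed_handshake(net: Network, server: Server,
                      attacker_ip: str, home_ip: str) -> Tuple[bool, int, int]:
    """Off-path sender writes home_ip as the source. Returns whether the
    server accepted the connection, and how many segments reached the home
    host and the attacker respectively."""
    attacker_inbox = net.attach(attacker_ip)
    home_inbox = net.attach(home_ip)
    server.receive(Segment(home_ip, server.ip, "SYN", seq=1000))
    # The SYN-ACK went to the real owner of home_ip. The sender never sees the
    # ISN and can only guess; 0 below is a blind guess that never matches
    # (ISN + 1 is at least 1). A real host at home_ip, seeing a SYN-ACK for a
    # connection it never opened, answers RST and the half-open state is dropped.
    server.receive(Segment(home_ip, server.ip, "ACK", seq=1001, ack=0))
    return home_ip in server.established, len(home_inbox), len(attacker_inbox)


if __name__ == "__main__":
    net = Network()
    srv = Server("192.0.2.10", net)
    print(honest_handshake(net, srv, "203.0.113.45"))                      # True
    net2 = Network()
    srv2 = Server("192.0.2.10", net2)
    print(spoofed_handshake(net2, srv2, "198.51.100.7", "203.0.113.45"))   # (False, 1, 0)
```

The model assumes the sender is off-path; an observer who can read the SYN-ACK on the wire is the sniffing case the reply goes on to mention, and that is a different threat from a forged source address alone.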