Blocking direct access to your PHP scripts in Joomla







by Michael Aulia on 14 June, 2008

in Blogging



I was scratching my head for a few days, trying to protect my standalone PHP scripts from being accessed directly via the URL in a Joomla CMS system.

Googling here and there always referred me to the same htaccess code, which didn’t work in my case for some reason. So if you came here from a search engine, you may want to try a slight modification to the htaccess code that you have seen over and over again.

Let’s say:

  • Your website domain is http://www.YOURDOMAIN.COM (and it’s in Joomla – I was using Joomla 1.5)
  • You have some individual PHP scripts under a folder called myscripts/
  • You are using the Joomla wrapper and wrap your PHP scripts nicely through the admin interface and only registered members can access the scripts.
  • However, if you type http://www.YOURDOMAIN.COM/myscripts/myPHPscript.php in the browser, you find that anyone can execute the script without registering or logging in to your Joomla system!

So the easy solution is to put a .htaccess file inside your myscripts folder to block direct access to the folder or the scripts.

Your htaccess file should contain:

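RewriteEngine On

# Blocking direct access: forbid requests for the myscripts folder whose
# Referer is not a page on this site (consecutive RewriteCond lines are ANDed).
# Dots in the domain are escaped (\.) so they match a literal dot.
RewriteCond %{HTTP_REFERER} !^http://www\.YOURDOMAIN\.COM/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://YOURDOMAIN\.COM/.*$ [NC]
RewriteCond %{REQUEST_URI} myscripts [NC]
# "-" (a plain hyphen) means no substitution; [F] returns 403 Forbidden
RewriteRule .* - [F]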

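This blocks any request whose URL contains myscripts unless its Referer header shows that it came from a page on your own domain. It works because Joomla’s wrapper page doesn’t expose the directory name in its own URL; it uses the wrapper title that you specified in the administration, and the wrapped script is then requested with your Joomla page as the referrer. So as long as you don’t give the wrapper the same name as the script folder, this will work. Keep in mind that the Referer header is supplied by the browser, so this stops casual direct access but is not a substitute for a login check inside the scripts themselves.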
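To see which requests the rule set lets through before uploading it, here is a small Python model of the three conditions. It is an added example, not code from the original post; the sample requests and the wrapper page address members-tools are constructed for illustration.

```python
import re

# The RewriteCond patterns from the post, with its placeholder domain and folder.
# [NC] becomes re.IGNORECASE; dots are escaped so they match a literal ".".
REFERER_WWW = re.compile(r"^http://www\.YOURDOMAIN\.COM/.*$", re.IGNORECASE)
REFERER_BARE = re.compile(r"^http://YOURDOMAIN\.COM/.*$", re.IGNORECASE)
URI_FOLDER = re.compile(r"myscripts", re.IGNORECASE)


def decide(request_uri, referer=""):
    """Return the status the rule set yields: 403 if RewriteRule fires, else 200.

    Consecutive RewriteCond lines are ANDed and a leading "!" negates the match.
    A request without a Referer header is tested against the empty string.
    """
    not_from_www = REFERER_WWW.search(referer) is None
    not_from_bare = REFERER_BARE.search(referer) is None
    in_folder = URI_FOLDER.search(request_uri) is not None
    return 403 if (not_from_www and not_from_bare and in_folder) else 200


# Constructed sample requests: (label, request URI, Referer header).
SCRIPT = "/myscripts/myPHPscript.php"
CASES = [
    ("iframe on a wrapper page", SCRIPT, "http://www.YOURDOMAIN.COM/members-tools"),
    ("wrapper page, lower-case host", SCRIPT, "http://yourdomain.com/members-tools"),
    ("typed into the address bar", SCRIPT, ""),
    ("linked from another site", SCRIPT, "http://other.example/links.html"),
    ("wrapper page served over HTTPS", SCRIPT, "https://www.YOURDOMAIN.COM/members-tools"),
]


def run_cases():
    """Map each label to the status code the rules produce for it."""
    return {label: decide(uri, referer) for label, uri, referer in CASES}


if __name__ == "__main__":
    for label, status in run_cases().items():
        print(f"{status}  {label}")
```

The last case returns 403: if your site is served over https://, the two Referer patterns must start with ^https?:// or the wrapped scripts are blocked as well.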

Instructions:

  1. Replace YOURDOMAIN.COM with your real site’s URL.
  2. Replace myscripts with your own folder name.
  3. Upload the htaccess file to the folder that you want to protect.
  4. Test that going to the script using the Joomla wrapper’s URL works.
  5. Test that typing the PHP script’s URL straight into your browser gives you the Forbidden error message.

Hope this helps.

Guy Vestal 15 June, 2008 at 3:18 am

I am not a Joomla user, but it is nice to see folks on top of security no matter the script or program. Great tip! Keep up the fight.

Dugg & Stumbled.


Nihar 16 June, 2008 at 7:22 pm

Michael,

I have seen Joomla in my hosting service’s Fantastico section, but never checked what it is. Let me check it…


Michael Aulia 16 June, 2008 at 11:13 pm

@Guy: Thanks for the Digg & Stumble!

@Nihar: It’s an open source CMS (Content Management System). So it’s something like WordPress but bigger (not just for blogging, but for a full-blown site complete with membership registrations, articles, forums, gallery, and everything that you can think of :) )
