
Last change on this file since 1366 was 1366, checked in by gogo, 18 months ago

Move ExtendedFileManager and ImageManager into unsupported_plugins to deprecate them.

Add a .htaccess file which denies access to some of the unsupported_plugins that may have security vulnerabilities (e.g. ImageManager and ExtendedFileManager).

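<IfModule mod_setenvif.c>

  ErrorDocument 403 "This request has been denied because the plugin is potentially vulnerable and your IP is not approved. Developers can add approved IP addresses to the [...]/xinha/unsupported_plugins/.htaccess file"

  # Some unsupported plugins are potentially more dangerous to have
  #  open-to-the-world than others due to the potential for unknown or
  #  crept-in-through-php-updates type vulnerabilities.
  #
  # Policy implemented by this file:
  #  * a plugin directory explicitly marked not_a_security_threat (see the
  #    Plugin List below) is served to everybody;
  #  * everything else under unsupported_plugins -- including any plugin
  #    directory added later and not marked -- is served only to the
  #    approved IP addresses set below.
  #
  # PREREQUISITES: this file is only honoured if AllowOverride for this
  #  directory includes FileInfo (SetEnvIf, ErrorDocument), Limit
  #  (Order/Allow/Deny) and, on Apache >= 2.3, AuthConfig (Require).  With
  #  AllowOverride None the file is ignored and every plugin is exposed.
  #  Verify once after deployment: a request for a plugin that is not
  #  marked below, sent from a non-approved address, must return 403.

  # Approved IP addresses
  ########################################################################
  # Remote_Addr is the address of the TCP peer.  If Apache sits behind a
  #  reverse proxy or load balancer, the peer is the proxy; if that proxy
  #  runs on this host, every request appears to come from the loopback
  #  address and the rule below approves the whole world.  In that setup
  #  either remove the loopback rule or configure mod_remoteip
  #  (Apache >= 2.4) so that Remote_Addr reflects the real client.
  #
  # Localhost only by default; I figure if you are running locally there
  #  isn't much more bad can happen than already is.  Both the IPv4 and
  #  the IPv6 loopback address are listed, as "localhost" may resolve to
  #  either.  Patterns are anchored so they cannot match as a substring
  #  of a longer address.
  ########################################################################
  SetEnvIf Remote_Addr "^127\.0\.0\.1$" approved_ip
  SetEnvIf Remote_Addr "^::1$"          approved_ip

  # The following ranges are the Private IPv4 Space.
  # If you are allowing only your local network to access this, just
  #  uncomment the appropriate one(s).
  ########################################################################
  # SetEnvIf Remote_Addr "^192\.168\.[0-9]+\.[0-9]+$"    approved_ip
  # SetEnvIf Remote_Addr "^10\.[0-9]+\.[0-9]+\.[0-9]+$"  approved_ip
  # SetEnvIf Remote_Addr "^172\.1[6-9]\.[0-9]+\.[0-9]+$" approved_ip
  # SetEnvIf Remote_Addr "^172\.2[0-9]\.[0-9]+\.[0-9]+$" approved_ip
  # SetEnvIf Remote_Addr "^172\.3[0-1]\.[0-9]+\.[0-9]+$" approved_ip
  ########################################################################

  # Add additional SetEnvIf lines to approve further IP addresses.  Note
  #  that the address is a regular expression: escape the dots and keep
  #  the ^ and $ anchors, otherwise 1.2.3.4 would also approve 1.2.3.40.
  ########################################################################
  # SetEnvIf Remote_Addr "^111\.111\.111\.111$"          approved_ip
  # SetEnvIf Remote_Addr "^123\.123\.123\.123$"          approved_ip
  #########################################################################

  # Plugin List
  #########################################################################
  # Only the plugins marked not_a_security_threat here are open to the
  #  world.  Anything not marked is regarded as a potential threat and is
  #  limited to the approved IP addresses.  The pattern includes the
  #  unsupported_plugins path component so that a same-named directory
  #  nested inside a restricted plugin cannot satisfy the rule; if this
  #  directory is ever renamed the patterns stop matching and every plugin
  #  falls back to approved-IP-only access (fail closed).  Matching is
  #  case-sensitive; on a case-insensitive filesystem a differently-cased
  #  request simply falls through to the restricted default.

  SetEnvIf Request_URI "/unsupported_plugins/BackgroundImage/" not_a_security_threat
  SetEnvIf Request_URI "/unsupported_plugins/DoubleClick/"     not_a_security_threat
  SetEnvIf Request_URI "/unsupported_plugins/Filter/"          not_a_security_threat
  SetEnvIf Request_URI "/unsupported_plugins/InsertMarquee/"   not_a_security_threat
  SetEnvIf Request_URI "/unsupported_plugins/NoteServer/"      not_a_security_threat
  SetEnvIf Request_URI "/unsupported_plugins/Template/"        not_a_security_threat

  # Restricted plugins (deliberately NOT marked above, so approved IPs
  #  only).  Listed here so that nobody marks them by accident:
  #   ClientsideSpellcheck, ExtendedFileManager, HtmlTidy, ImageManager,
  #   InsertPicture, SpellChecker,
  #   PersistentStorage (PSFixed, PSLocal, PSServer)

  # And this is where we deny things; the policy is stated in every
  #  dialect Apache may be using so that it holds in the typical setups.

  # Apache < 2.3
  <IfModule !mod_authz_core.c>
    # Order Deny,Allow: the Deny directives are evaluated first, then the
    #  Allow directives, and an Allow match overrides a Deny match.  So
    #  "Deny from all" makes restricted-to-approved-IPs the default and
    #  the two Allow lines are the only ways in.
    Order Deny,Allow
    Deny from all
    Allow from env=not_a_security_threat
    Allow from env=approved_ip
  </IfModule>

  # Apache >= 2.3
  <IfModule mod_authz_core.c>

    # The compatibility module, when loaded, still honours old-style rules
    #  (a vhost may carry some too), so the same policy is repeated in the
    #  old dialect; with the default "Satisfy All" this old-style check
    #  and the Require directives below must both grant access, and they
    #  agree with each other.
    <IfModule mod_access_compat.c>
      Order Deny,Allow
      Deny from all
      Allow from env=not_a_security_threat
      Allow from env=approved_ip
    </IfModule>

    # Native Apache >= 2.3 authorization: access is granted only when one
    #  of the two environment variables was set above, otherwise the
    #  request is denied (an unset variable never satisfies "Require env").
    <RequireAny>
      Require env not_a_security_threat
      Require env approved_ip
    </RequireAny>
  </IfModule>

</IfModule>

<IfModule !mod_setenvif.c>
  # Without mod_setenvif none of the variables above can be set and the
  #  whole block above is skipped; fail closed rather than exposing every
  #  unsupported plugin to the world.
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</IfModule>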