XFileSharing Pro - After xtra file server install I think I may have a problem

Joseph
Posts: 16
Joined: Jan 26, 2007 4:35 am

After xtra file server install I think I may have a problem

#1 Postby Joseph » Oct 29, 2008 3:35 am

I followed the instructions *** Extra File-Server Installation ***
Steps 1-3 were completed successfully.

Then I run into a problem when I follow the following steps...

INFO: After installation try to open env.php which is in FileServer files folder in browser - it should show you error or source code.
If you see full path, then check that you've moved .htaccess to FileServer htdocs folder.


So I follow the instructions and type in my file server URL: http://fileserver.com/files/env.php and hit Enter.
The browser asks me if I want to Open or Save the file.

Isn't this some sort of error? There is an .htaccess in the "files" and "tmp" folders.

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#2 Postby PilgrimX182 » Oct 29, 2008 7:22 am

So, go save it and see what's inside. If it's the env.php source then it's all fine. If it contains your server paths then you have a possible PHP injection vulnerability and need to disable PHP execution in the /files folder.

Joseph
Posts: 16
Joined: Jan 26, 2007 4:35 am

#3 Postby Joseph » Oct 29, 2008 1:07 pm

When I choose the Save option and open the file it displays my path.
When I choose the Open option it displays my path within my browser.
Here is the path it displays:
/home/username/domains/fileserver.com/public_html/files/env.php

How do I disable PHP execution in the /files folder?

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#4 Postby PilgrimX182 » Oct 29, 2008 2:17 pm

Directives in .htaccess should do this actually.
Try these in apache config for /files/ folder:

Code:

<IfModule sapi_apache2.c>
	php_flag engine off
</IfModule>
<IfModule mod_php4.c>
	php_flag engine off
</IfModule>
<IfModule mod_php5.c>
	php_flag engine off
</IfModule>

But if you disable .php,.htm,.html files in XFS Site Settings then I think you will be pretty safe.

Joseph
Posts: 16
Joined: Jan 26, 2007 4:35 am

#5 Postby Joseph » Oct 29, 2008 4:17 pm

PilgrimX182 wrote:
Directives in .htaccess should do this actually.
Try these in apache config for /files/ folder:

Code:

<IfModule sapi_apache2.c>
	php_flag engine off
</IfModule>
<IfModule mod_php4.c>
	php_flag engine off
</IfModule>
<IfModule mod_php5.c>
	php_flag engine off
</IfModule>

But if you disable .php,.htm,.html files in XFS Site Settings then I think you will be pretty safe.

Oh, okay I see now. I could apply the code to the apache config. BUT if I already disable .php,.htm,.html files in XFS Site Settings the extra code is not necessary then?

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#6 Postby PilgrimX182 » Oct 30, 2008 6:37 am

Not necessary, since we won't allow executable files there. Also restrict pl,cgi,py,sh extensions.
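
Added example (not part of the thread and not XFileSharing code): a small Python check that interprets the env.php test from posts #2 and #3 by the response body rather than by the browser's download prompt, and flags stored file names against the extensions named in posts #4 and #6. The function names, result labels, sample responses and the assumption that an executed env.php prints its absolute path are constructed for illustration; checking every extension segment goes slightly beyond the thread.

```python
import re

# Extensions the thread says to block in XFS Site Settings (posts #4 and #6).
BLOCKED_EXTS = {"php", "htm", "html", "pl", "cgi", "py", "sh"}

# Assumption: an executed env.php prints its absolute filesystem path,
# as in post #3; the raw source instead contains a PHP opening tag.
# The lookbehind keeps the path part of a URL from matching.
ABS_PATH = re.compile(r"(?<![\w./])/(?:[\w.-]+/)+env\.php\b")


def classify_env_response(status, body):
    """Interpret the env.php test: the body decides, not the download prompt."""
    if status >= 400:
        return "ok-error"        # server refused to serve the file
    if "<?" in body:
        return "ok-source"       # PHP engine is off, source came back
    if ABS_PATH.search(body):
        return "php-executed"    # engine is still on in the upload folder
    return "inconclusive"


def risky_names(filenames):
    """Return names where any extension segment is on the blocked list.

    Every dot-separated segment after the first is checked, case-insensitively,
    because Apache's mod_mime can pick a handler from any of a file's extensions.
    """
    flagged = []
    for name in filenames:
        segments = name.lower().split(".")[1:]
        if any(seg in BLOCKED_EXTS for seg in segments):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample responses and file names.
    samples = [
        (200, "/home/username/domains/fileserver.com/public_html/files/env.php"),
        (200, "<?php echo __FILE__; ?>"),
        (403, "Forbidden"),
    ]
    for status, body in samples:
        print(status, classify_env_response(status, body))
    print(risky_names(["report.pdf", "photo.PHP", "notes.php.txt", "archive.tar.gz"]))
```
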