Jump to content

Close .tpl access with .htaccess


Recommended Posts

The index.php in the template directory only protects you if someone enters the root of a particular directory. However if they know the exact file name they are looking for, it is very possible that the contents of the file will be output into the browser. Particularly for Smarty .tpl files.

 

I only thought about this because I saw that someone had found my website using the phrase "Powered by WHMCS" coupled with the fact that it seems that many are using the Smarty {php} tag (not recommended by Smarty authors btw) which could include sensitive information.

 

Anyway the fix is simple, here is the quick way if you are using an apache server with .htaccess enabled.

 

Put this into your .htaccess file in the web root of your site.

<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>

Link to comment
Share on other sites

You can also control this to a point in your robots.txt if the search engine bot uses robot rules.

 

robots.txt

-------------------------------

User-agent: *

Disallow: /*.tpl$

-------------------------------

 

without the --------- lines

 

The index.php in the template directory only protects you if someone enters the root of a particular directory. However if they know the exact file name they are looking for, it is very possible that the contents of the file will be output into the browser. Particularly for Smarty .tpl files.

 

I only thought about this because I saw that someone had found my website using the phrase "Powered by WHMCS" coupled with the fact that it seems that many are using the Smarty {php} tag (not recommended by Smarty authors btw) which could include sensitive information.

 

Anyway the fix is simple, here is the quick way if you are using an apache server with .htaccess enabled.

 

Put this into your .htaccess file in the web root of your site.

<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>

Link to comment
Share on other sites

It's not a matter of helping more or not. Simply perform the test that I illustrated a couple messages above and see if you can browse your way to one of your site's templates. If you can see the template code as text then you need to close this hole. If you cannot see the template code then you are as helped as possible.

 

http://yourdomain.com/whmcs/templates/default/banned.tpl

 

 

PS. The only IIS users that would be affected is 5 and below. In IIS 6 and higher they blocked access to most filetypes by default and you would only need to worry about this if something you changed on the IIS server allowed you to browse to the URL example I provided above.

Link to comment
Share on other sites

You can also control this to a point in your robots.txt if the search engine bot uses robot rules.

 

The rule in .htaccess will block access from browsers or bots. Not all search bots follow the rules you place in robots.txt either ;)

 

Personally I'm somewhat hesitant to place rules in robot.txt for files that I am trying to obscure. Anyone can read this robots.txt file and gain insight into what you are trying to protect, although security via obscurity really is a bad policy to begin with.

Link to comment
Share on other sites

Yes it does. I think it would be a more complicated rule to make it only apply to http vs https.

 

It does not appear to be.

If I use http, it blocks it but if I am over my https, the contents of the .tpl files are being displayed.

Link to comment
Share on other sites

  • 2 weeks later...

Have you entered it ino the .htaccess file in the root directory, or one in the folder where the tpl files are?

 

You can have a .htaccess file in every directory, and it is a good way to have different rules throughout your site... (without having a mega complext top level one anyway).

 

Try placing a .htaccess file into your template directory with the following in it...

 

<Files "*.tpl">
Order Allow,Deny
Deny from All
</Files>

 

This should prevent the issue with https:// still allowing access to them

 

Additionally, you should ensure that you still have a blank index file in every directory, unless of course there is one that actually is needed to display stuff.

 

This will prevent people seeing the actual list of files within the directory. I know it's a basic website requirement, but some people can miss it!!

Edited by ChrisGooding
Link to comment
Share on other sites

Additionally, you should ensure that you still have a blank index file in every directory, unless of course there is one that actually is needed to display stuff.

This will prevent people seeing the actual list of files within the directory. I know it's a basic website requirement, but some people can miss it!!

 

You can also shut of indexing by default on the entire server, something we do for all of ours. If someone wants to display an index, we allow overrides.

Link to comment
Share on other sites

Very true....

 

Swings and roundabouts really, boils down to prefference.... mine is blank index files.

 

Well, I say blank, I did go through a phase of having my directories have a 'You shouldn't be in here' type of file, with an advert on.....

 

But I got bored of it, lol. :)

Link to comment
Share on other sites

This is also configurable from the .htaccess file using the options -indexes line

 

Here is the top of my .htaccess file located at the webroot of my site:

 

RewriteEngine On
Options -Indexes

<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>

Link to comment
Share on other sites

Since we're building on this, if you have more than one file type to deny, use this:

<Files ~ "\.(tpl|bak|old)$">

Order allow,deny

Deny from all

</Files>

Many folks working in shell will rename a file "bak" or "old" to move it out of the way and preserve the pre-change version. If you don't deny tpl, for instance, and rename one as "xx.tpl.bak"...Apache will serve it as text, usually, just as if you hadn't blocked direct access. ;)

 

Oh, and earlier in this thread someone gave "*.tpl". Don't use that, as it won't work properly. "." has special meaning "one character"...you need to escape it with the slash to have it work. Chances are pretty good that "*.tpl" will cause a 500 error.

Link to comment
Share on other sites

Just wanted to mention that best practice in programming is to not have duplicate code when you can keep it in a central location.

 

Editing one .htaccess file beats out having to edit multiple .tpl files.

 

Bear's suggestion of having the rule affect multiple file types makes this even more powerful.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated