.htaccess configuration (limit get, allow, deny) and <Limit GET HEAD POST>

  1. #1
    Junior Member
    Join Date
    Jul 2009
    Posts
    3

    .htaccess configuration (limit get, allow, deny) and <Limit GET HEAD POST>

    Part of my default .htaccess contains the following lines:
    IndexIgnore .htaccess */.?* *~ *# */HEADER* */README* */_vti*

    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>

    What do they do? Why have "deny from all" and "allow from all" in the same script?

    ----

    What is the difference between <Limit GET POST> and <Limit GET HEAD POST>?

    ----

    There are some conflicts with the lines below.
    When I add them, my site goes down.
    Could you help me?
    Thanks.

    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>

    <Limit GET HEAD POST>
    order allow,deny
    deny from 116.193.8.0/21
    deny from 125.31.0.0/18
    deny from 161.64.0.0/16
    deny from 192.203.232.0/24
    deny from 202.75.248.0/22
    deny from 202.86.128.0/18
    deny from 202.171.252.0/22
    deny from 202.172.0.0/22
    deny from 202.173.0.0/22
    deny from 202.174.0.0/22
    deny from 202.175.0.0/22
    deny from 202.175.4.0/22
    deny from 202.175.8.0/21
    deny from 202.175.16.0/20
    deny from 202.175.32.0/19
    deny from 202.175.64.0/19
    deny from 202.175.96.0/19
    deny from 202.175.160.0/19
    allow from all
    </LIMIT>


  2. #2
    Pna lbh ernq guvf¿
    Join Date
    Jul 2004
    Location
    Kansas City area
    Posts
    19,420
    Quote Originally Posted by strawberry
    What do they do?
    <LIMIT> allows you to limit access to certain HTTP "verbs" or methods. IndexIgnore is part of the mod_autoindex module that handles displaying pretty HTML indexes when no index file is found; it instructs the webserver which files it should not show in these listings... presumably because they either a) have no value for the end user, or b) are private in nature and don't need to be shown to the world.

    For more information on either of them (or other Apache directives used in .htaccess or httpd.conf), visit the manual links I provided or search the Apache documentation.

    Quote Originally Posted by strawberry
    Why having "deny from all" and "allow from all" in the same script?
    No idea; not only does it not make sense, it's probably not doing anything you intended it to. As such, you should get rid of it.

    Quote Originally Posted by strawberry
    What is the difference between <Limit GET POST> and <Limit GET HEAD POST>?
    The former of the two places the ensuing limitations on the GET and POST verbs/methods, while the latter of the two also includes HEAD as well.

  3. #3
    Junior Member
    Join Date
    Jul 2009
    Posts
    3

    Thank you.

    Why can <Limit GET POST> and <Limit GET HEAD POST> not coexist?

    If my .htaccess includes <Limit GET POST> and <Limit GET HEAD POST>, then I can't connect to my site.

  4. #4
    Pna lbh ernq guvf¿
    Join Date
    Jul 2004
    Location
    Kansas City area
    Posts
    19,420
    Quote Originally Posted by strawberry
    Why can <Limit GET POST> and <Limit GET HEAD POST> not coexist?
    No one said they couldn't.

    Quote Originally Posted by strawberry
    If my .htaccess includes <Limit GET POST> and <Limit GET HEAD POST>, then I can't connect to my site.
    The presence of both of those tags has nothing to do with whether you can access the site - it's what's inside those tags that makes the difference.

    I believe what is happening is that the "order" statement in the last <Limit GET HEAD POST> tag is overriding the order of the first tag. Since the first LIMIT tag includes "deny from all", it's probably processed last (which means it's denying access from everyone).

    Again, however, the first <LIMIT GET POST> tag is pointless (other than to cause errors like what you're seeing now).

  5. #5
    Junior Member
    Join Date
    Jul 2009
    Posts
    3
    I see.

    It's really helpful to me, thanks for teaching me.

  6. #6
    Junior Member
    Join Date
    Aug 2012
    Posts
    5

    Limit Directive

    Please be advised that use of the Limit directive can be bypassed when using PHP. Refer to this blog post for more details on the vulnerability and how to protect yourself: http://blog.ncircle.com/t5/VERT-Secu...-Tag/ba-p/4942

  7. #7
    Pna lbh ernq guvf¿
    Join Date
    Jul 2004
    Location
    Kansas City area
    Posts
    19,420
    Quote Originally Posted by KernelJay View Post
    Please be advised that use of the Limit directive can be bypassed when using PHP.
    Not (completely) true, depending upon which verbs are included in the tag.

  8. #8
    Junior Member
    Join Date
    Aug 2012
    Posts
    5

    Quote Originally Posted by bradgrafelman View Post
    Not (completely) true, depending upon which verbs are included in the tag.
    Interesting... Could you elaborate on what verbs you would include in the tag?

    From my testing, I was able to bypass any restrictions specified in any limit directive I could think of. Even if the directive specifies all of the verbs indicated in the HTTP RFC, an attacker can make up a new verb. In this case, Apache doesn't understand the verb and passes it into PHP for processing (if the requested filename leads to a PHP handler). This is of course discussed at further length in the aforementioned blog post: http://blog.ncircle.com/t5/VERT-Secu...-Tag/ba-p/4942
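As an added example (not code from the thread or from Apache), a small Python model of how Apache 2.2's mod_authz_host merges the <Limit> sections from post #1 and evaluates one request: it reproduces post #4's diagnosis that the two GET blocks together deny everyone, and post #8's point that a method named in no <Limit> section is simply left unrestricted by these host rules, which is why a whitelist of allowed methods belongs in <LimitExcept> rather than <Limit>. Assumptions: the merge rule (the last Order for a method wins; allow/deny lists from every matching section are concatenated) is modeled after Apache 2.2 behaviour, the deny list is abbreviated to two of the thread's ranges, and the client addresses are constructed.

```python
import ipaddress
import re
# Constructed .htaccess fragment from the thread (deny list abbreviated).
HTACCESS = """
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit GET HEAD POST>
order allow,deny
deny from 116.193.8.0/21
deny from 202.175.0.0/22
allow from all
</LIMIT>
"""
FIXED = HTACCESS.split("</Limit>", 1)[1]  # first (pointless) block removed

def parse_limits(text):
    """Return (methods, order, allows, denies) for each <Limit> block."""
    blocks = []
    for m in re.finditer(r"<Limit\s+([^>]+)>(.*?)</Limit>", text, re.I | re.S):
        methods = set(m.group(1).upper().split())
        order, allows, denies = None, [], []
        for line in m.group(2).splitlines():
            kw, _, arg = line.strip().lower().partition(" ")
            if kw == "order":
                order = arg.replace(" ", "")
            elif kw in ("allow", "deny"):  # "allow from X" / "deny from X"
                (allows if kw == "allow" else denies).append(arg.split()[-1])
        blocks.append((methods, order, allows, denies))
    return blocks

def matches(host, ip):
    return host == "all" or ip in ipaddress.ip_network(host, strict=False)

def decide(blocks, method, client_ip):
    """Apache 2.2 model (assumption): last Order per method wins, lists concatenate."""
    ip = ipaddress.ip_address(client_ip)
    order, allows, denies = None, [], []
    for methods, o, a, d in blocks:
        if method.upper() in methods:
            order, allows, denies = o or order, allows + a, denies + d
    if order is None:
        return "allow"  # method named in no <Limit>: host rules never apply
    hit_allow = any(matches(h, ip) for h in allows)
    hit_deny = any(matches(h, ip) for h in denies)
    if order == "allow,deny":
        return "allow" if hit_allow and not hit_deny else "deny"
    return "deny" if hit_deny and not hit_allow else "allow"
```

Running decide() over HTACCESS versus FIXED shows a GET from an unlisted address denied by the combined file but allowed once the first block is removed, while an unknown method such as FOO is allowed in both.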

  9. #9
    Pna lbh ernq guvf¿
    Join Date
    Jul 2004
    Location
    Kansas City area
    Posts
    19,420
    Quote Originally Posted by KernelJay View Post
    In this case, Apache doesn't understand the verb and passes it into PHP for processing
    I guess I didn't realize this was true, but in hindsight I guess I could justify why this might happen.

    The real source of my ignorance on the issue, however, is the fact that I've never had the need or desire (or even considered) to use <Limit> in such a fashion. Sounds like there are good reasons why I should never change that fact, too.
