Which phpbb file requires .php execution

END OF SUPPORT: 1 January 2017 (announcement)
Locked

Post by postcd » Wed Sep 30, 2015 4:33 pm

Hello,

In order to secure my site I wanted to disallow execution of all .php files except index.php,

so I added this to .htaccess:
<FilesMatch "\.(php|php4|php5)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch "index\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
But it appears that something stopped working: I could not see the template (subsilver) background images, just a white background. The logo image and forum icons were visible (I did not try to clear the cache).

Please which PHPBB file requires .php execution so i can try to tweak my htaccess rule?

thank you

UPDATE:

This can be a partial solution: adding this to .htaccess

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteCond %{REQUEST_URI} !index.php
RewriteCond %{REQUEST_URI} !feedback.php
RewriteCond %{REQUEST_URI} !faq.php
RewriteCond %{REQUEST_URI} !search.php
RewriteCond %{REQUEST_URI} !memberlist.php
RewriteCond %{REQUEST_URI} !toplist.php
RewriteCond %{REQUEST_URI} !thankslist.php
RewriteCond %{REQUEST_URI} !ucp.php
RewriteCond %{REQUEST_URI} !mchat.php
RewriteCond %{REQUEST_URI} !rss.php
RewriteCond %{REQUEST_URI} !sitemap.php
RewriteRule \.php$ / [F,L]

It will not allow executing any URL which ends with .php. Tested.
Last edited by postcd on Thu Oct 08, 2015 8:33 pm, edited 3 times in total.
I have Health Forum and also webmaster Hosting Forum. Interested in making money? Try money maker forum.
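
Added example, not part of the original posts: a small Python model of the rewrite conditions from the UPDATE above, for checking which request lines that rule set answers with 403. It assumes the .htaccess sits in the web root with the board installed there; the sample paths and the anchored variant are constructed for illustration.

```python
import re

# First RewriteCond, copied from the post (tested against the full request line).
THE_REQUEST_COND = re.compile(r"^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )")
ALLOWED = ["index.php", "feedback.php", "faq.php", "search.php", "memberlist.php",
           "toplist.php", "thankslist.php", "ucp.php", "mchat.php", "rss.php",
           "sitemap.php"]
# As posted: unanchored, '.' unescaped, each negated with '!'.
POSTED_CONDS = [re.compile(name) for name in ALLOWED]
# Assumed stricter variant (not from the thread): exact names in the web root only.
ANCHORED = re.compile(r"^/(?:%s)$" % "|".join(re.escape(n) for n in ALLOWED))
RULE = re.compile(r"\.php$")  # the RewriteRule pattern


def split_target(request_line):
    """Return (path, query) from a line such as 'GET /a.php?x=1 HTTP/1.1'."""
    target = request_line.split(" ")[1]
    path, _, query = target.partition("?")
    return path, query


def posted_rule_blocks(request_line):
    """True if the posted RewriteCond/RewriteRule set would answer 403."""
    path, _ = split_target(request_line)
    if not RULE.search(path.lstrip("/")):          # rule pattern is checked first
        return False
    if not THE_REQUEST_COND.search(request_line):  # then the THE_REQUEST condition
        return False
    return not any(c.search(path) for c in POSTED_CONDS)  # the '!name.php' conditions


def anchored_rule_blocks(request_line):
    """Variant: look at the path only and allow exact root-level names only."""
    path, _ = split_target(request_line)
    return bool(RULE.search(path)) and not ANCHORED.search(path)


# Constructed sample requests; the viewtopic.php query string is quoted in the thread.
SAMPLES = [
    "GET /index.php HTTP/1.1",
    "GET /viewtopic.php HTTP/1.1",
    "GET /viewtopic.php?f=46&t=2337991 HTTP/1.1",
    "GET /files/notindex.php HTTP/1.1",
    "GET /styles/theme.css HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line:46} posted={posted_rule_blocks(line)!s:5} "
              f"anchored={anchored_rule_blocks(line)}")
```

The posted conditions only fire when the request target itself ends in .php, so the same script requested with a query string is not covered, and the unanchored name checks match anywhere in the path. The anchored variant is consistent, but as the replies in this thread point out, it also blocks the board's own pages.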


Post by david63 » Wed Sep 30, 2015 4:39 pm

postcd wrote:Please which PHPBB file requires .php execution
All of them
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored


Post by postcd » Wed Sep 30, 2015 4:45 pm

david63 wrote:
postcd wrote:Please which PHPBB file requires .php execution
All of them
I'm probably using a bad term for PHP execution.
If all of them, I think my website would not load at all then?
How can I then prevent someone from opening somefile.php in a web browser (I think it's not needed for the forum to function, as I never used .php in an address anywhere on the forum; mod_rewrite is used, I assume, and there is no need for .php in the URL address)?
Thanks for the advice

Post by marcovo » Wed Sep 30, 2015 5:10 pm

Do you mean, which .php files should be accessible through the browser? I guess this would be all files within the root folder of phpBB (excluding common.php) and download/file.php and adm/index.php . I don't know about adm/swatch.php . But I wonder what you want to do with this, as blocking .php files seems to be a workaround to implement some bad feature?

Post by Lumpy Burgertushie » Wed Sep 30, 2015 5:26 pm

unless you have something very strange set up on your server, then every single page of phpbb will have a .php in the file name in the address bar.

however, you can not access the php code itself in the browser.

for instance, right now, as you are reading this, in your browser's address bar at the top of the page will be;
viewtopic.php?f=46&t=2337991&p=14215996#p14215996

if you click on any page on this site, you will see the filename.php in the browser as part of the url.

that should be the same for your board as well. that is how php based scripts like phpbb work.

if you would explain what you are actually trying to accomplish, not how you think it should be done, then we can probably help you do it.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

Post by postcd » Wed Sep 30, 2015 6:18 pm

Lumpy Burgertushie wrote:if you would explain what you are actually trying to accomplish, not how you think it should be done, then we can probably help you do it.
robert
I believe I have already written it, so I'm copying it for you again:
in aim to secure my site i wanted to disallow execution of all .php file except index.php
so no one can open a file with the .php extension (in my case a malicious file that was injected)
how can i then prevent someone to open somefile.php in webbrowser (i think its not needed for the forum function as i never used .php in address anywhere on the forum..
I don't know which other words to use to explain. Hope you can help advise which file needed execution, and why my forum webpage did not show background images when I pasted the mentioned code into .htaccess

Post by Lumpy Burgertushie » Wed Sep 30, 2015 7:20 pm

sorry but once again, that makes no sense. you have to allow the php files to execute otherwise nothing works.

if you had a problem with malicious file that was injected, then it has nothing to do with allowing php files to be executed, it has to do with something on your server that was not secured properly.


if you are going to run php based websites then you have to allow those php files to be executed at the server level.

also, whatever problem you had with that "injection" or whatever, had nothing to do with phpbb.

contact your host to see how someone was able to attack your server if that is what happened.

robert

Post by eeji » Wed Sep 30, 2015 7:30 pm

phpBB is secure. You don't need to do anything with it. If you try to load a php file directly then one of three things will happen: 1 - You'll get an error message because there are no parameters in the url, 2- you'll get a 403 forbidden page, 3 - you'll get a blank page because there is nothing to show.
My phpBB styles: phpbbstyles.oo.gd
My board: iansvivarium.com


Post by postcd » Wed Sep 30, 2015 7:44 pm

Thanks, but if anyone can advise a working rule to disallow anyone executing a URL with .php in it, I would be grateful.

Post by Lumpy Burgertushie » Wed Sep 30, 2015 8:31 pm

are you not listening? you can't do it. if you disallow php to be executed on the server then no php scripts will be run.

if you are simply asking about not showing the .php extension in the url that will do nothing but make it harder for the board to work.

once again, this is not going to work . you can not access the php code in the browser to begin with. for instance, on this board here, if you type in phpbb.com/community/index.php you do not see the actual code in the index.php file. you see the html that that php code creates.

same is true for viewforum.php, viewtopic.php etc. etc. you can not see the actual php code.

you can not access the actual php code unless you own the site and have ftp access to the actual files etc.

you are worrying about trying to keep people from doing something that can't be done to begin with.


robert

Post by Brf » Wed Sep 30, 2015 9:40 pm

The ones that need to execute are the ones in the top-level folder, /adm folder and /download folder.
The other ones should already be prevented from executing by the .htaccess files.

The ones in the include and language folders, and such, should not be executed directly.


Post by AmigoJack » Thu Sep 01, 2016 7:37 am

postcd wrote:^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
This regular expression makes little to no sense. While this topic is pure comedy gold I think postcd should have said that he uses SEO, thus having mostly .html URIs (but not understanding that those are synonyms only).
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.
