Which phpbb file requires .php execution

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Suggested Hosts
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
User avatar
postcd
Registered User
Posts: 101
Joined: Sun Oct 14, 2007 3:42 pm

Which phpbb file requires .php execution

Post by postcd »

Hello,

in aim to secure my site i wanted to disallow execution of all .php file except index.php

so i added this to .htaccess
<FilesMatch "\.(php|php4|php5)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch "index\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
but it appears like something stopped working, i could not see template (subsilver) background images, just white background. Logo image and forums icons was visible (i did not tried to clear cache)

Please which PHPBB file requires .php execution so i can try to tweak my htaccess rule?

thank you

UPDATE:

this can be partial solution. adding into .htaccess

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
RewriteCond %{REQUEST_URI} !index.php
RewriteCond %{REQUEST_URI} !feedback.php
RewriteCond %{REQUEST_URI} !faq.php
RewriteCond %{REQUEST_URI} !search.php
RewriteCond %{REQUEST_URI} !memberlist.php
RewriteCond %{REQUEST_URI} !toplist.php
RewriteCond %{REQUEST_URI} !thankslist.php
RewriteCond %{REQUEST_URI} !ucp.php
RewriteCond %{REQUEST_URI} !mchat.php
RewriteCond %{REQUEST_URI} !rss.php
RewriteCond %{REQUEST_URI} !sitemap.php
RewriteRule \.php$ / [F,L]

it will not allow executing any url which ends with .php. tested
Last edited by postcd on Thu Oct 08, 2015 8:33 pm, edited 3 times in total.
I have Health Forum and also webmaster Hosting Forum. Interested in making money? Try money maker forum.
User avatar
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Which phpbb file requires .php execution

Post by david63 »

postcd wrote:Please which PHPBB file requires .php execution
All of them
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
User avatar
postcd
Registered User
Posts: 101
Joined: Sun Oct 14, 2007 3:42 pm

Re: Which phpbb file requires .php execution

Post by postcd »

david63 wrote:
postcd wrote:Please which PHPBB file requires .php execution
All of them
Im probably using bad term for php execution.
If all of them, i think my website would not load at all then?
how can i then prevent someone to open somefile.php in webbrowser (i think its not needed for the forum function as i never used .php in address anywere on the forum.. mod rewrite is used i assume and there is no .php in url address need?
Thanks for advice
I have Health Forum and also webmaster Hosting Forum. Interested in making money? Try money maker forum.
marcovo
Registered User
Posts: 239
Joined: Fri Nov 16, 2012 12:19 pm
Location: The Netherlands
Name: Marco

Re: Which phpbb file requires .php execution

Post by marcovo »

Do you mean, which .php files should be accessible through the browser? I guess this would be all files within the root folder of phpBB (excluding common.php) and download/file.php and adm/index.php . I don't know about adm/swatch.php . But I wonder what you want to do with this, as blocking .php files seems to be a workaround to implement some bad feature?
User avatar
Lumpy Burgertushie
Registered User
Posts: 69228
Joined: Mon May 02, 2005 3:11 am

Re: Which phpbb file requires .php execution

Post by Lumpy Burgertushie »

unless you have something very strange setup on your server. then every single page of phpbb will have a .php in the file name in the address bar.

however, you can not access the php code itself in the browser.

for instance, right now, as you are reading this, in your browser's address bar at the top of the page will be;
viewtopic.php?f=46&t=2337991&p=14215996#p14215996

if you click on any page on this site, you will the filename.php in the browser as part of the url.

that should be the same for your board as well. that is how php based scripts like phpbb work.

if you would explain what you are actually trying to accomplish, not how you think it should be done, then we can probably help you do it.

robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
User avatar
postcd
Registered User
Posts: 101
Joined: Sun Oct 14, 2007 3:42 pm

Re: Which phpbb file requires .php execution

Post by postcd »

Lumpy Burgertushie wrote:if you would explain what you are actually trying to accomplish, not how you think it should be done, then we can probably help you do it.
robert
i believe i already written it, so im copying it to you again:
in aim to secure my site i wanted to disallow execution of all .php file except index.php
so no one can open file with .php extension (in my case malicious file that was injected)
how can i then prevent someone to open somefile.php in webbrowser (i think its not needed for the forum function as i never used .php in address anywere on the forum..
i dont know which other words to use to explain. hope you can helpa dvice which file needed execution, why my forum webpage do not shown background images when i pasted mentioned code into htaccess
I have Health Forum and also webmaster Hosting Forum. Interested in making money? Try money maker forum.
User avatar
Lumpy Burgertushie
Registered User
Posts: 69228
Joined: Mon May 02, 2005 3:11 am

Re: Which phpbb file requires .php execution

Post by Lumpy Burgertushie »

sorry but once again, that makes no sense. you have to allow the php files to execute otherwise nothing works.

if you had a problem with malicious file that was injected, then it has nothing to do with allowing php files to be executed, it has to do with something on your server that was not secured properly.


if you are going to run php based websites then you have to allow those php files to be executed at the server level.

also, whatever problem you had with that "injection" or whatever, had nothing to do with phpbb.

contact your host to see how someone was able to attack your server if that is what happened.

robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
User avatar
eeji
Registered User
Posts: 1467
Joined: Fri Dec 12, 2008 9:08 pm
Location: Manchester, UK

Re: Which phpbb file requires .php execution

Post by eeji »

phpBB is secure. You don't need to do anything with it. If you try to load a php file directly then one of three things will happen: 1 - You'll get an error message because there are no parameters in the url, 2- you'll get a 403 forbidden page, 3 - you'll get a blank page because there is nothing to show.
My phpBB styles: phpbbstyles.iansvivarium.com
My "board": iansvivarium.com
(yes, it's running phpBB!)
User avatar
postcd
Registered User
Posts: 101
Joined: Sun Oct 14, 2007 3:42 pm

Re: Which phpbb file requires .php execution

Post by postcd »

Thanks, but if anyone can advice working rule to disallow anyone executing url with .php in it, i would be gratefull
I have Health Forum and also webmaster Hosting Forum. Interested in making money? Try money maker forum.
User avatar
Lumpy Burgertushie
Registered User
Posts: 69228
Joined: Mon May 02, 2005 3:11 am

Re: Which phpbb file requires .php execution

Post by Lumpy Burgertushie »

are you not listening? you can't do it. if you disallow php to be executed on the server then no php scripts will be run.

if you are simply asking about not showing the .php extension in the url that will do nothing but make it harder for the board to work.

once again, this is not going to work . you can not access the php code in the browser to begin with. for instance, on this board here, if you type in phpbb.com/community/index.php you do not see the actual code in the index.php file. you see the html that that php code creates.

same is true for viewforum.php, viewtopic.php etc. etc. you can not see the actual php code.

you can not access the actual php code unless you own the site and have ftp access to the actual files etc.

you are worrying about trying to keep people from doing something that can't be done to begin with.


robert
Premium phpBB 3.3 Styles by PlanetStyles.net

I am pleased to announce that I have completed the first item on my bucket list. I have the bucket.
User avatar
Brf
Support Team Member
Support Team Member
Posts: 53518
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}

Re: Which phpbb file requires .php execution

Post by Brf »

The ones that need to execute are the ones in the top-level folder, /adm folder and /download folder.
The other ones should already be prevented from executing by the .htaccess files.

The ones in the include and language folders, and such, should not be executed directly.
User avatar
AmigoJack
Registered User
Posts: 6116
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Which phpbb file requires .php execution

Post by AmigoJack »

postcd wrote:^[A-Z]{3,9}\ /[^\ ]+\.php($|\ )
This regular expression makes little to no sense. While this topic is pure comedy gold I think postcd should have said that he uses SEO, thus having mostly .html URIs (but not understanding that those are synonyms only).
  • "The problem is probably not my English but you do not want to understand correctly. ... We will not come anybody anyway, nevertheless, it's best to shit this." Affin, 2018-11-20
  • "But this shit is not here for you. You can follow with your. Maybe the question, instead, was for you, who know, so you shoved us how you are." axe70, 2020-10-10
  • "My reaction is not to everyone, especially to you." Raptiye, 2021-02-28

Return to “[3.0.x] Support Forum”