Access To File Besides Index.php

sublok · October 11, 2016, 12:00am

Can someone let me know how i can add access to another file such as

mydomain.com/filename.php?

I have uploaded a file and it gives me a 500 error.

thank you

SDAD · October 12, 2016, 12:00am

Can someone let me know how i can add access to another file such as

mydomain.com/filename.php?

I have uploaded a file and it gives me a 500 error.

thank you

Check the error in the error logs.

ecomlabs · October 12, 2016, 12:00am

May be access to other files is forbidden in the .htaccess file?

sublok · October 12, 2016, 12:00am

eCom - thank you for your reply, the htaccess is "out-of-box" with no mods on 4.3.x, im not great with regex here is my htaccess

DirectoryIndex index.html index.php

	# Compress HTML, CSS, JavaScript, Text, XML, fonts
	AddOutputFilterByType DEFLATE application/javascript application/x-javascript text/javascript application/json
	AddOutputFilterByType DEFLATE application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf font/opentype font/otf font/ttf application/x-woff application/x-font-woff
	AddOutputFilterByType DEFLATE text/css text/html text/plain

	# Remove browser bugs (only needed for really old browsers)
	BrowserMatch ^Mozilla/4 gzip-only-text/html
	BrowserMatch ^Mozilla/4\.0[678] no-gzip
	BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
	Header append Vary User-Agent




	
		Header set Access-Control-Allow-Origin "*"
	


Cache all images for 2 weeks

	
	    ExpiresActive on
	    ExpiresDefault "access plus 2 weeks"
	


	
		Header set Cache-Control "max-age=1209600"
	


RewriteEngine on
RewriteBase /
Options -MultiViews
RewriteRule ^init.php$ - [F,L,NC]

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_URI} ^api/(.)$ [or]

RewriteCond %{REQUEST_URI} ./api/(.*)$

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule .api/(.)$ api.php?_d=$1 [L,QSA]
RewriteCond %{REQUEST_URI} .(png|gif|ico|swf|jpe?g|js|css|ttf|svg|eot|woff|yml|xml)$ [NC,or]

RewriteCond %{REQUEST_URI} store_closed.html$

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule ^(.?)/(.)$ $2 [L]
RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . index.php [L,QSA]


This prevents possible problems when downloading files

    php_flag zlib.output_compression Off

sublok · October 12, 2016, 12:00am

Check the error in the error logs.

There are no errors in the logs files :(

ecomlabs · October 13, 2016, 12:00am

eCom - thank you for your reply, the htaccess is "out-of-box" with no mods on 4.3.x, im not great with regex here is my htaccess

In this case please also check file permissions and file owner. It can cause such issue

sublok · October 18, 2016, 12:00am

Im trying to secure the renamed admin file when i add in the filesmatch rule to the htaccess is give me a 404 and i can not access the admin.

So i know that its reading the file name properly, and the perms are set according to the secure your admin section http://docs.cs-cart.com/4.3.x/install/security.html

tbirnseth · October 19, 2016, 12:00am

Why are you adding it to a files match statement? If the file is present, it will be used. Are you trying to limit the files that "can be accessed" from your document root? If so, then I'd assume you have a problem in your 'files' tag 'order" or application. Please post your "files" tag statement.

sublok · October 19, 2016, 12:00am

So after some digging on this issue if anyone else has the same quandary, it appears that the cs-cart requires the

ErrorDocument 401 "output text"

to be included else it causes a redirect loop as it is not push to an "error" page.

I was able to secure a renamed admin page by adding the following before the rewrite rules block

RewriteEngine on
RewriteBase /
Options -MultiViews -Indexes
{insert block here }
RewriteRule ^init.php$ - [F,L,NC]

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

with the following.

AuthType Basic
AuthName "Login"
AuthUserFile /home/path/sub/.filename
require valid-user
ErrorDocument 401 "Required"

Just to add an extra layer of security. I would recommend that cs-cart add this to their core code htaccess with an append to the .htaccess file

@tbirnseth - it is a stock cs-cart .htaccess, just using the rules and rewrites that are included. Was trying to secure a renamed admin.php file, if the filesmatch is not included i think that this block

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L,QSA]

redirect all request to the index.php page causing a redirect loop, but im not 100% on that assumption.

tbirnseth · October 19, 2016, 12:00am

It only redirects to the index.php if the request does NOT exist as a file OR directory. Index.php, api.php and admin.php all exist and are not passed to the application to "resolve". Any "SEO name" will be passed to index.php to be processed to redirect to the appropriate url based on the SEO name/rules.

.

I would think you'd be able to deny everything and then just enable admin.php, index.php and api.php if you want to.

Personally I think it's overkill if your ownerships and permissions are set properly based on the method your web server uses. But you should be able to do it if you want to.