
I have an Apache server on Windows 7 using XAMPP, running PHP in CGI mode. One of the users can modify the .htaccess file to restrict access to the webpage for some IP addresses and to configure other settings. He cannot view the source of the PHP files stored on the server, and I don't want him to be able to do it.

Since PHP is running in CGI mode, adding php_flag engine off to the .htaccess file does not show the source code of the PHP files; it just displays an internal server error. However, I am concerned that there might be another way to access the source of my files.

  • Is there any way to view the source of the PHP files by modifying the .htaccess file if PHP is running in CGI mode and php_flag does not work?
  • In case there is some way to view the source, can I fix it, or is the only option to use an alternative solution and not expose the .htaccess file?
Hawkings

2 Answers


Yeah, you do have a risk exposing the .htaccess file to other users who are not in your trust circle, even though you are using PHP in CGI mode, but I am not sure how capable other users out there are. For example, a rule like this exposes your PHP code as text.

<FilesMatch "\.php$">
    # serves the PHP source file as static content instead of running it
    SetHandler text/plain
</FilesMatch>

So what I suggest is: don't give full permission in .htaccess; only give permission to the modules which are requested or necessary.

For example, don't allow modules such as mod_mime, Indexes, etc. to the other user.

Don't use

AllowOverride All

Instead, mention the modules which you want to permit:

# mod_rewrite is not a valid AllowOverride argument; its directives
# belong to the FileInfo override class (which also covers SetHandler)
AllowOverride AuthConfig FileInfo

Hope it helps.

Abhishek Gurjar
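As an added illustration of the AllowOverride advice in the answer above (example configuration written for this page, not part of the original answer): the weak httpd.conf directory block beside a hardened one, for Apache 2.4 as shipped with XAMPP. The DocumentRoot path and the directory the untrusted user controls are assumptions. What matters is the override class, not the module name: SetHandler, AddHandler and AddType all belong to FileInfo, so any .htaccess allowed to contain them can make Apache hand out .php files as static text. The IP restriction the question needs (`Require ip` in 2.4) only needs AuthConfig, and the legacy Order/Allow/Deny only needs Limit. Apache 2.4 also has AllowOverrideList, which permits individual directives by name without opening a whole class.

```apache
# Added example, not from the original answer. Assumes Apache 2.4 (XAMPP),
# DocumentRoot C:/xampp/htdocs, and that the untrusted user can write
# .htaccess files under C:/xampp/htdocs/site (paths are assumptions).

# WEAK: every override class, including FileInfo. FileInfo permits
# SetHandler, AddHandler, AddType and the mod_rewrite directives, any of
# which can be used to serve .php files as plain text instead of running them.
<Directory "C:/xampp/htdocs/site">
    AllowOverride All
    Require all granted
</Directory>

# HARDENED: only the classes the user's stated task needs.
#   AuthConfig -> Require ip / Require all (2.4 IP restriction, auth)
#   Limit      -> Order / Allow / Deny (legacy 2.2-style IP restriction)
# FileInfo, Indexes and Options are deliberately absent, so SetHandler,
# AddHandler, AddType and Options in .htaccess return a 500 instead of
# taking effect.
<Directory "C:/xampp/htdocs/site">
    AllowOverride AuthConfig Limit
    # Optional (Apache 2.4): allow individual directives by name without
    # granting the whole FileInfo class they belong to.
    AllowOverrideList Redirect ErrorDocument
    Require all granted
</Directory>

# What the untrusted user can still put in C:/xampp/htdocs/site/.htaccess
# (constructed sample addresses from the documentation ranges):
#   Require ip 192.0.2.0/24 198.51.100.7
#
# What now fails with "500 Internal Server Error" and a
# "... not allowed here" line in error.log, instead of leaking source:
#   <FilesMatch "\.php$">
#       SetHandler text/plain
#   </FilesMatch>
#   AddType text/plain .php
#   php_flag engine off   # unknown to Apache in CGI mode, fails either way
```

To verify, drop a .htaccess containing the SetHandler block into the user's directory and request a .php file: with the hardened Directory block Apache answers 500 and logs `SetHandler not allowed here`. If the user genuinely needs mod_rewrite, list only RewriteEngine, RewriteCond, RewriteRule and RewriteBase in AllowOverrideList rather than granting FileInfo, and note that RewriteRule's `[T=...]` flag can override the content type, so check how php-cgi is attached (AddHandler versus AddType plus Action) before granting even that.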

You can restrict the other user from accessing .htaccess by changing the file's security policies (right-click, Properties, Security tab). You need to remove the webserver-writable flag from the file, so users will not be able to edit it even using PHP.

Edit: the other option would be using nginx, which does not store configuration files in the webroot, so users with webroot-specific access cannot do anything fishy.

Rápli András
  • I do not want to protect the `.htaccess` file itself. I want to protect my php files from a user that can modify the `.htaccess` file. – Hawkings Jan 31 '17 at 14:30