Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > vBulletin 4 Articles

Reply
 
Thread Tools
Professional Htaccess VB 4
Moh4m4d
Join Date: Feb 2010
Posts: 17

Fatal Error !

Ramsar
Show Printable Version Email this Page Subscription
Moh4m4d Moh4m4d is offline 09-06-2013, 10:00 PM

Hi ,

Professional Htaccess For VBulletin 4 ,

Advantage :

Fix Xss Bug

Fix sql Injection

Protect From Htaccess

Not Run Bug In Forum

And ...

Code:
# Comment the following line (add '#' at the beginning)
# to disable mod_rewrite functions.
# Please note: you still need to disable the hack in
# the vBSEO control panel to stop url rewrites.
RewriteEngine On

# Some servers require the Rewritebase directive to be
# enabled (remove '#' at the beginning to activate)
# Please note: when enabled, you must include the path
# to your root vB folder (i.e. RewriteBase /forums/)
#RewriteBase /

#RewriteCond %{HTTP_HOST} !^www\.yourdomain\.com
#RewriteRule (.*) http://www.yourdomain.com/forums/$1 [L,R=301]

RewriteRule ^((urllist|sitemap_).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]

RewriteCond %{REQUEST_URI} !(admincp/|modcp/|cron|vbseo_sitemap|api\.php)
RewriteRule ^((archive/)?(.*\.php(/.*)?))$ vbseo.php [L,QSA]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !/(admincp|modcp|clientscript|cpstyles|images)/
RewriteRule ^(.+)$ vbseo.php [L,QSA]
RewriteEngine On
RewriteRule ^((urllist|sitemap).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]

<files ".htaccess"> order allow,deny deny from all </files>
<FilesMatch "\.(gif|jpg|png|swf|html|css|js|fla)$">     deny from all </FilesMatch>

<FilesMatch "^php5?\.(ini|cgi)$">
Order Deny,Allow 
Deny from All 
Allow from env=REDIRECT_STATUS 
</FilesMatch>

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

#proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]

<?php
// LFI Vulnerable Code
$redirect = $_GET[redirect];
include($redirect);
?>

RewriteEngine On


RewriteCond %{QUERY_STRING} act= [OR]
RewriteCond %{QUERY_STRING} sw= [OR]
RewriteCond %{QUERY_STRING} act [OR]
RewriteCond %{QUERY_STRING} sw [OR]
RewriteCond %{QUERY_STRING} 0x3a [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|�|�|\)|%0A|%0D|%22|%27|%3C|%3E|).*(/\*|union|concat).* [NC]
RewriteRule .* - [L,F]

# Prevent use of specified methods in HTTP Request 
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR] 
# Block out use of illegal or unsafe characters in the HTTP Request 
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR] 
# Block out use of illegal or unsafe characters in the Referer Variable of the HTTP Request 
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] 
# Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request 
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] 
# Block out use of illegal characters in URI or use of malformed URI 
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR] 
# Block out  use of empty User Agent Strings
# NOTE - disable this rule if your site is integrated with Payment Gateways such as PayPal 
RewriteCond %{HTTP_USER_AGENT} ^$ [OR] 
# Block out  use of illegal or unsafe characters in the User Agent variable 
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] 
# Measures to block out  SQL injection attacks 
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR] 
# Block out  reference to localhost/loopback/127.0.0.1 in the Query String 
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR] 
# Block out  use of illegal or unsafe characters in the Query String variable 
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
Reply With Quote
  #32  
Old 11-12-2013, 12:18 PM
final kaoss final kaoss is offline
 
Join Date: Apr 2006
Posts: 1,314
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Here, I have revised your current htaccess for better security & to give your forum more speed and no rewrites as you said. But for protecting the admincp & cpanel this should help with most of that unless someone RAT's you or tries to Brute Force Crack your password.

Code:
 <IfModule mod_suphp.c>
  suPHP_ConfigPath /home/My Site/public_html
  <Files php.ini>
   order allow,deny
   deny from all
  </Files>
 </IfModule>


<IfModule mod_rewrite.c>
  RewriteEngine on

  # If vbulletin is in a subdirectory, add it here
  RewriteBase /

  # Retrieve gamedata requests and send to new dbtech locations
  RewriteRule ^arcade/gamedata/(.*) dbtech/vbarcade/media/$1 [L]

  # Retrieve crossdomain requests and send to new dbtech location
  RewriteRule ^crossdomain\.xml dbtech/vbarcade/crossdomain.xml [L]

  # Send hardcoded pnf+ipa scores to arcade instead
  RewriteCond %{QUERY_STRING} func=storeScore [OR]
  RewriteCond %{QUERY_STRING} autocom=arcade [OR]
  RewriteCond %{QUERY_STRING} act=Arcade
  RewriteRule .* arcade.php [L,QSA]

  # Reroute v3arcade liveinstaller
  RewriteCond %{QUERY_STRING} do=liveinstall
  RewriteCond %{REQUEST_URI} v3arcade_admin\.php

  # If you renamed your admincp directory, change it here
  RewriteRule .* %{DOCUMENT_ROOT}/********/arcade_admin.php?%{QUERY_STRING}&do=review&import=browse&system=v3a [L,R=301]
</IfModule>
RewriteEngine On
RewriteRule ^((urllist|sitemap).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]

deny from 203.*********
deny from 203.*********
deny from 203.*********
deny from 203.*********
deny from 203.*********
deny from 203.*********
deny from 203.*********
deny from 203.*********

#Deny attempts to view the Htaccess file and other files.
<Files .htaccess>
Order allow,deny
Deny from all
</Files>

<Files 403.shtml>
order allow,deny
Deny from all
</Files>


# BEGIN W3TC Browser Cache
<IfModule mod_mime.c>
    AddType text/css .css
    AddType application/javascript .js
    AddType application/x-javascript .js
    AddType text/html .html .htm
    AddType text/richtext .rtf .rtx
    AddType image/svg+xml .svg .svgz
    AddType text/plain .txt
    AddType text/xsd .xsd
    AddType text/xsl .xsl
    AddType text/xml .xml
    AddType video/asf .asf .asx .wax .wmv .wmx
    AddType video/avi .avi
    AddType image/bmp .bmp
    AddType application/java .class
    AddType video/divx .divx
    AddType application/msword .doc .docx
    AddType application/x-msdownload .exe
    AddType image/gif .gif
    AddType application/x-gzip .gz .gzip
    AddType image/x-icon .ico
    AddType image/jpeg .jpg .jpeg .jpe
    AddType application/vnd.ms-access .mdb
    AddType audio/midi .mid .midi
    AddType video/quicktime .mov .qt
    AddType audio/mpeg .mp3 .m4a
    AddType video/mp4 .mp4 .m4v
    AddType video/mpeg .mpeg .mpg .mpe
    AddType application/vnd.ms-project .mpp
    AddType application/vnd.oasis.opendocument.database .odb
    AddType application/vnd.oasis.opendocument.chart .odc
    AddType application/vnd.oasis.opendocument.formula .odf
    AddType application/vnd.oasis.opendocument.graphics .odg
    AddType application/vnd.oasis.opendocument.presentation .odp
    AddType application/vnd.oasis.opendocument.spreadsheet .ods
    AddType application/vnd.oasis.opendocument.text .odt
    AddType audio/ogg .ogg
    AddType application/pdf .pdf
    AddType image/png .png
    AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
    AddType audio/x-realaudio .ra .ram
    AddType application/x-shockwave-flash .swf
    AddType application/x-tar .tar
    AddType image/tiff .tif .tiff
    AddType audio/wav .wav
    AddType audio/wma .wma
    AddType application/vnd.ms-write .wri
    AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
    AddType application/zip .zip
</IfModule>
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css A31536000
    ExpiresByType application/x-javascript A31536000
    ExpiresByType text/html A3600
    ExpiresByType text/richtext A3600
    ExpiresByType image/svg+xml A3600
    ExpiresByType text/plain A3600
    ExpiresByType text/xsd A3600
    ExpiresByType text/xsl A3600
    ExpiresByType text/xml A3600
    ExpiresByType video/asf A31536000
    ExpiresByType video/avi A31536000
    ExpiresByType image/bmp A31536000
    ExpiresByType application/java A31536000
    ExpiresByType video/divx A31536000
    ExpiresByType application/msword A31536000
    ExpiresByType application/x-msdownload A31536000
    ExpiresByType image/gif A31536000
    ExpiresByType application/x-gzip A31536000
    ExpiresByType image/x-icon A31536000
    ExpiresByType image/jpeg A31536000
    ExpiresByType application/vnd.ms-access A31536000
    ExpiresByType audio/midi A31536000
    ExpiresByType video/quicktime A31536000
    ExpiresByType audio/mpeg A31536000
    ExpiresByType video/mp4 A31536000
    ExpiresByType video/mpeg A31536000
    ExpiresByType application/vnd.ms-project A31536000
    ExpiresByType application/vnd.oasis.opendocument.database A31536000
    ExpiresByType application/vnd.oasis.opendocument.chart A31536000
    ExpiresByType application/vnd.oasis.opendocument.formula A31536000
    ExpiresByType application/vnd.oasis.opendocument.graphics A31536000
    ExpiresByType application/vnd.oasis.opendocument.presentation A31536000
    ExpiresByType application/vnd.oasis.opendocument.spreadsheet A31536000
    ExpiresByType application/vnd.oasis.opendocument.text A31536000
    ExpiresByType audio/ogg A31536000
    ExpiresByType application/pdf A31536000
    ExpiresByType image/png A31536000
    ExpiresByType application/vnd.ms-powerpoint A31536000
    ExpiresByType audio/x-realaudio A31536000
    ExpiresByType application/x-shockwave-flash A31536000
    ExpiresByType application/x-tar A31536000
    ExpiresByType image/tiff A31536000
    ExpiresByType audio/wav A31536000
    ExpiresByType audio/wma A31536000
    ExpiresByType application/vnd.ms-write A31536000
    ExpiresByType application/vnd.ms-excel A31536000
    ExpiresByType application/zip A31536000
</IfModule>


# BEGIN Compress text files
<ifModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/xml text/css text/plain
  AddOutputFilterByType DEFLATE image/svg+xml application/xhtml+xml application/xml
  AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
  AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript application/json
  AddOutputFilterByType DEFLATE application/x-font-ttf application/x-font-otf
  AddOutputFilterByType DEFLATE font/truetype font/opentype


  BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</ifModule>
# END Compress text files
 
 
# BEGIN Cache-Control Headers
<ifModule mod_headers.c>
  <filesMatch "\.(ico|jpe?g|png|gif|swf)$">
    Header set Cache-Control "public"
  </filesMatch>
  <filesMatch "\.(css)$">
    Header set Cache-Control "public"
  </filesMatch>
  <filesMatch "\.(js)$">
    Header set Cache-Control "private"
  </filesMatch>
  <filesMatch "\.(x?html?|php)$">
    Header set Cache-Control "private, must-revalidate"
  </filesMatch>
</ifModule>
# END Cache-Control Headers
 
# BEGIN Turn ETags Off
FileETag None
# END Turn ETags Off




# proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
Here's how to for beginners. Thank siteground.

Establish FTP connection
We will start with the FTP connection establishment.

Open your FileZilla installation and enter the following details:

Hostname - enter your domain name or the name of the hosting server where your account resides;

Username - enter the FTP username (you can use your cPanel username or the one of a new FTP account);

Password - enter the corresponding FTP password;

Port - enter the FTP port (by default it is 21);


Click on the Quickconnect button the establish the FTP connection.

Once the FTP connection is opened you will see the listing of the remote server's files and folders.

Manage Files Using FileZilla
If you have a web site created on your local computer, you will want to make it live by uploading its files on your web server. The cPanel software is installed on all the SiteGround servers. The root folder for the web site content is public_html. Select the web site files in the Local site area. Drag and drop them in the public_html folder under the Remote site area. In this way they will be accessible through your domain name.


Sometimes you need to edit a file's code and update the web site functionality. Right-click on the chosen file and pick the View/Edit option.


The file will be opened in the default text editor. Edit it and then save the changes. The FTP client will recognize the file modifications. It will prompt you whether to upload the modified file back on the server and delete the local copy from your computer.


The other actions which you can perform on the files and folders are:

Download - this option allows you to download files and folders from the remote server to your local computer;

Add files to queue - allows to schedule a later transfer of the files;

Create Directory - allows you to create a new folder under your current location;

Delete - using it you can delete files and folders;

Rename - you can rename files and folders;

File Permissions - allows you to change the file permissions of files and folders; You can alter the owner, the group and the public permissions. You can define whether the files are readable, writable and executable. You can find more details about the file permissions in our cPanel tutorial.
Reply With Quote
Благодарность от:
Max Taxable
  #33  
Old 11-12-2013, 01:52 PM
tanzeelniazi tanzeelniazi is offline
 
Join Date: Apr 2012
Posts: 375
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

@Final kaoss
You are great man
Just 1 question
I am using only VBSEO hack https://vborg.vbsupport.ru/showthread.php?t=253516
not a complete software if i use this code i am secure 100% ? i mean upper you give.
i am not using filezilla i use only direct upload
Reply With Quote
  #34  
Old 02-08-2014, 10:05 AM
MylesM MylesM is offline
 
Join Date: Aug 2009
Posts: 56
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Will any of this work with vBulletin 3.8.x ?
Reply With Quote
  #35  
Old 02-08-2014, 01:13 PM
Moh4m4d Moh4m4d is offline
 
Join Date: Feb 2010
Location: Ramsar
Posts: 17
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by tanzeelniazi View Post
@Final kaoss
You are great man
Just 1 question
I am using only VBSEO hack https://vborg.vbsupport.ru/showthread.php?t=253516
not a complete software if i use this code i am secure 100% ? i mean upper you give.
i am not using filezilla i use only direct upload
Secure will never ever 100%
But with this code , you can be secure more and your forum won't hack soon and easy
Reply With Quote
  #36  
Old 02-08-2014, 06:26 PM
ceroalreves ceroalreves is offline
 
Join Date: Sep 2013
Posts: 8
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi, how is this works? i just have to upload it?
Reply With Quote
  #37  
Old 02-12-2014, 08:43 AM
Moh4m4d Moh4m4d is offline
 
Join Date: Feb 2010
Location: Ramsar
Posts: 17
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by ceroalreves View Post
Hi, how is this works? i just have to upload it?
Yes it works , Just upload it in to your root forum
Reply With Quote
  #38  
Old 02-12-2014, 06:13 PM
RichieBoy67's Avatar
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Location: CT - Down in a hole..
Posts: 3,057
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Moh4m4d View Post
Yes it works , Just upload it in to your root forum
Well it depends what he has there currently. If he uploads this and overwrites his existing he could have issues.

Great work though. I really hate working with htaccess but have learned alot from guys like you. Thanks for posting this.
Reply With Quote
  #39  
Old 07-21-2015, 03:47 PM
friendlymela's Avatar
friendlymela friendlymela is offline
 
Join Date: Dec 2012
Location: Karachi, Pakistan
Posts: 272
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

nice one but i am not useing vbseo what should i do then?
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:00 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07505 seconds
  • Memory Usage 2,297KB
  • Queries Executed 23 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (2)bbcode_code
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (9)post_thanks_box
  • (7)post_thanks_box_bit
  • (9)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (2)post_thanks_postbit
  • (9)post_thanks_postbit_info
  • (8)postbit
  • (9)postbit_onlinestatus
  • (9)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete