<IfModule mod_setenvif.c> | |
ErrorDocument 403 "This request has been denied because the plugin is potentially vulnerable and your IP is not approved. Developers can add approved IP addresses to the [...]/xinha/unsupported_plugins/.htaccess file" | |
# Some unsupported plugins are potentially more dangerous to have | |
# open-to-the-world than others due to the potential for unknown or | |
# crept-in-through-php-updates type vulnerabilities | |
# | |
# As a result those plugins (see further below) are limited to approved | |
# ip addresses only, which you can set below. | |
# Localhost only by default, I figure if you are running locally there | |
# isn't much more bad can happen than already is. | |
######################################################################## | |
SetEnvIf Remote_Addr 127\.0\.0\.1 approved_ip | |
# The following ranges are the Private IPv4 Space | |
# If you are allowing only your local network to access this, just | |
# uncomment the appropriate one(s) | |
######################################################################## | |
# SetEnvIf Remote_Addr 192\.168\.[0-9]+\.[0-9]+ approved_ip | |
# SetEnvIf Remote_Addr 10\.[0-9]+\.[0-9]+\.[0-9]+ approved_ip | |
# SetEnvIf Remote_Addr 172\.1[6-9]\.[0-9]+\.[0-9]+ approved_ip | |
# SetEnvIf Remote_Addr 172\.2[0-9]\.[0-9]+\.[0-9]+ approved_ip | |
# SetEnvIf Remote_Addr 172\.3[0-1]\.[0-9]+\.[0-9]+ approved_ip | |
######################################################################## | |
# Add additional SetEnvIf to approve further IP addresses, note that | |
# the IP address is a regular express, be sure to escape the dots. | |
######################################################################## | |
# SetEnvIf Remote_Addr 111\.111\.111\.111 approved_ip | |
# SetEnvIf Remote_Addr 123\.123\.123\.123 approved_ip | |
######################################################################### | |
# Plugin List | |
######################################################################### | |
# We mark the safe plugins, anything not marked (commented out) is | |
# regarded to be a potential threat. | |
#SetEnvIf Request_URI "/BackgroundImage/" not_a_security_threat | |
#SetEnvIf Request_URI "/DoubleClick/" not_a_security_threat | |
#SetEnvIf Request_URI "/Filter/" not_a_security_threat | |
#SetEnvIf Request_URI "/InsertMarquee/" not_a_security_threat | |
#SetEnvIf Request_URI "/NoteServer/" not_a_security_threat | |
#SetEnvIf Request_URI "/Template/" not_a_security_threat | |
SetEnvIf Request_URI "/ExtendedFileManager/" security_threat | |
SetEnvIf Request_URI "/HtmlTidy/" security_threat | |
SetEnvIf Request_URI "/ImageManager/" security_threat | |
SetEnvIf Request_URI "/InsertPicture/" security_threat | |
SetEnvIf Request_URI "/SpellChecker/" security_threat | |
SetEnvIf Request_URI "/PersistentStorage/" security_threat | |
SetEnvIf Request_URI "/PSFixed/" security_threat | |
SetEnvIf Request_URI "/PSLocal/" security_threat | |
SetEnvIf Request_URI "/PSServer/" security_threat | |
# And this is where we deny things, hopefully this concoction of rules | |
# works in most typical Apache situations. | |
# Apache < 2.3 | |
<IfModule !mod_authz_core.c> | |
# Deny,Allow means | |
# if both match then allow, | |
# else if neither match then allow, | |
# else if deny matches then deny, | |
# else if allow matches then allow | |
Order Deny,Allow | |
Deny from env=security_threat | |
Allow from env=approved_ip | |
</IfModule> | |
# Apache >= 2.3 | |
<IfModule mod_authz_core.c> | |
# Which has the compatibility module, we will have to use | |
# this also to make sure that is denied in case the | |
# vhose includes old rules too which would override | |
# the new Require directives | |
<IfModule mod_access_compat.c> | |
Order Deny,Allow | |
Deny from env=security_threat | |
Allow from env=approved_ip | |
</IfModule> | |
# Finally Apache >= 2.3 properly (why did they make this so confusing) | |
<RequireAny> | |
# Deny everybody by default | |
Require all denied | |
# Except if it's not a security threat | |
<RequireAll> | |
Require all granted | |
Require not env security_threat | |
</RequireAll> | |
# Except if it's an approved IP | |
<RequireAll> | |
Require all granted | |
Require env approved_ip | |
</RequireAll> | |
</RequireAny> | |
</IfModule> | |
</IfModule> |