Preventing Direct Access to Internal Scripts Displayed Through the Wrapper

In my earlier post here, I gave you the htaccess directives to prevent direct access to external scripts that reside outside of your Mambo directories but which are displayed within the wrapper. However, what happens if you are using the wrapper to call some internal (i.e. from inside the Mambo directory structure) scripts? This needs a different approach for preventing direct access to the scripts.

# Options +FollowSymLinks is not needed on some servers
Options +FollowSymLinks
RewriteEngine On
# Blocking direct access
# Change example.com to your domain
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/ [NC]
RewriteCond %{REQUEST_URI} directory-containing-your-scripts [NC]
RewriteRule .* - [F]

Depending on your actual server setup you may need to write your REQUEST_URI pattern as /directory-containing-your-scripts/. An easy way to check is to test with PHP: the %{REQUEST_URI} variable used in the htaccess file uses the same information that you can retrieve from PHP using $_SERVER["REQUEST_URI"].

These htaccess directives need to go inside the directory that contains the script(s) you are calling through the wrapper. If you already have an htaccess file in your site root you do not need to include "RewriteEngine On" in this new htaccess file. The check on the HTTP referrer (the HTTP_REFERER condition) needs to be made to ensure that Mambo can run the local script inside the wrapper.
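The logic of the two RewriteCond lines can be checked offline before the file is deployed. The Python sketch below is an added example, not part of the original post: it re-implements the two conditions with Python's re module (an approximation of mod_rewrite that holds for these particular patterns), and the sample requests, including the com_wrapper URL, are constructed.

```python
import re

# The two RewriteCond patterns from the htaccess rules above; [NC] = ignore case.
REFERER_RE = re.compile(r"^http://(www\.)?example\.com/", re.IGNORECASE)
URI_RE = re.compile(r"directory-containing-your-scripts", re.IGNORECASE)


def is_forbidden(request_uri, referer=""):
    """Return True when the rules would answer 403 Forbidden (the [F] flag).

    Consecutive RewriteCond lines are ANDed. The first one is negated with
    "!", so it holds when the Referer does NOT match. An absent Referer
    header expands to an empty string. The URI pattern has no ^ or $, so it
    matches anywhere in the path, hence search() rather than match().
    """
    referer_is_foreign = REFERER_RE.search(referer) is None
    uri_is_protected = URI_RE.search(request_uri) is not None
    return referer_is_foreign and uri_is_protected


SCRIPT = "/directory-containing-your-scripts/report.php"  # constructed path

# Constructed sample requests: (REQUEST_URI, Referer header, "" when absent).
# The Referer is whatever the client sends; the rule filters on that value.
SAMPLES = [
    (SCRIPT, ""),  # typed into the address bar
    (SCRIPT, "http://www.example.com/index.php?option=com_wrapper"),  # wrapper
    (SCRIPT, "https://www.example.com/index.php"),  # pattern is http:// only
    (SCRIPT, "http://example.com.other.test/"),  # lookalike host name
    ("/Directory-Containing-Your-Scripts/x.php", "HTTP://EXAMPLE.COM/"),  # [NC]
    ("/index.php", ""),  # URI condition false (rules placed in a parent dir)
]


def evaluate(samples=SAMPLES):
    """Return (uri, referer, forbidden) for every sample request."""
    return [(uri, ref, is_forbidden(uri, ref)) for uri, ref in samples]


if __name__ == "__main__":
    for uri, ref, forbidden in evaluate():
        print("403 " if forbidden else "pass", uri, "| Referer:", ref or "(none)")
```

The third sample shows that a site served over https would have its own wrapper pages rejected by the pattern as written, so the scheme in the first RewriteCond has to match the one your site actually uses.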

NOTE: If you include local scripts inside the wrapper it is imperative that your scripts are secure. Including insecure scripts can open your entire Mambo site and/or server to security vulnerabilities so take care!

Topic: Mambo Tutorials
Tagged as: htaccess file, Mambo, PHP, rewriterule
