Sep 162014
 

How to test which Apache modules are loaded in a shared hosting environment. It can be hard to tell but I think I have found a nice light way. Particularly for shared hosts that are strongly protecting against information leakage on their systems.

Hell my shared host even had “mod_access_compat” disabled. So I can’t even run file allow,deny directives. Admittedly those directives are really confusing and redirects may be easier. I only confirmed that thanks to the code below.

Of course in a shared hosting environment you don’t have access to the apache binary or apachectl so this won’t work:

apachectl -M
apache2ctl -M
ls /etc/apache2
ls /etc/apache2/mods-enabled/

As for PHP options my host had phpinfo() restricted in its output and apache_get_modules() disabled… So I had to look for other options and managed to patch together the .htaccess and PHP combination below. After trying other options like setting a redirect inside of an IfModule statement.

I believe the only requirements for this to work are an enabled mod_env, a working PHP and maybe Apache?
(Of course the server config must have set `AllowOverride` to enable .htaccess to have effect.)
(Which would be typical in a shared hosting environment but by default in Debian it would be off)
(Further in Debian we would need to enable mod_php or configure php5-cgi)

I have tested this on a local Apache server and a shared host with various modules enabled/disabled and it seems to do what is says on the tin ๐Ÿ™‚

– Create these files in a web server directory.
– Remember to set permissions and executable rights where required.
– Hit the server with a web browser.

.htaccess:

<IfModule mod_env.c>
    SetEnv MOD_ENV On
    <IfModule mod_rewrite.c>
        SetEnv MOD_REWRITE On
    </IfModule>
    <IfModule mod_alias.c>
        SetEnv MOD_ALIAS On
    </IfModule>
    <IfModule mod_access_compat.c>
        SetEnv MOD_ACCESS_COMPAT On
    </IfModule>
    <IfModule mod_cgi.c>
        SetEnv MOD_CGI On
    </IfModule>
    <IfModule mod_fcgid.c>
        SetEnv MOD_FCGID On
    </IfModule>
    <IfModule mod_fastcgi.c>
        SetEnv MOD_FASTCGI On
    </IfModule>
    <IfModule mod_wsgi.c>
        SetEnv MOD_WSGI On
    </IfModule>
    <IfModule mod_php4.c>
        SetEnv MOD_PHP4 On
    </IfModule>
    <IfModule mod_php5.c>
        SetEnv MOD_PHP5 On
    </IfModule>
    <IfModule mod_python.c>
        SetEnv MOD_PYTHON On
    </IfModule>
</IfModule>

module_check.php:

<?php
  $mod_env =  getenv('MOD_ENV')=='On' ? 'On' : 'Off' ;
  $mod_rewrite =  getenv('MOD_REWRITE')=='On' ? 'On' : 'Off' ;
  $mod_alias =  getenv('MOD_ALIAS')=='On' ? 'On' : 'Off' ;
  $mod_access_compat =  getenv('MOD_ACCESS_COMPAT')=='On' ? 'On' : 'Off' ;
  $mod_cgi =  getenv('MOD_CGI')=='On' ? 'On' : 'Off' ;
  $mod_fcgid =  getenv('MOD_FCGID')=='On' ? 'On' : 'Off' ;
  $mod_fastcgi =  getenv('MOD_FASTCGI')=='On' ? 'On' : 'Off' ;
  $mod_wsgi =  getenv('MOD_WSGI')=='On' ? 'On' : 'Off' ;
  $mod_php4 =  getenv('MOD_PHP4')=='On' ? 'On' : 'Off' ;
  $mod_php5 =  getenv('MOD_PHP5')=='On' ? 'On' : 'Off' ;
  $mod_python =  getenv('MOD_PYTHON')=='On' ? 'On' : 'Off' ;
?>
 
<?php
  echo "mod_env: $mod_env<br /><br />";
  echo "If mod_env is off then none of the following are valid.<br /><br />";
  echo "mod_rewrite: $mod_rewrite<br />";
  echo "mod_alias: $mod_alias<br />";
  echo "mod_access_compat: $mod_access_compat<br />";
  echo "mod_cgi: $mod_cgi<br />";
  echo "mod_fcgid: $mod_fcgid<br />";
  echo "mod_fastcgi: $mod_fastcgi<br />";
  echo "mod_wsgi: $mod_wsgi<br />";
  echo "mod_php4: $mod_php4<br />";
  echo "mod_php5: $mod_php5<br />";
  echo "mod_python: $mod_python<br />";
?>

Test in a web browser:

http://example.com/module_check.php

As you can see it’s very easy to understand. If mod_env is loaded then we can set some environment variables for each of the modules that are found to be loaded. The PHP script then grabs and echo’s those variables. Giving an easy to read summary of module status.

This would be easy to extend or modify to any module that you are interested in checking.

Errors. If you see something like this in the web browser then PHP is not being run.

"; echo "If mod_env is off then none of the following are valid.
 
"; echo "mod_rewrite: $mod_rewrite
"; echo "mod_cgi: $mod_cgi
"; echo "mod_fcgid: $mod_fcgid
"; echo "mod_fastcgi: $mod_fastcgi
"; echo "mod_wsgi: $mod_wsgi
"; echo "mod_php4: $mod_php4
"; echo "mod_php5: $mod_php5
"; echo "mod_python: $mod_python
"; ?>

Hope this help you as much as it helped me ๐Ÿ™‚
You probably want remove the files from the web server once you know which Apache modules are loaded.

Gavin Kromhout:


Thank you for visiting.
Do look around.
Do leave a comment.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)