508 error

My website URL is: enderadel.cf

What I’m seeing is: that my website files keeps returning a 508() error and when I open the files in a new tap a message shows up and tells me that I’ve used all of the all available PHP / apache processes allowed on free hosting account.

I’m using this software: The free hosting plane and Cloudflare

Additional information:

  1. I don’t use PHP at all!
  2. Here’s my .htaccess file:
ErrorDocument 400 /assets/page/ErrorPage.html?e=400
ErrorDocument 402 /assets/page/ErrorPage.html?e=402
ErrorDocument 403 /assets/page/ErrorPage.html?e=403
ErrorDocument 404 /assets/page/ErrorPage.html?e=404
ErrorDocument 405 /assets/page/ErrorPage.html?e=405
ErrorDocument 406 /assets/page/ErrorPage.html?e=406
ErrorDocument 407 /assets/page/ErrorPage.html?e=407
ErrorDocument 408 /assets/page/ErrorPage.html?e=408
ErrorDocument 409 /assets/page/ErrorPage.html?e=409
ErrorDocument 410 /assets/page/ErrorPage.html?e=410
ErrorDocument 411 /assets/page/ErrorPage.html?e=411
ErrorDocument 412 /assets/page/ErrorPage.html?e=412
ErrorDocument 500 "The server has crashed, you'll need to come back later! -EnderAdel team"
Options -Indexes
<ifModule mod_headers.c>
  Header always set Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; connect-src 'self'; manifest-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' ajax.cloudflare.com; style-src 'self' 'unsafe-inline'; font-src 'self' data:; frame-src https://open.spotify.com/; media-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; block-all-mixed-content;"
  Header always set Strict-Transport-Security "max-age=31492800; preload"
</IfModule>
BrowserMatchNoCase SpammerRobot bad_bot
BrowserMatchNoCase SecurityHoleRobot bad_bot
Order Deny,Allow
Deny from env=bad_bot
Deny from 127.0.0.1
Deny from 192.168.1.1
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header always set X-Frame-Options deny
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  Header append Vary User-Agent
</IfModule>
RewriteEngine On
DirectoryIndex EnderIndex.php EnderIndex.html
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
RewriteCond %{HTTP_HOST} ^www.enderadel.cf [NC]
RewriteRule ^(.*)$ https://enderadel.cf/$1 [L,R=301]
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
<Files .htaccess>
order allow,deny
deny from all
</Files>
php_value upload_max_filesize 2M
1 Like

I checked your account and I definitely see some PHP files there. Are you sure that nothing is trying to access them, either as part of your site or in some other way?

2 Likes

There are some files. but none of them are being accessed by any other code (there’s a part of my js code that does call those files but only if the user is signed in, but I didn’t wrote any code for the user to sign up or login at the moment)

1 Like

Note that Javascript is executed in the browser of the visitor. This means the browser and visitor can see and manipulate the Javascript code on your website. This may allow the user to see and execute code which is normally only accessible to logged in users, and attempt to access the PHP files that way.

Due to an issue in your code, an issue in the visitors browser or just a malicious party trying to probe the hidden URLs, you can still get traffic on your PHP scripts. The fact that the scripts are not accessed does not mean they are inaccessible.

3 Likes