14

I have a system where user pay for support, each user have a folder. I have many (like 200+) sub folderד in my website, each of these needs the CSS, images, JS etc...

I also create folders every week for new users when they register, each user can upload PHP script or JS script or images. (screenshot of their problem)

My problem is: in my /.htacess, I have a rule that checks for PHP script and redirects to the proper page e.g. site.com/user/page will go to site.com/user/page.php

What I want to do is prevent the user from breaking the system, for example by:

site.com/user/upload/test will go to his test.php and run it.

How can I prevent these kind of attacks?

Improve this question

5 Answers 5

Reset to default
23

Block access to PHP files in you htaccess, put this file inside the folder you want to block files:

<Files ^(*.php|*.phps)> order deny,allow deny from all </Files>

Or in root .htaccess file you can:

<Directory ^user/upload> <Files ^(*.php|*.phps)> order deny,allow deny from all </Files> </Directory>

Will block access to all php files inside the user/upload folder, even if mod_rewrite is used.

But, if you want to keep the .php files accessible for download and don't want they execute it, you can use this on .htaccess:

<FilesMatch "(.+)$"> ForceType text/plain </FilesMatch>

All files in the folder will return as text/plain. You can bind this in the Directory tag to get a similar result of deny access from the second example.

You also can chose the file extensions you want to delivery as text/plain:

<FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi.+)$"> ForceType text/plain </FilesMatch>
Improve this answer
Sign up to request clarification or add additional context in comments.

12 Comments

Thanks that really helped. What about C files, is the above list (of FilesMatch) is complete. I am terrified
is a Regular Expression, you can match anything you want. Your server will not execute C file by the browser, it will delivery as data file (download). If you talking about the source, you can deny or allow access for it. If you want ANY file be downloadable as text, you can put `"(.+)$" as your regular expression and any file, I said ANY file, in the folder will be text/plain
Thanks, that is just fine, i will use "(.+)$ Thanks
Just a quick note: If you are trying to block users from executing php shells, then don't use this method! What if someone uploads a .htaccess file?
Would be good to only permit the extensions that would you may use, or you also can block .htaccess uploading and access is deny by default in apache 2 configs.
|
4

Please remember that Apache might have more extensions to handle by PHP type handler, and it indeed has. Here is the .htaccess content that works fine for our server.

<FilesMatch "(?i)\.(php5|php4|php|php3|php2|phtml|pl|py|jsp|asp|htm|shtml|sh|cgi)$"> ForceType text/plain </FilesMatch>

It is working fine for us.

Improve this answer

Comments

1

My problem is: in my /.htacess, I have a rule that checks for PHP script and redirects to the proper page e.g. site.com/user/page will go to site.com/user/page.php

Why not just create the users page as site.com/user/page/index.php ?

site.com/user/upload/test will go to his test.php and run it

Then your rewrite rule is wrong - but you didn't show us what it is. Also your code for handling file uploads is wrong - and its not just PHP which is the problem - you could be acting as a mule site for all sorts of malware.

When allowing users to upload content, you should never store it in such a way that it is directly addressable by the webserver (except maybe for very large files of very specific and VERIFIED file types - such as videos). All access should be mediated by a control script (which may set the mime type and filename for the content it channels).

Improve this answer

Comments

0

Well, I had an idea before you redirect to test.php, you redirect to a page that will verify that the code belongs to X user, if assigned, following the routine and redirects, if you do not belong, fires a 404

Improve this answer

Comments

0

Sorry, I misunderstood the question. I would think the best way to prevent these attacks from happening would be to save the files as .php.txt or something, so it's non-executable.

But print out the file's contents via f_open(); or file_get_contents();

If this is not what you are looking for, can you provide information about what your website does, exactly?

Improve this answer

1 Comment

im sorry i dont understand what you mean

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.