Today one of our hosted websites got hacked by someone who used the "image upload" functionality of the website to upload a PHP file. As the website is badly done, it didn't properly check the file type and made anything uploaded accessible from a URL.
Obviously, the hacker was able to run his own PHP scripts in the scope of the hacked website, and exploited it by installing a massive spam mailer that got us blocked by some major mail providers (Hotmail, Yahoo, etc.).
Consequently, we notified the website owners/authors of the issue, but I don't really trust their ability to correctly check uploaded files before making them world-accessible. Thus, I decided to look for an easy method to disable PHP execution in a specific folder that our clients can use.
After some research, it turned out to be a really easy task. Just tell your users to upload an ".htaccess" file into each folder where PHP must not run, with the following content:
Code:
# Unmap the PHP handler for this directory (and its subdirectories) when PHP
# is served through mod_fastcgi, so .php files are no longer executed here.
<IfModule mod_fastcgi.c>
    RemoveHandler .php .php5
</IfModule>
Done! I just thought it would be good to document this.
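The snippet above only takes effect when PHP is wired in through mod_fastcgi; on a server that runs PHP as mod_php or through PHP-FPM (mod_proxy_fcgi) the <IfModule> block is skipped and uploaded scripts still execute. The following .htaccess is an added example, not the original post's snippet, that covers those cases as well. It assumes the directory's AllowOverride permits FileInfo and AuthConfig, and that Apache 2.4 is in use for the final deny block.

```apache
# Added example: defensive .htaccess for an upload directory.
# Each <IfModule> block is silently ignored when that module is not loaded,
# so the file is safe to drop in regardless of how PHP is configured.

# PHP as an Apache module (mod_php): switch the engine off for this tree.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# PHP through mod_fastcgi (the original post's case): unmap the handler.
<IfModule mod_fastcgi.c>
    RemoveHandler .php .php5
</IfModule>

# PHP-FPM through mod_proxy_fcgi: the vhost normally binds the handler with
# SetHandler inside a FilesMatch, so reset it to none for this directory.
<IfModule mod_proxy_fcgi.c>
    <FilesMatch "\.(php|php[0-9]|phtml|phar)$">
        SetHandler none
    </FilesMatch>
</IfModule>

# Backstop independent of the PHP module: refuse to serve any PHP-looking
# file at all, so a mis-detected handler cannot fall back to executing it.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(php|php[0-9]|phtml|phar)$">
        Require all denied
    </FilesMatch>
</IfModule>
```

To verify the result, place a harmless test file such as info.php containing only a phpinfo() call in the folder and request it: a correct setup returns the file's source as plain text or a 403, never rendered PHP output.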