Current time: 11-23-2024, 12:47 PM Hello There, Guest! (LoginRegister)


Post Reply 
Disable php on a specific folder
Author Message
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #1
Disable php on a specific folder
Today one of our hosted websites got hacked by someone using an "image upload" functionality on a website to upload a php file. As the website is badly done, it didn't properly check the file type and putted anything accessible from an URL.

Obviously, the hacker was able to run it's own php scripts in the scope of the hacked web, and exploited it by installing a massive spam mailer that got us blocked by some major mail providers (hotmail, yahoo, etc.).

Consequently, we notified the website owners/authors of the issue, but I don't really trust on their ability to correctly check uploaded files before making them world-accessible. Thus, I've decided to seek for an easy method to disable php execution on a specific folder that may be used by our clients.

After some research, it turned out to be a really easy task. Just tell your users to upload an ".htaccess" file to these php forbidden folders with the following content:
Code:
<IfModule mod_fastcgi.c>
    RemoveHandler .php .php5
</IfModule>

Done! I just thought it would be good to document this Smile
05-29-2009 08:34 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #2
RE: Disable php on a specific folder
This is good to know and an easy task!
Thanks for info.

Greez BeNe
05-30-2009 02:14 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)