I am working on a task to make a PHP file upload secure, and my client wants to follow the guidelines mentioned on the website http://www.acunetix.com/websitesecurity/upload-forms-threat.htm
We are able to follow all the guidelines mentioned on this site except for the .htaccess rule. They mention doing the following.
Define a .htaccess file that will only allow access to files with allowed extensions.
Do not place the .htaccess file in the same directory where the uploaded files will be stored. It should be placed in the parent directory.
A typical .htaccess which allows only gif, jpg, jpeg and png files should include the following (adapt it for your own need). This will also prevent double extension attacks.
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>
If possible, upload the files in a directory outside the server root.
Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
Create a list of accepted mime-types (map extensions from these mime types).
Generate a random file name and add the previously generated extension.
Don’t rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.
So that no files other than gif, jpg and png will be executed. But they don't want the .htaccess to be in the folder where we upload images, as that folder has write permissions and the .htaccess could be overwritten. So they say to keep the file at root level.
I want to know: if we keep the file at root level and allow only image types to be served, then how will my PHP scripts be executed? When I add this .htaccess at root level, of course my PHP scripts don't work and return a permission error. I am struggling to get this to work.
Can you help me get this working, or suggest any other effective way to do this security check? We don't want to leave security loopholes in the system.
Any help will be appreciated.
Thank you all.
Code can be encoded into image files, so you should disable the PHP engine for these directories:
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
Or, if you can't set that in an .htaccess file, then you can do it in your httpd.conf or vhost conf file:
<VirtualHost *:80>
# ...
<Directory /path/to/webroot/path/to/upload/folder>
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
</Directory>
</VirtualHost>
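As an added example (not code from the question, the answer, or the Acunetix page), here is a PHP upload handler that applies the server-side guidelines quoted in the question alongside the Apache config above: content-based MIME check, extension derived from the detected type, random file name, no overwriting, and storage outside the web root. The upload directory path and the form field name are assumptions.

```php
<?php
// Added example, not from the question or answer: applies the quoted
// guidelines: content-based MIME check, extension taken from the detected
// type (not the client's file name), random name, no overwrite, storage
// outside DocumentRoot. $uploadDir and the form field name are assumptions.
declare(strict_types=1);

// Accepted MIME types, mapped to the extension we assign.
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

// Store one uploaded image; returns the stored file name or throws.
function storeUploadedImage(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file received');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a PHP-managed upload');
    }
    // Detect the type from file content; the client-supplied name and
    // Content-Type are both attacker controlled and are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("Rejected MIME type: $mime");
    }
    // Second check: the file must also parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }
    // Random name plus an extension chosen by us: double extensions vanish.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    // Never overwrite an existing file (covers the .htaccess case too).
    if (file_exists($dest)) {
        throw new RuntimeException('Name collision, please retry');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the upload');
    }
    chmod($dest, 0640); // readable by the server, never executable
    return $name;
}

// Usage (assumed field name "image", directory outside the web root):
// $stored = storeUploadedImage($_FILES['image'], '/var/www/uploads_private');
```

Files stored this way are served back through a separate read-only script that sets the Content-Type from the stored extension, so the upload directory itself never needs to be reachable by the web server.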