I have a system where users pay for support, and each user has a folder. I have many (200+) sub-folders on my website, and each of these needs the CSS, images, JS etc...
I also create folders every week for new users when they register; each user can upload PHP scripts, JS scripts or images.
My problem is: in my .htaccess, I have a rule that checks for PHP scripts and redirects to the proper page, e.g. site.com/user/page will go to site.com/user/page.php.
What I want to do is prevent the user from breaking the system, for example: site.com/user/upload/test will go to his test.php and run it.
How can I prevent these kind of attacks?
When receiving an upload, you can avoid attackers uploading executable PHP or other code by examining your uploads for content. For example, if you are accepting image uploads, call the PHP getimagesize() function on the uploaded file to determine if it is a valid image.
Serve fetched files from your application rather than directly via the web server. Store files in a non-publicly accessible directory if you can. Write to the file when you store it to include a header that makes it non-executable. As you can see from the video demonstration and the content above, file upload vulnerabilities are serious.
Mistake 2: There is no sanitization on the file name or contents. This allows an attacker to upload a file with a .php extension which can then be accessed by the attacker from the web and executed. Developers can avoid this mistake by sanitizing the file name so that it does not contain an extension that can execute code via the web server.
WordPress has some built-in functions to check and sanitize files before uploading. wp_check_filetype() will verify the file's extension is allowed to be uploaded, and, by default, WordPress's list of allowable file uploads prevents any executable code from being uploaded.
Block access to PHP files in your .htaccess; put this in a .htaccess file inside the folder whose files you want to block:
<FilesMatch "\.(php|phps)$">
    # Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 use: Require all denied
    order deny,allow
    deny from all
</FilesMatch>
Or in root .htaccess file you can:
# Note: a <Directory> container is rejected inside .htaccess ("not allowed here");
# this form belongs in the server or vhost config and takes an absolute filesystem
# path (placeholder below), not a regex.
<Directory "/path/to/docroot/user/upload">
    <FilesMatch "\.(php|phps)$">
        order deny,allow
        deny from all
    </FilesMatch>
</Directory>
Will block access to all php files inside the user/upload folder, even if mod_rewrite is used.
But, if you want to keep the .php files accessible for download and don't want them executed, you can use this in .htaccess:
<FilesMatch "(.+)$">
    ForceType text/plain
    # ForceType only overrides an AddType-based PHP mapping; if PHP is bound with a
    # handler (AddHandler/SetHandler, e.g. php-fpm), also reset the handler:
    SetHandler default-handler
</FilesMatch>
All files in the folder will be returned as text/plain. You can bind this in the Directory tag to get a result similar to the deny-access rule of the second example.
You can also choose the file extensions you want to deliver as text/plain:
<FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
    ForceType text/plain
    SetHandler default-handler   # also neutralises a handler-based PHP binding
</FilesMatch>
Please remember that Apache might have more extensions handled by the PHP type handler, and it indeed does. Here is the .htaccess content that works fine for our server.
<FilesMatch "(?i)\.(php5|php4|php|php3|php2|phtml|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
    ForceType text/plain
    SetHandler default-handler   # also neutralises a handler-based PHP binding
</FilesMatch>
It is working fine for us.
My problem is: in my .htaccess, I have a rule that checks for PHP script and redirects to the proper page e.g. site.com/user/page will go to site.com/user/page.php
Why not just create the users page as site.com/user/page/index.php ?
site.com/user/upload/test will go to his test.php and run it
Then your rewrite rule is wrong - but you didn't show us what it is. Also your code for handling file uploads is wrong - and it's not just PHP which is the problem - you could be acting as a mule site for all sorts of malware.
When allowing users to upload content, you should never store it in such a way that it is directly addressable by the webserver (except maybe for very large files of very specific and VERIFIED file types - such as videos). All access should be mediated by a control script (which may set the mime type and filename for the content it channels).
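Tying together the advice from the two answers above (check uploads by content, keep them out of the web root, and hand them out only through a control script that sets the type and filename), here is an added PHP example; it is not code from the thread, and STORE_DIR, the image-only allowlist and the $user id are assumptions.

```php
<?php
// Added example, not code from the thread: uploads are stored outside the
// document root and served by a control script, so an uploaded test.php is
// never reachable as site.com/user/upload/test.php and cannot be executed.
// Assumptions: STORE_DIR is outside the web root, $user is the authenticated
// user's id, and only PNG/JPEG/GIF images are accepted.
const STORE_DIR = '/var/app/uploads';
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Validate one $_FILES entry and store it under a random, server-chosen name.
function storeUpload(array $file, string $user): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // getimagesize() parses the bytes: a PHP script renamed to .png fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info['mime']])) {
        throw new RuntimeException('not an accepted image');
    }
    // The client-supplied name is never used; the extension comes from the detected type.
    $id = bin2hex(random_bytes(16));
    $dir = STORE_DIR . '/' . basename($user);
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create store');
    }
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $id . '.' . ALLOWED[$info['mime']])) {
        throw new RuntimeException('cannot store file');
    }
    return $id;
}

// Control script: resolve the id, set the type ourselves and stream the bytes.
function serveUpload(string $user, string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) { http_response_code(404); return; } // also rejects ../
    $found = glob(STORE_DIR . '/' . basename($user) . '/' . $id . '.*');
    if (!$found) { http_response_code(404); return; }
    $path = $found[0];
    $ext  = pathinfo($path, PATHINFO_EXTENSION);
    header('Content-Type: ' . (array_search($ext, ALLOWED, true) ?: 'application/octet-stream'));
    header('X-Content-Type-Options: nosniff');      // browsers must not sniff it as HTML/JS
    header('Content-Disposition: inline; filename="' . $id . '.' . $ext . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```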