I'm working on an online file manager as part of a website running on a LAMP stack. What are some file extensions I should disallow for uploaded files? ".php" is an obvious one.
I would go about it the other way. Only spec files that you ALLOW to be posted. otherwise there can be any variety of file types that you didn't consider and that can be very hazardous. Consider your "disallow PHP", did you also consider ".php5" or ".phps" ? It's much better to take a few minutes and compile a list of the specific types you WILL allow. This take a bit of front-loading, but in the end will likely save you a major headache.
I think you'd be better off configuring Apache so it won't even try to run scripts from the upload directory. Then it doesn't matter if someone uploads a .php file -- if someone else browses to that file, the server will serve it up just like any .gif or .jpg, rather than trying to run it on the server -- i.e., the user will just get a .php file downloaded to their computer.
(Note that I'm nothing of an Apache expert, so I don't know exactly what configuration changes you have to make to disable script execution -- but it should be easy to look at your config file, see what's already turned on for your main directory, and reverse it for your uploads directory.)
You might also need to watch out for the GIFAR exploit.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With