  1. #1

    Disallowed PHP scripts in xx7 Directories

    Hi
    Sometimes I have directories that must have w+x permission for other, and anyone may upload a PHP script to these directories and run it via web browser, so
    I would like to disallow running PHP scripts "via web browser" if they are in directories that have w+x permission for Other.
    Thanks,

  2. #2
    Why would you allow people to upload PHP scripts in the first place? If you allow people to upload other types, you may want to check for the true types of those files. For instance, if users are allowed to upload images, you must check for the size of the script; if your script doesn't recognize the size, then this uploaded file can't be an image type. Similarly, if an mp3 file is uploaded, run getid3 on the file.

  3. #3
    You should add some lines to the VirtualHost section in the httpd.conf.
    <Directory /path/to/non/php/folder>
    php_admin_flag engine off
    </Directory>
    This flag will turn off the PHP engine in the specified folder.

  4. #4
    It would be better to write it in your uploading script rather than editing httpd.conf. You don't want to go back into httpd.conf to edit it every time you create a folder in which you don't want to have PHP executed.

  5. #5
    I don't exclude your solution, but this solution may take place too, doesn't it?

  6. #6
    Thanks all
    I think the best solution is to tell httpd.conf or php.ini "Don't run PHP scripts if the folder has write and execute permission for other",
    but how to do it!

  7. #7
    If this is a directory that shouldn't be browsed to in the first place you can put the following in a .htaccess assuming the proper overrides have been set.

    Code:
    <Files *>
    order deny,allow
    deny from all
    </Files>
    If you have access to the httpd.conf then you can put that within a <Directory> block. You may also find it better to simply put the upload folder outside the doc root.

    You could also add an extension to the file other than php etc when it is uploaded so that it won't be parsed.

    i.e. a brief example
    Code:
    $file_name .= (substr($file_name, -4) == '.php')? '.txt': '';
    I don't know of any way to tell Apache not to handle any files in folders with rw permissions set for other as php files.

    There are a number of ways to solve your problem, some mentioned previously by others.
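
Added example, not part of any post in this thread: since Apache has no permission-based switch, one way to approximate the request in #6 is to generate the `<Directory>` blocks from #3 for every directory that has both write and execute set for other. It assumes mod_php (where `php_admin_flag` is available); the function name `gen_php_off_conf` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Emits Apache <Directory> blocks that
# switch the PHP engine off in every directory under a tree that "other" can
# both write to and traverse (o+w and o+x, e.g. mode 777 or 757).
# gen_php_off_conf is a hypothetical helper name.

gen_php_off_conf() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    # <Directory> needs an absolute filesystem path.
    docroot=$(cd "$1" && pwd) || return 1

    # -perm -0003 matches only when BOTH o+w (0002) and o+x (0001) are set.
    # Symlinks are not followed, so only real directories are listed.
    find "$docroot" -type d -perm -0003 -exec sh -c '
        for dir do
            case $dir in
                *\"*|*"
"*)
                    # A quote or newline would corrupt the generated config.
                    echo "skipped (unsafe name): $dir" >&2
                    continue ;;
            esac
            printf "<Directory \"%s\">\n" "$dir"
            printf "    php_admin_flag engine off\n"
            printf "</Directory>\n"
        done
    ' sh {} +
}

# Stand-alone use: ./script.sh /path/to/docroot > php-off.conf
if [ "$#" -gt 0 ]; then
    gen_php_off_conf "$1"
fi
```

Write the output to a file pulled in from httpd.conf with `Include`, regenerate it whenever directories or permissions change, and run `apachectl configtest` before reloading.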

  8. #8
    Thanks for all efforts
    I'm waiting for some other solutions?!
