Preventive protection for your own scripts and other people's
I am probably not mistaken in saying that a very large share of "mega-hacker" break-ins rely on uploading a PHP script into a directory that scripts are allowed to write files to (0777, for example). These are the directories for uploaded product photos, avatars, etc.
A few years ago I figured out a way to prevent such things at the root. They may upload a script, but they will not be able to use it. It has seemed obvious all this time, but few people realize it. For example, a similar thing was added to the popular SMF forum only in its latest patch. So, for those who have not thought of it...
It's simple. In every directory that is available for writing, we upload an .htaccess file (or add lines to the existing one) with the following contents:
php_flag engine 0
AddType "text/html" .php .cgi .pl .fcgi .fpl .phtml .shtml .php2 .php3 .php4 .php5 .asp .jsp
This way we disable PHP in this directory and force all scripts to be served as HTML. This can be done just in case; it certainly won't hurt. Of course, this is for Apache only. If someone knows how to implement this in IIS, write. :)
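To check that no writable directory was missed, the audit below walks a web root and lists the ones not covered by the two directives. It is an added example, not part of the original post; the function names are hypothetical, and "writable by scripts" is assumed to mean the world-write bit is set (as with 0777).

```python
import os
import re
import stat

# The two directives from the article; Apache also accepts "off" for a flag.
ENGINE_OFF = re.compile(r'^\s*php_flag\s+engine\s+(?:0|off)\s*$', re.I | re.M)
ADDTYPE_HTML = re.compile(r'^\s*AddType\s+"?text/html"?\s.*\.php\b', re.I | re.M)


def htaccess_disables_php(directory):
    """True if directory/.htaccess holds both directives, uncommented."""
    try:
        with open(os.path.join(directory, ".htaccess"), errors="replace") as fh:
            text = fh.read()
    except OSError:
        return False  # no .htaccess here, or it cannot be read
    return bool(ENGINE_OFF.search(text) and ADDTYPE_HTML.search(text))


def unprotected_writable_dirs(webroot):
    """List world-writable directories under webroot with no covering .htaccess.

    Assumption: "writable by scripts" is approximated by the world-write bit.
    .htaccess settings are inherited by subdirectories, so every ancestor up
    to the web root is checked as well.
    """
    webroot = os.path.abspath(webroot)
    findings = []
    for current, _dirs, _files in os.walk(webroot):
        if not os.stat(current).st_mode & stat.S_IWOTH:
            continue  # scripts cannot drop files here under our assumption
        probe = current
        while not htaccess_disables_php(probe) and probe != webroot:
            probe = os.path.dirname(probe)
        if not htaccess_disables_php(probe):
            findings.append(os.path.relpath(current, webroot))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in unprotected_writable_dirs(root):
        print("no PHP lockdown:", path)
```

The script only inspects files on disk: php_flag takes effect only when PHP runs as an Apache module and the server's AllowOverride setting permits these directives in .htaccess.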