A simple way to protect against shell uploads and their scripts in the uploads folder

Friends, so as not to bore you with a long speech, I decided to simply share (or remind some of you of) an easy way to protect against scripts that end up in upload folders.

The situation: there is an uploads folder where, say, images are allowed to be uploaded, and everyone knows what its permissions are. So the owners of certain engines that still have some vulnerabilities (for whatever reason) can sometimes stumble upon scripts dropped into this folder, as I discovered to my surprise on my own site. And that, you know, sometimes has consequences.

So now I add a .htaccess file (if there isn't one already) to every folder that files are uploaded to, with the following lines:

# Detach the PHP handler from .php files in this directory
RemoveHandler .php
# Serve them as static HTML instead of passing them to PHP
AddType text/html .php
# Hand them to the server-parsed (SSI) handler rather than the PHP engine
AddHandler server-parsed .php


Now, provided your hosting honours .htaccess directives, even if such files do get uploaded, they will not be executed. By the way, the extension need not be only .php; it can be any other, or several of them separated by spaces. Leaving aside the problem of swapped extensions and properly configured permissions, we get a very simple and fast solution, and most importantly one that lets even poorly qualified users reduce critical vulnerabilities.
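The same idea built up in layers, with the checks a cautious admin would add, as an added example rather than the original post's file. It assumes Apache 2.4 with AllowOverride FileInfo Options AuthConfig granted for the uploads directory, and mod_php where PHP runs as a module (the engine-off lines are skipped under PHP-FPM, where they are not available):

```apache
# Added example, not the original post's file: a layered .htaccess for an
# uploads directory. Assumes Apache 2.4 and that this directory is granted
# AllowOverride FileInfo Options AuthConfig (otherwise the Options and
# handler lines cause a 500 instead of silently doing nothing).

# Layer 1: refuse to serve script-like extensions at all. Authorization is
# checked before any handler runs, so this holds regardless of how PHP was
# attached to the server. Case-insensitive; matches the final extension only.
<FilesMatch "\.(?i:php|phtml|phar|phps|pht|php[3-7]|shtml|cgi|pl|py)$">
    Require all denied
</FilesMatch>

# Layer 2: with PHP as an Apache module, switch the engine off for this tree.
# (Not available under PHP-FPM; IfModule keeps it from causing a 500 there.)
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# Layer 3: the post's own approach, widened to more extensions. It only bites
# when PHP was wired up through mod_mime (AddHandler/AddType); a server-level
# <FilesMatch> SetHandler is merged after .htaccess and is not undone by
# RemoveHandler, which is why layers 1 and 2 come first.
RemoveHandler .php .phtml .phar .phps .pht .php3 .php4 .php5 .php7 .shtml
RemoveType    .php .phtml .phar .phps .pht .php3 .php4 .php5 .php7
# text/plain rather than the post's text/html: a browser runs no <script>
# from a response it is told is plain text, so a stored file cannot become
# XSS on your origin if a later misconfiguration ever serves it.
AddType text/plain .php .phtml .phar .phps .pht .php3 .php4 .php5 .php7

# Layer 4: no SSI or CGI here. The post's "server-parsed" handler passes files
# to mod_include, which would honour SSI directives in them if Includes were
# enabled for this directory; turning both options off makes that moot.
Options -Includes -ExecCGI

# Layer 5: stop browsers from sniffing a stored "image" back into HTML.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

To check that it is in force, request an uploaded test file with a .php extension and confirm the response is 403 rather than the file's output or its source.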

P.S. I'll add that when I have to implement image uploads in my own code, in addition to the standard checks on uploaded files, I don't simply save the received file to disk: I load the POSTed image through the GD library and have GD write the image to disk, since anything that is not an image will not be saved. Maybe that's paranoid, but together with the .htaccess above it gives good results.

Source: https://habr.com/ru/post/82558/
