[ALUG] Stopping Apache running scripts from writeable directories

Brett Parker iDunno at sommitrealweird.co.uk
Tue Oct 2 15:11:04 BST 2007


On Tue, Oct 02, 2007 at 02:44:02PM +0100, Mark Rogers wrote:
> Is it possible to prevent Apache from running a script from a writeable 
> directory?
> 
> It's common these days to have some writeable directories with (for 
> example) CMS packages like Joomla, which use them for uploaded images 
> etc. However I have a server that's been exploited through a badly 
> written plugin which used the normal upload mechanism to upload the 
> script, then ran the script directly via an HTTP request to the uploaded 
> file. That script was used to send spam, so despite the limited write 
> permissions it was restricted to it was still able to do a lot of harm.

Can I make the simple assumption that in this case, by "script" you mean
a chunk of php? If it was a "real" script then ExecCGI would have needed
to be turned on, and it'd have needed to be marked as executable... so
I'm fairly confident that it won't have been that...

Anyways - what you want is...

<Directory /path/to/the/upload/directory>
        RemoveType .php .phtml .php3 .phps
</Directory>

That should do it.

-- 
Brett Parker
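Added example, not part of the thread above: a defence-in-depth version of the same idea, written from the defender's side. It assumes Apache 2.4 syntax (`Require all denied`), that PHP is served by mod_php (for `php_admin_flag`), and the hypothetical path /var/www/site/uploads; adapt the path and drop the mod_php line if PHP runs via php-fpm instead.

```apache
# Weak setting: upload directory inherits whatever the vhost does for .php,
# so an uploaded "image.php" is executed on the first GET request.
# <Directory /var/www/site/uploads>
#         Options Indexes FollowSymLinks
#         AllowOverride All
# </Directory>

# Hardened setting for the same directory (hypothetical path).
<Directory /var/www/site/uploads>
        # Drop the MIME-type mapping that hands .php files to the PHP engine,
        # as suggested in the reply above (only helps if PHP was enabled
        # with AddType rather than AddHandler/SetHandler).
        RemoveType .php .phtml .php3 .phps

        # Also drop any handler-based mapping (covers the AddHandler case).
        RemoveHandler .php .phtml .php3 .phps

        # Belt and braces for mod_php: disable the engine here outright,
        # and do it with php_admin_flag so a .htaccess cannot re-enable it.
        php_admin_flag engine off

        # No CGI, no SSI: a "real" executable script cannot run here either.
        Options -ExecCGI -Includes

        # An attacker who can upload files can upload a .htaccess too;
        # refuse to read one in this tree at all.
        AllowOverride None

        # Finally, do not serve PHP-like files from here at all. Even if
        # execution is off, handing the raw source back leaks nothing useful
        # to a legitimate user and gives the intruder a clear 403 instead.
        <FilesMatch "\.(php[0-9]?|phtml|phps)$">
                Require all denied
        </FilesMatch>
</Directory>
```

After reloading, confirm with `curl -I https://example.invalid/uploads/test.php` (hypothetical host) that a harmless uploaded test file returns 403 rather than 200, and watch the error log for the denied requests, which are a useful detection signal for the upload-then-execute pattern described in the original question.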



