[ALUG] Stopping Apache running scripts from writeable directories

Dennis Dryden ddryden at gmail.com
Tue Oct 2 15:03:36 BST 2007


Maybe im just being naive but couldn't you just check the file
extension/mime type to make sure uploads are images, and not allow execution
rights on uploads?

Dennis


On 10/2/07, Mark Rogers <mark at quarella.co.uk> wrote:
>
> Is it possible to prevent Apache from running a script from a writeable
> directory?
>
> It's common these days to have some writeable directories with (for
> example) CMS packages like Joomla, which use them for uploaded images
> etc. However I have a server that's been exploited through a badly
> written plugin which used the normal upload mechanism to upload the
> script, then ran the script directly via an HTTP request to the uploaded
> file. That script was used to send spam, so despite the limited write
> permissions it was restricted to it was still able to do a lot of harm.
>
> Any of my own code which requires this always puts the writeable
> directories outside docroot but that doesn't seem to be an option with
> Joomla and others like her. I appreciate that they could still be
> "included" through abuse of a badly written script in a read-only
> directory, but that's at least an order of magnitude harder.
>
> I know that the ability to upload new templates/plugins/etc would break
> if I achieve what I'm asking, but it's no big deal having a script which
> adds temporary write permissions whilst installing a module and removes
> them afterwards. Allowing end users to upload avatars and other images
> seems to be the way of the world these days though.
>
> --
> Mark Rogers // More Solutions Ltd (Peterborough Office) // 0845 45 89 555
> Registered in England (0456 0902) at 13 Clarke Rd, Milton Keynes, MK1 1LG
>
>
> _______________________________________________
> main at lists.alug.org.uk
> http://www.alug.org.uk/
> http://lists.alug.org.uk/mailman/listinfo/main
> Unsubscribe?  See message headers or the web site above!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.alug.org.uk/pipermail/main/attachments/20071002/9e78f235/attachment.htm 


More information about the main mailing list