[ALUG] Stopping Apache running scripts from writeable directories
ddryden at gmail.com
Tue Oct 2 15:03:36 BST 2007
Maybe I'm just being naive but couldn't you just check the file
extension/mime type to make sure uploads are images, and not allow execution
rights on uploads?
On 10/2/07, Mark Rogers <mark at quarella.co.uk> wrote:
> Is it possible to prevent Apache from running a script from a writeable
> It's common these days to have some writeable directories with (for
> example) CMS packages like Joomla, which use them for uploaded images
> etc. However I have a server that's been exploited through a badly
> written plugin which used the normal upload mechanism to upload the
> script, then ran the script directly via an HTTP request to the uploaded
> file. That script was used to send spam, so despite the limited write
> permissions it was restricted to it was still able to do a lot of harm.
> Any of my own code which requires this always puts the writeable
> directories outside docroot but that doesn't seem to be an option with
> Joomla and others like her. I appreciate that they could still be
> "included" through abuse of a badly written script in a read-only
> directory, but that's at least an order of magnitude harder.
> I know that the ability to upload new templates/plugins/etc would break
> if I achieve what I'm asking, but it's no big deal having a script which
> adds temporary write permissions whilst installing a module and removes
> them afterwards. Allowing end users to upload avatars and other images
> seems to be the way of the world these days though.
> Mark Rogers // More Solutions Ltd (Peterborough Office) // 0845 45 89 555
> Registered in England (0456 0902) at 13 Clarke Rd, Milton Keynes, MK1 1LG
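A hardened per-directory Apache configuration covering both points raised above (no execution rights on the writeable upload tree, and refusing to serve anything with a script extension at all). This is an added example, not from either poster; it assumes Apache 2.4 syntax, mod_php loaded as mod_php5, and an upload directory at /var/www/html/images, all of which are constructed for illustration.

```apache
# Constructed example: Joomla-style image upload directory that must be
# writeable by the web server but must never execute anything.
<Directory "/var/www/html/images">
    # No CGI and no server-side includes from this tree
    Options -ExecCGI -Includes

    # An attacker who can upload files can upload a .htaccess too; this
    # stops an uploaded .htaccess from re-enabling any handler below.
    AllowOverride None

    # Turn the PHP engine off for this tree (module name varies with the
    # PHP version: mod_php5.c, mod_php7.c or mod_php.c)
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # Strip any handler or MIME mapping that would hand a file to an
    # interpreter, then force everything to be served as a static file
    RemoveHandler .php .phtml .php3 .php5 .pl .py .cgi .sh
    RemoveType .php .phtml .php3 .php5
    SetHandler default-handler

    # Belt and braces: refuse to serve script-looking names outright,
    # so even a renamed interpreter mapping cannot reach them.
    # (Apache 2.2 would use "Order deny,allow" / "Deny from all" here.)
    <FilesMatch "\.(php[0-9]?|phtml|phar|pl|py|cgi|sh)$">
        Require all denied
    </FilesMatch>
</Directory>
```

If PHP runs through PHP-FPM via mod_proxy_fcgi rather than mod_php, the `php_admin_flag` line does nothing and the `SetHandler default-handler` plus the `FilesMatch` deny are what actually prevent execution, so keep both.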