On Tue, Oct 02, 2007 at 02:44:02PM +0100, Mark Rogers wrote:
> Is it possible to prevent Apache from running a script from a writeable directory?
> It's common these days to have some writeable directories with (for example) CMS packages like Joomla, which use them for uploaded images etc. However, I have a server that's been exploited through a badly written plugin which used the normal upload mechanism to upload the script, then ran the script directly via an HTTP request to the uploaded file. That script was used to send spam, so despite the limited write permissions it was restricted to, it was still able to do a lot of harm.
Can I make the simple assumption that in this case, by "script" you mean a chunk of php? If it was a "real" script then ExecCGI would have needed to be turned on, and it'd have needed to be marked as executable... so I'm fairly confident that it won't have been that...
Anyways - what you want is...
<Directory /path/to/the/upload/directory>
    RemoveType .php .phtml .php3 .phps
</Directory>
That should do it.
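A fuller version of that lock-down, added here as an illustration and not taken from the reply above. It assumes Apache 2.4 syntax and an upload tree at /var/www/site/uploads (both assumptions), and shows the global mapping that makes uploaded PHP executable alongside the per-directory settings that switch it back off:

```apache
# Constructed example. The global mapping below is what makes any
# uploaded .php file executable wherever it lands under the docroot
# (mod_php ships a line much like it by default).
AddType application/x-httpd-php .php .phtml .php3 .phps

# Per-directory override for the upload tree (assumed path).
<Directory /var/www/site/uploads>
    # Undo the type and handler mappings so PHP is not invoked here.
    RemoveType    .php .phtml .php3 .phps
    RemoveHandler .php .phtml .php3 .phps

    # mod_php only: turn the engine off for this tree outright.
    # Drop this line (or wrap it in <IfModule>) if PHP runs via
    # FastCGI/PHP-FPM, where there is no engine flag to switch.
    php_admin_flag engine off

    # No CGI execution, no listings, no symlink following.
    Options -ExecCGI -Indexes -FollowSymLinks

    # Stop a .htaccess dropped into the upload tree from re-adding
    # the type/handler mappings removed above.
    AllowOverride None

    # Refuse to serve PHP-looking files at all. This is the rule that
    # holds regardless of how PHP is wired in (mod_php or FPM), because
    # access control runs before any handler, and it also keeps the
    # file's source from being disclosed. Apache 2.2 would use
    # "Order allow,deny" / "Deny from all" here instead.
    <FilesMatch "\.(php|phtml|php3|php4|php5|phps|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Run `apachectl configtest` after adding it, then request a throwaway .php file placed in the upload tree and confirm the response is 403 rather than PHP output or raw source.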