On Tue, Oct 02, 2007 at 03:34:09PM +0100, Mark Rogers wrote:
Brett Parker wrote:
Can I make the simple assumption that in this case, by "script" you mean a chunk of php?
Yes, although in practice anything that's being run via an Apache Handler would qualify, for the following reason:
If it was a "real" script then ExecCGI would have needed to be turned on, and it'd have needed to be marked as executable... so I'm fairly confident that it won't have been that...
:-)
Anyways - what you want is...
    <Directory /path/to/the/upload/directory>
        RemoveType .php .phtml .php3 .phps
    </Directory>
Sorry, I should have been clearer: I'm looking for a way to do it automatically by virtue of the fact that the directory is writeable, otherwise it's relying on me (and other site admins who tend to worry more about "does it work" than "is it secure", as I've discovered to my cost!) to not screw things up.
Presumably, now I think about it, it would be possible to do this via .htaccess files? At least that way a script could be written* that searched for writeable directories which did not contain .htaccess files and alerted me (or created them).
Bing bing bing bing... Err, well... that's not so good really is it... .htaccess files in the *writable* directory? ;)
Better to run a script that generates a file for apache's conf.d directory with the right set of directives in it...
So, *who* has write access to the directories is the obvious question, and then the next fun bit is to work out which files need to be roughly parsed in order to get the list of directories to search, and then after that needing to know all the modules that are enabled that could cause issues... (mod_php, mod_perl, mod_python, mod_blahdefoo) and have a snippet to disable them.
The script itself once the variables are out of the way is the easy part... ;)
Cheers,
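A worked version of the generator Brett sketches, added here as an example and not code posted by anyone in the thread: it walks a document root, picks out the directories the web server could write to, and emits a conf.d fragment that strips the PHP mappings (the RemoveType directive from the snippet above, plus RemoveHandler, Options -ExecCGI and AllowOverride None) for each of them. Everything beyond the RemoveType line is an assumption on my part: the web server account name (www-data), the "writable" heuristic (world-writable, or owned by that account or its primary group with the matching write bit), that PHP is wired up through AddType/AddHandler so the Remove* directives undo it, that paths contain no double quotes, and that only mod_php is of concern (mod_perl/mod_python would need their own handler removals).

```shell
#!/bin/sh
# php-off-for-writable-dirs.sh
# Added example for this thread, not code from Brett or Mark: emit an Apache
# conf.d fragment that removes the PHP type/handler mappings from every
# directory under a document root that the web server could write to.
#
# Assumptions (labelled, not from the thread):
#   - the web server account is WEBUSER (default www-data); a directory counts
#     as writable if it is world-writable, or owned by that account or its
#     primary group with the matching write bit set;
#   - PHP is mapped via AddType/AddHandler, so RemoveType/RemoveHandler undo
#     it; AllowOverride None makes Apache ignore any .htaccess an attacker
#     manages to upload into the same directory;
#   - directory paths contain no double quotes.

gen_php_off_conf() {
    docroot=$1
    webuser=${2:-www-data}

    {
        # world-writable directories (octal -002 works in BusyBox and GNU find)
        find "$docroot" -type d -perm -002
        # directories the web server account can write through owner/group
        # bits; skipped when that account does not exist on this host
        if id "$webuser" >/dev/null 2>&1; then
            find "$docroot" -type d -user "$webuser" -perm -200
            find "$docroot" -type d -group "$(id -gn "$webuser")" -perm -020
        fi
    } | sort -u | while IFS= read -r dir; do
        printf '<Directory "%s">\n' "$dir"
        printf '    RemoveType .php .phtml .php3 .phps\n'
        printf '    RemoveHandler .php .phtml .php3 .phps\n'
        printf '    Options -ExecCGI\n'
        printf '    AllowOverride None\n'
        printf '</Directory>\n\n'
    done
}

# Stand-alone use (paths are placeholders):
#   sh php-off-for-writable-dirs.sh /var/www www-data \
#       > /etc/apache2/conf.d/php-off-writable.conf
if [ -n "${1:-}" ]; then
    gen_php_off_conf "$1" "${2:-www-data}"
fi
```

Run it from cron or a config-management hook and reload Apache afterwards; because the output lands in conf.d rather than in the writable directory itself, someone with write access to the upload area cannot undo it, which is the point Brett makes about .htaccess files. The group-writable test only fires if the web server account exists on the machine running the script, so on a build host it degrades to the world-writable check.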