Simple htaccess file to disallow script execution

#1  09-03-06, 01:04 AM
Industriality (Newbie Coder, joined Jul 2003, 23 posts)

I have a writable folder on my server (Linux, Apache) to allow users to upload JPG files. What I want to do is use an .htaccess file to prevent any script execution in that folder, just in case someone is able to upload a PHP script instead of a JPG, for example. Any idea how to do that with htaccess? Thanks.
#2  09-03-06, 01:21 AM
Industriality (Newbie Coder, joined Jul 2003, 23 posts)

Well, after searching more, I found a functional way of doing it, but it's a pretty ridiculous hack and I can't recommend anybody actually use it. You'll be able to see easily that I just copied and pasted part of someone else's htaccess file.

The result is that all php files (presumably without "chat" in the filename) get redirected to a nonexistent file, 404.php, with some arguments at the end. Since this file does not exist on the server, any PHP files executed in the folder where this .htaccess file resides will not actually be executed, but will return a 404 not found error.

If someone has a more logical approach to this, please let me know. Here is the functional code:
Code:
RewriteEngine On
# skip any request whose path contains "chat"
RewriteCond %{REQUEST_FILENAME} !chat
# every other .php request is rewritten to a file that does not exist, so it 404s
RewriteRule ^(.*\.php)$ 404.php?vbseourl=$1&%{QUERY_STRING} [L]
An ideal .htaccess file for me would be to disallow ANY files to execute no matter what their extension. The folder will only be used for JPGs and should only allow real JPG files to be loaded in a browser.
#3  09-03-06, 02:42 PM
curbview.com (Junior Code Guru, joined May 2006, 555 posts)

Quote:
Originally Posted by Industriality
An ideal .htaccess file for me would be to disallow ANY files to execute no matter what their extension. The folder will only be used for JPGs and should only allow real JPG files to be loaded in a browser.
Why use an .htaccess file? Simply test the file that is being uploaded and verify that it is indeed a .jpeg file. If you use Imagemagick, there is a built-in function for this.

Hope this helps!
#4  09-03-06, 02:54 PM
mab (Community VIP, Denver, Co. USA, joined Oct 2005, 2,674 posts)

I believe folder permissions would also be helpful. For example 0777 is read, write, and execute. 0666 is read and write only.
#5  09-03-06, 04:54 PM
Industriality (Newbie Coder, joined Jul 2003, 23 posts)

First, thanks to both responses.

curbview, I don't have control over the php file(s) that handle the uploads, plus I've had cases of remote scripting being able to upload files to writable folders without an upload php file on the server, so using an .htaccess file would cover both bases without the need to touch any php files.

mab, permissions must be set to 0777 for the folder to accept the JPG uploads. I can't change that. I imagine the upload script could change the permissions of the folder to 0777 before upload, then change back to 0666 when upload is complete, but again I'd prefer not to have to touch the php file(s) themselves. Having an .htaccess file that I could place in all of my writable folders which prevents script execution would be very useful.

Do you see any drawbacks to the somewhat strange way I did it in my second post? Besides throwing off my 404 Not Found logs?
#6  09-03-06, 05:39 PM
curbview.com (Junior Code Guru, joined May 2006, 555 posts)

Quote:
Originally Posted by Industriality
First, thanks to both responses.
permissions must be set to 0777 for the folder to accept the JPG uploads. I can't change that.
*ANY* web site that has a folder set to 777 is hackable. It will not matter what kind of .htaccess file you have in that folder as with the permissions being 777, I can remotely destroy that file, delete it or whatever else I would like to do.

Folders with permissions set to 777 are like putting a dead-bolt lock on the front door but leaving all the ground floor windows wide open. In this example:

dead-bolt lock = .htaccess file
ground floor windows = 777 chmod folder

777 = the entire world may edit, delete, upload a file (BIG SECURITY EXPLOIT)
755 = the entire world may read & execute the file
644 = the entire world may read the file

All this to say that a properly written script should be able to accept file uploads. The script (if the permissions were set correctly on the script itself) should now be able to add the file uploaded to the folder. *every* directory that is available for the public to access should have permissions set no higher than 644 other than the CGI-BIN which should be set to 755. If you are on a server that requires the cgi-bin to be chmod'd to 775, LEAVE THAT COMPANY as that means (775) that anyone who has an account on that server can access that folder with read, write, execute permissions.
#7  09-03-06, 07:58 PM
Industriality (Newbie Coder, joined Jul 2003, 23 posts)

Is there an article or quick reference I can read on how to allow file uploads and create log files in folders that are not 777? I have been following the simple instructions provided by public PHP apps and many of them say to leave folders set to 777 or they won't be writable. What you're saying is new to me and I'd love to avoid cross-server scripting hacks, and I'd love to avoid having to manually CHMOD folders to 777 all the time.

Thanks!
#8  09-03-06, 08:02 PM
curbview.com (Junior Code Guru, joined May 2006, 555 posts)

#9  09-03-06, 08:45 PM
Industriality (Newbie Coder, joined Jul 2003, 23 posts)

Google is trying only to teach me how to CHMOD. That's not helpful.

I'm wondering if PHP's function CHOWN has anything to do with this. Nothing on the server seems to allow file uploads or even writing a new TXT file with PHP unless the containing folder is 777. Could that be because PHP's user is different than the folder's owner?

I've used many different servers and often come up against things not working unless I CHMOD to 777, but if I can CHOWN a folder to use PHP's user as its owner, maybe I can leave a folder's permissions at 644 and still be able to write and upload to those folders. Any ideas?
#10  09-03-06, 08:56 PM
Industriality (Newbie Coder, joined Jul 2003, 23 posts)

Never mind. Running CHOWN from PHP gives me "Operation not permitted". I'm still left with a non-functional upload script unless I CHMOD the upload folder to 777.
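An added example, not code from anyone in this thread: a small shell helper that does what post #2 asked for, stamping a "serve images only, execute nothing" .htaccess into any writable upload folder, and then fixing the folder's group and mode so the upload script can write without 0777 (the problem in posts #6 to #10). It assumes Apache 2.x with AllowOverride permitting Options, FileInfo and Limit directives in .htaccess, and that the group you pass is the one Apache (and therefore mod_php) runs under; the chgrp step must be run from a shell by the directory's owner (who has to be a member of that group) or by root, which is why the same operation fails with "Operation not permitted" when attempted from PHP as in post #10.

```shell
#!/bin/sh
# harden_upload_dir DIR GROUP: write a "serve images only, execute nothing" .htaccess
# into an upload directory and set its group/mode so the upload script can write
# without 0777. Assumed (not from the thread): Apache 2.x with AllowOverride allowing
# these directives, and GROUP is the group the web server (and PHP) runs under.
harden_upload_dir() {
    dir="$1"
    webgroup="$2"
    [ -d "$dir" ] || mkdir -p "$dir"

    cat > "$dir/.htaccess" <<'EOF'
# Nothing in this directory is ever handed to a script engine.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5 .phps .cgi .pl .py .sh .shtml
RemoveType    .php .phtml .php3 .php4 .php5 .phps
SetHandler default-handler
Options -ExecCGI -Includes -Indexes
# Refuse every request, then re-allow only image extensions (case-insensitive).
<IfModule mod_authz_core.c>
    Require all denied
    <FilesMatch "\.(?i:jpe?g|gif|png)$">
        Require all granted
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    <FilesMatch "\.(?i:jpe?g|gif|png)$">
        Allow from all
    </FilesMatch>
</IfModule>
EOF
    chmod 0644 "$dir/.htaccess"

    # Owner stays this account; group = web server; mode 2770: the group may write,
    # the setgid bit makes new uploads inherit the group, and "other" gets nothing.
    chgrp "$webgroup" "$dir"
    chmod 2770 "$dir"
}

# Octal mode of a path (GNU stat), used to verify the result.
path_mode() { stat -c '%a' "$1"; }
```

Run it as the account that owns the folder, for example `harden_upload_dir /var/www/site/uploads www-data` (the function name and group are this example's own choices); the access rules refuse any request that is not an image before a handler ever runs, so the 404.php rewrite trick from post #2 is no longer needed.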