• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 721
  • Last Modified:

777 Stop Script Execution

I have a directory which is 777 permissions because otherways I can't upload images to it via the php web browser form. Our script that does the uploading checks for script files (actually it explicitly allows certain files that way we dont miss some on the block side). I'd like to stop scripts from executing from the directory. I tried setting the permissions to 776 but then the images that need to display on the site dont show up. I tried creating an htaccess file:

<Files ~ "\.(php|php3|php4|phps|phtml|shtm|shtml|cgi|pl|pm|asp|cfm|js|jse|jsp|jar|py|exe|com|bat|dll|pif|scr|reg|inf)$">
order allow,deny
deny from all
</Files>

and it didn't work... so I tried...
AddType text/plain .php
AddType text/plain .php3
AddType text/plain .php5
AddType text/plain .cgi
AddType text/plain .net
AddType text/plain .asp

and still nothing... Thoughts? We have a bunch of sites using this script and structure so I'm looking for a solution which I can just upload a new htaccess or change the chmod or something. I dont want to have to update a wack load of my scripts.
0
phenixfilms
Asked:
phenixfilms
  • 4
  • 3
1 Solution
 
theevilwormCommented:
Change the owner and the group of that directory to the user the web server is running under.
on debian it's www-data, not sure about other distributions.
0
 
phenixfilmsAuthor Commented:
could a user not still somehow get a script file onto the server in that directory and execute it ?
0
 
theevilwormCommented:
I think i misunderstood the initial question, i thought that you meant executable as in executable from console.

add these lines into your .htaccess in that directory:
<Files ~ "\.(php|php3|php4|phps|phtml|shtm|shtml|cgi|pl|pm|asp|cfm|js|jse|jsp|jar|py|exe|com|bat|dll|pif|scr|reg|inf)$">
ForceType text/plain
</Files>

also, set the dir permissions to 775 and change the owner to the user the web server is running under. your scripts will be able to write files into that directory but other users won't (except for the users in the same group as the web server user)
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
phenixfilmsAuthor Commented:
For some reason that htaccess file didn't do anything... my host says:

You can always place mod security rules in the directory since it's running on the box. Unfortunately I'm not familiar with the creation of rules as we just use pre-made rulesets. If you decide to go this route, we're using modsec1.x not 2.x
0
 
theevilwormCommented:
Is the .htaccess file interpreted by apache?

In your virtual host definition (or base configuration if you're not using virtual hosts) add this line.
    <Directory /path/to/upload/dir>
        AllowOverride All
    </Directory>

This will enable .htaccess file functionality in that directory. Replace /path/to/upload/dir with the real full path of the directory you are uploading to.
0
 
phenixfilmsAuthor Commented:
I tried,

<Files ~ "\.(php|php3|php4|phps|phtml|shtm|shtml|cgi|pl|pm|asp|cfm|js|jse|jsp|jar|py|exe|com|bat|dll|pif|scr|reg|inf)$">
ForceType text/plain
</Files>

and it gives me a 500 error and then no images display from that directory on the rest of the site.  I tried the virtual host definition and it didn't make a difference. The server is reading the htaccess file because of I have a register globals setting and it works.

Another site of mine was hacked by placing scripts in a 777 folder though there is no upload form on the site. I'm curious how they were able to place files into it. Obviously this is a big security issue for me.
0
 
theevilwormCommented:
What apache version are you using?
The ForceType directive placed in <File> with the regex you specified works correctly on Apache 2.0 and 2.2 (i don't have any 1.3 instalation that i can test on). Are there any other entries in that .htaccess file?

the fact the the directory is 777 has nothing to do with php files placed there beeing executed. apache will run any php file it can read and will write files anywhere it's allowed to.

if ForceType is the directive causing the 500 error, there are other ways to stop parsing php files.
place these in the .htaccess file in the upload dir:
RemoveHandler .php
RemoveType .php

these will stop php parsing in that dir for any apache version for both shared module and cgi usage of php.

I cannot help you with your other issue without more details. You most likely have other security holes in your application if attackers managed to upload files without you application having that ability.  Are there any scripts that do allow uploading of files and are accessible directly trough apache even though they are not directly linked from your main pages? Do any of your scrips still have the upload functionality but the upload form not displayed? I've seen cases where a feature would be disabled by surrounding it in html comments which would still be available to direct calls.
Has your server been compromised in a way that allows the attackers console access to it? if so, uploaded php files parsing is probably the least of your worries.

Why don't you simply prevent users from uploading files with the .php extension? also, you don't need to allow everyone to write to the upload dir, the apache user and group write permissions are enough as long as the directory belongs to the apache user or apache belongs to the same group as the directory belongs to.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now