  1. #1
    tvcnet (cPanel Partner NOC, DataCenter Provider; San Diego; joined Aug 2003; 102 posts)

    Restricting image directory script execution

    Hi folks,
    Just stumped on this one and wondering if we have any mod rewrite or .htaccess editing experts out there.

    My goal is to have one entry in the public_html/.htaccess file which prevents scripts from executing within images directories (to keep the hackers out).

    Placing a .htaccess file with the restrictions within each directory separately is easy to do (that's a non-issue), but my goal here is to do it account wide.

    I tried the below but just can't seem to get it working:

    <DirectoryMatch "^.+/images">
    AllowOverride None
    Addhandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh
    php_admin_flag engine off
    </Directory>

    This is supposed to ensure all directories within account directories named /images will turn scripts into text so they wont' execute.

    I suppose you can do the same with mod redirect but the thought gives me a headache...

    Ideas?

    Many thanks,
    Jim

  2. #2
    Member (joined Jul 2009; 42 posts)

    Quote Originally Posted by tvcnet View Post
    [Jim's opening post #1, quoted in full]

    http://forums.cpanel.net/f185/howto-...on-144341.html

  3. #3
    tvcnet (cPanel Partner NOC, DataCenter Provider; San Diego; joined Aug 2003; 102 posts)

    Hi reporter,
    Thank you for your reply though it's the wrong answer to my post (delete your post if possible please as it confuses my question).

    Hopefully someone else will have an idea on how to use .htaccess to prevent scripts from running within every instance of a particular directory (like /images)?

    Thanks,
    Jim

  4. #4
    Secmas (Member; joined Feb 2005; 282 posts)

    Maybe this is what you are looking for:

    Preventing script execution in the pub directory using .htaccess file

    When you do not have access to the Apache config files
    (typically with shared hosting and no root access) you will
    control access to directories using .htaccess files. In the
    root of the pub directory you must put a .htaccess file with
    minimum this protection:

    # Sample '.htaccess' file for 'pub' subdirectory

    # Allow all access
    Allow from all

    # Deny people from looking at the index and running SSI and CGI
    Options None

    # We need to protect the entire pub directory tree against any
    # kind of script execution. TWiki has a renaming protection
    # scheme that alters certain file names to prevent script
    # execution but it may not be 100% safe only to rely on this.
    # The safest protection is to disable all scripting.

    # If you have PHP4 or PHP5 installed make sure the directive
    # below is enabled. If you do not have PHP installed you will
    # need to comment out the directive below to avoid errors:
    php_flag engine off

    # If you have PHP3 installed make sure the directive below is
    # enabled:
    #php3_engine off

    # This line will redefine the mime type for the most common
    # types of scripts. It will also deliver HTML files as if they
    # are text files:
    AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi

    Regards,

    Sergio

    PS: The complete text can be read here: http://seclists.org/vulnwatch/2006/q3/2
    Last edited by Secmas; 03-21-2010 at 08:38 AM.

  5. #5
    tvcnet (cPanel Partner NOC, DataCenter Provider; San Diego; joined Aug 2003; 102 posts)

    Hi Sergio,
    Your explanation is directory specific (so no it doesn't help answer my question).

    Yes, I could put a .htaccess file into every one of my 1000 images directories- that's not very efficient.

    The goal is to have one .htaccess file in public_html, such that if a hacker uploads a PHP script in any of my 1000 images directories, the hack cannot run in any directory on the site.

    Anyone else have an idea on this?

    Something with mod rewrite or regex, etc. is likely the answer (but I'm not an expert in that so not sure how to set that up).

    Many thanks,
    Jim
    Last edited by tvcnet; 03-21-2010 at 10:28 AM.

  6. #6
    Spiral (BANNED; Wild Wild West; joined Jun 2005; 2,025 posts)

    Better idea --- why don't you change from dso to either suphp or fcgi?

    (RE: Everything you have written thus far above is for "dso" specifically)

  7. #7
    tvcnet (cPanel Partner NOC, DataCenter Provider; San Diego; joined Aug 2003; 102 posts)

    Hi Spiral,
    No, that's not an option. I have clients with different server types (other shared hosts).

    This question is about developing a .htaccess that will prevent the execution of anything but images in all /images directories within a shared hosting account (whose account might be at any of a 1000 hosting companies worldwide).

    Best Wishes,
    Jim

  8. #8
    Spiral (BANNED; Wild Wild West; joined Jun 2005; 2,025 posts)

    Quote Originally Posted by tvcnet View Post
    No, that's not an option. I have clients with different server types (other shared hosts).

    That statement made absolutely no sense to me whatsoever or the reasoning for not moving away from dso there.

    I actually don't recommend that dso ever be used at all .... period.

    Anyway though, your commands "php_flag" and "php_value" that you were trying to use in .htaccess would not work on other php systems.

    Quote Originally Posted by tvcnet View Post
    This question is about developing a .htaccess that will prevent the execution of anything but images in all /images directories within a shared hosting account (whose account might be at any of a 1000 hosting companies worldwide).

    I understand the question but I see no logical value in that either ...

    If the servers are properly secured and configured, you would only be able to run php scripts that have a .php extension and if you simply "deny from all" the file type in the folder, there you go.

    Also just exactly how are they going to upload these files?

    Are the scripts and programs you are using allowing uploads blindly without checking file types? That wouldn't seem particularly bright.

    Also, most all "code execution and scripting in image" exploits are not done utilizing PHP code but rather almost always compiled binary and sometimes perl ---- really don't see php so much.

    If the server is setup properly, wouldn't matter anyway as anything they upload wouldn't be able to execute or do anything anyway though.

    But back to the original point --- "deny from all"

    Just deny access to the file type and make sure any apps that allow file uploads do proper content, filename, and filetype checks.

  9. #9
    tvcnet (cPanel Partner NOC, DataCenter Provider; San Diego; joined Aug 2003; 102 posts)

    Hi Spiral,
    You misread my original post. I'm not the server admin for every hosting company on the Planet. I have no way to update a web hosting company's web servers.

    The goal is to have one .htaccess file in public_html, such that if a hacker uploads a PHP script in any of my 1000 images directories, the hack (php, javascript, etc.) cannot run within any directory on the site.

    Something with mod rewrite or regex within a .htaccess file is likely the answer (but I'm not an expert in mod rewrite or regex so not sure how to set that up).

    Anyone else have an idea on this?

    Many thanks,
    Jim
    Last edited by tvcnet; 03-21-2010 at 06:36 PM.

  10. #10
    Spiral (BANNED; Wild Wild West; joined Jun 2005; 2,025 posts)

    Actually I think you got that the other way around a bit ....

    The side trivia on dso is the one and only thing that I said which would have any bearing to any kind of server administrator access.

    The comments on the "deny from all" for your script file types is something that you would put in your .htaccess file that any end user can do and doesn't require any kind of administrator access --- just simply access to the hosting account and nothing more.
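Editor's note on the unresolved question. The thread never arrives at a rule that is both account-wide and path-scoped. Jim's block in #1 cannot work in a .htaccess file for two reasons that have nothing to do with the mismatched closing tag: `<DirectoryMatch>` and `AllowOverride` are only valid in the main server config and virtual hosts, and `php_admin_flag` (like the `php_flag` in Sergio's TWiki excerpt) is only honoured when PHP runs as a DSO, which is the portability problem Spiral raises in #8. What does work from a single public_html/.htaccess on a typical shared host is mod_rewrite, because in per-directory context a RewriteRule pattern is matched against the URL-decoded path below the directory holding the .htaccess, so a directory name can be matched at any depth. The block below is an added example written for this page, not code from the thread, cPanel or TWiki. It assumes mod_rewrite is loaded and that the host's AllowOverride includes FileInfo (the cPanel default, but confirm on each host); the extension list is an assumed starting point rather than an exhaustive one, and "images" is the directory name from Jim's question.

```apache
# public_html/.htaccess  (added example; not from the thread)
# One account-wide rule: refuse to serve anything script-like that lives
# under a directory named "images", at any depth below public_html.
# Assumptions: mod_rewrite is loaded and AllowOverride permits FileInfo.

RewriteEngine On

# In per-directory context the pattern sees the decoded path relative to
# this directory, so "(^|/)images/" matches both public_html/images/ and
# blog/wp-content/images/2010/03/. The trailing "(\.|$)" also refuses
# double extensions such as shell.php.jpg, which mod_php setups that map
# ".php" via AddHandler will otherwise happily execute. NC makes it
# case-insensitive, F answers 403 Forbidden, L stops further rewriting.
RewriteRule (^|/)images/.*\.(php[0-9]?|phtml|phps|pl|py|cgi|sh|shtml|asp|jsp)(\.|$) - [F,NC,L]

# Any subdirectory .htaccess that contains its own "RewriteEngine On"
# (WordPress writes one) replaces this rule set for that subtree. Either
# add "RewriteOptions Inherit" to that child .htaccess, or, where the
# host runs Apache 2.4.8 or later, push the rules down from here. The
# IfModule/IfVersion guards keep a 2.2 host from returning 500 for the
# whole account because of an unknown option.
<IfModule mod_version.c>
<IfVersion >= 2.4.8>
    RewriteOptions InheritDown
</IfVersion>
</IfModule>
```

To check it on a given host, put a harmless constructed probe such as `images/probe.php` containing `<?php echo 'executed';` into one of the image directories and request it with `curl -i https://example.com/images/probe.php` (hostname and filename are placeholders): the answer should be `403 Forbidden`, and so should `/Images/probe.PHP` and `/blog/images/probe.php.jpg`, while `/images/logo.png` still returns 200. Two caveats a practitioner should keep in mind: the rule only blocks execution through a direct HTTP request, so a vulnerable script elsewhere on the site that `include`s the uploaded file will still run it, and an attacker who can write a .htaccess into the images directory can switch the rewrite engine on and discard the parent rules. Both are reasons the upload handler itself must validate content and filenames, as Spiral says in #8; the rewrite rule is a second layer, not a substitute.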
