Preventing .php.jpg files from being executed

Discussion in 'Security' started by canfone, Apr 3, 2011.

  1. canfone

    canfone Active Member

    We are looking into how to prevent PHP from executing filename.php.jpg files

    per this issue here:

    #11122 (Sanitize filenames with multiple extensions)

    In the :

    /usr/local/apache/conf/php.conf

    Instead of using

    AddType application/x-httpd-php .php4 .php .php3 .php2 .phtml


    Is it preferable to do this?

    <FilesMatch \.php$>
    SetHandler application/x-httpd-php
    </FilesMatch>


    Should this be standardized with cPanel's auto generated php.conf file?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    What set handler are you using on the machine? I tested this on a machine using suPHP and the page called php.php.jpg didn't return the PHP content. As such, have you confirmed this behavior on the newest PHP 5.3 on your machine as happening? You can determine your handler with the following command:

    Code:
    /usr/local/cpanel/bin/rebuild_phpconf --current | grep -i 'php4\|php5'
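
Added example (not from either poster or from cPanel): a simplified Python model of how mod_mime resolves multiple extensions under the AddType line from the opening post, compared with the proposed `<FilesMatch \.php$>` block, for auditing a list of filenames. The extension table and sample filenames are constructed and the function names are hypothetical; the model assumes the rightmost extension with a known mapping wins and that PHP handles any file whose resolved type is application/x-httpd-php.

```python
import re

PHP = "application/x-httpd-php"

# Extensions from the AddType line quoted in the thread.
ADDTYPE_PHP = {e: PHP for e in ("php4", "php", "php3", "php2", "phtml")}
# Constructed subset of a server's mime.types table (assumption).
MIME_TYPES = {"jpg": "image/jpeg", "gif": "image/gif", "txt": "text/plain"}

# Pattern from the proposed <FilesMatch \.php$> block.
FILESMATCH = re.compile(r"\.php$")


def mod_mime_type(filename, type_map):
    """Simplified mod_mime rule: every dot-separated extension after the base
    name is looked up; unknown ones are skipped and the rightmost known wins."""
    resolved = None
    for ext in filename.lower().split(".")[1:]:
        if ext in type_map:
            resolved = type_map[ext]
    return resolved


def runs_as_php_addtype(filename, known_types=MIME_TYPES):
    """True if the AddType configuration would hand this file to PHP."""
    return mod_mime_type(filename, {**known_types, **ADDTYPE_PHP}) == PHP


def runs_as_php_filesmatch(filename):
    """True if the FilesMatch configuration would hand this file to PHP."""
    return FILESMATCH.search(filename) is not None


def audit(names):
    """Names PHP would handle under AddType but not under FilesMatch."""
    return [n for n in names
            if runs_as_php_addtype(n) and not runs_as_php_filesmatch(n)]


# Constructed sample filenames, e.g. the contents of an upload directory.
SAMPLE = ["photo.jpg", "index.php", "upload.php.jpg",
          "notes.php.bak", "old.php.2011", "page.phtml"]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("handled by PHP only under AddType:", name)
```

In this model `upload.php.jpg` resolves to image/jpeg only because `.jpg` has a known type; a trailing extension with no mapping (`.bak`, `.2011`) leaves `.php` as the deciding one, and `page.phtml` shows that the FilesMatch pattern as written also stops handling the other extensions the AddType line listed.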
     