The Community Forums


Restricting image directory script execution

Discussion in 'Security' started by tvcnet, Mar 19, 2010.

  1. tvcnet

    tvcnet Well-Known Member
    PartnerNOC

    Joined:
    Aug 15, 2003
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Diego
    cPanel Access Level:
    DataCenter Provider
    Hi folks,
    Just stumped on this one and wondering if we have any mod rewrite or .htaccess editing experts out there.

    My goal is to have one entry in the public_html/.htaccess file which prevents scripts from executing within images directories (to keep the hackers out).

    Placing a .htaccess file with the restrictions within each directory separately is easy to do (that's a non-issue), but my goal here is to do it account wide.

    I tried the below but just can't seem to get it working:

    # Block tried in public_html/.htaccess. It cannot take effect there:
    # <DirectoryMatch>, AllowOverride and php_admin_flag are only accepted in
    # the main server config or a virtual host, not in .htaccess, and the
    # closing tag was </Directory>, which does not match <DirectoryMatch>.
    <DirectoryMatch "^.+/images">
    AllowOverride None
    AddHandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh
    php_admin_flag engine off
    </DirectoryMatch>

    This is supposed to ensure all directories within account directories named /images will turn scripts into text so they won't execute.

    I suppose you can do the same with mod redirect but the thought gives me a headache...

    Ideas?

    Many thanks,
    Jim
     
  2. reporter

    reporter Active Member

    Joined:
    Jul 23, 2009
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    http://forums.cpanel.net/f185/howto-disable-execute-cgi-script-other-extention-144341.html
     
  3. tvcnet

    Hi reporter,
    Thank you for your reply though it's the wrong answer to my post (delete your post if possible please as it confuses my question).

    Hopefully someone else will have an idea on how to use .htaccess to prevent scripts from running within every instance of a particular directory (like /images)?

    Thanks,
    Jim
     
  4. Secmas

    Secmas Well-Known Member

    Joined:
    Feb 18, 2005
    Messages:
    321
    Likes Received:
    0
    Trophy Points:
    16
    Maybe this is what you are looking for:

    Regards,

    Sergio

    PS: The complete text can be read here: http://seclists.org/vulnwatch/2006/q3/2
     
    #4 Secmas, Mar 21, 2010
    Last edited: Mar 21, 2010
  5. tvcnet

    Hi Sergio,
    Your explanation is directory specific (so no, it doesn't help answer my question).

    Yes, I could put a .htaccess file into each of my 1000 images directories; that's not very efficient.

    The goal is to have one .htaccess file in public_html, such that if a hacker uploads a PHP script in any of my 1000 images directories, the hack cannot run in any of the directories on the site.

    Anyone else have an idea on this?

    Something with mod rewrite or regex, etc. is likely the answer (but I'm not an expert in that so not sure how to set that up).

    Many thanks,
    Jim
     
    #5 tvcnet, Mar 21, 2010
    Last edited: Mar 21, 2010
  6. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Better idea --- why don't you change from dso to either suphp or fcgi?

    (RE: Everything you have written thus far above is for "dso" specifically)
     
  7. tvcnet

    Hi Spiral,
    No, that's not an option. I have clients with different server types (other shared hosts).

    This question is about developing a .htaccess that will prevent the execution of anything but images in all /images directories within a shared hosting account (whose account might be at any of 1000 hosting companies worldwide).

    Best Wishes,
    Jim
     
  8. Spiral

    That statement made absolutely no sense to me whatsoever or the reasoning for not moving away from dso there.

    I actually don't recommend that dso ever be used at all .... period.

    Anyway though, your commands "php_flag" and "php_value" that you were trying to use in .htaccess would not work on other php systems.

    I understand the question but I see no logical value in that either ...

    If the servers are properly secured and configured, you would only be able to run php scripts that have a .php extension and if you simply "deny from all" the file type in the folder, there you go.

    Also just exactly how are they going to upload these files?

    Are the scripts and programs you are using allowing uploads blindly without checking file types? That wouldn't seem particularly bright.

    Also, most all "code execution and scripting in image" exploits are not done utilizing PHP code but rather almost always compiled binary and sometimes perl ---- really don't see php so much.

    If the server is setup properly, wouldn't matter anyway as anything they upload wouldn't be able to execute or do anything anyway though.

    But back to the original point --- "deny from all"

    Just deny access to the file type and make sure any apps that allow file uploads do proper content, filename, and filetype checks.
     
  9. tvcnet

    Hi Spiral,
    You misread my original post. I'm not the server admin for every hosting company on the planet. I have no way to update a web hosting company's web servers.

    The goal is to have one .htaccess file in public_html, such that if a hacker uploads a PHP script in any of my 1000 images directories, the hack (php, javascript, etc.) cannot run within any of the directories on the site.

    Something with mod rewrite or regex within a .htaccess file is likely the answer (but I'm not an expert in mod rewrite or regex so not sure how to set that up).

    Anyone else have an idea on this?

    Many thanks,
    Jim
     
    #9 tvcnet, Mar 21, 2010
    Last edited: Mar 21, 2010
  10. Spiral

    Actually I think you got that the other way around a bit ....

    The side trivia on dso is the one and only thing that I said which would have any bearing on any kind of server administrator access.

    The comments on the "deny from all" for your script file types is something that you would put in your .htaccess file that any end user can do and doesn't require any kind of administrator access --- just simply access to the hosting account and nothing more.
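One way to do what the opening post asks for with a single file, and to apply the "deny access to the file type" idea from the replies account-wide, is a mod_rewrite rule in public_html/.htaccess that refuses requests for script files under any directory named images. This is an added example, not code from any post in this thread; the extension list and the assumption that the host allows mod_rewrite in .htaccess (AllowOverride FileInfo) are mine.

```apache
# public_html/.htaccess  (added example, not from this thread)
# Refuse any request for a script-type file that lives below a
# directory named "images", at any depth under the account.
# Assumes mod_rewrite is loaded and AllowOverride FileInfo is granted.

RewriteEngine On

# ^(.*/)?images/  -> "images" as a whole path segment, at any depth
#                    (does not match "myimages/" or "images-old/").
#                    In .htaccess the tested path is relative to this
#                    directory with no leading slash, hence ^(.*/)? .
# \.(ext)(\.|$)   -> the extension anywhere in the name, so a file
#                    such as "shell.php.jpg" is refused too; some
#                    Apache/PHP handler setups run a file as PHP when
#                    ".php" appears mid-name.
# NC = case-insensitive, F = answer 403 Forbidden, L = stop here
RewriteRule ^(.*/)?images/.*\.(php[0-9]?|phtml|phar|pl|cgi|py|sh|shtml|jsp|asp)(\.|$) - [NC,F,L]

# Caveat: a deeper .htaccess that has its own "RewriteEngine On"
# replaces these rules for its subtree unless it also states
# "RewriteOptions Inherit". Check any app-installed .htaccess files.
```

To verify, drop a harmless text file named like a script (for example test.php) into one images directory and request it: the host should answer 403 while the real images in that directory still load. This only blocks HTTP requests, so the upload code still needs the content, filename and type checks the thread mentions.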
     