Restricting PHP file names

[M001]

Hi all,

Lately I've been having some security issues with a software I am using, I believe the software might have some type of exploit that allows files to be uploaded to it's root directory. I don't want to say the name of the software at this point until that vendor has fully checked into it, but as a temporary solution I thought it might be possible to restrict file names of PHP files that are allowed to run under my cpanel account. Is this possible?

i.e. if the attacker does upload a file called "shell.php", they won't be able to run it if it doesn't match a file name in the list of allows PHP files

 

[cPanelMichael]

Hello

It might be possible, but I don't really think it would be an effective way of mitigating an attack. Instead, you should ensure Mod_Security is installed with a robust ruleset, and ensure overall security is increased by reviewing any warnings in the "Security Advisor" option within WHM. If it's an exploit within a script, check with the developer to see if a patch is available until a new release is pushed out.

Thank you.

 

[quizknows]

A good modsecurity rule set will help.

You can deny a specific file name with a very basic modsecurity rule:

SecRule REQUEST_URI "shell\.php" "id:2923545,deny"

You could make additional rules; each needs a unique number after id:

 

[M001]

I am having the developer/vendor check into it, but I want to continue using the software so I don't have any downtime. I thought about making rules that would block certain file names, but all they would have to do is rename the file, which is why I wanted to block all except the permitted file names. Is there any other ideas for this temporary fix? I currently do have mod_security installed for other things, but I don't know how to write many rules.

 

[quizknows]

You could do it but it would be a pretty ugly rule. Better to properly investigate the point of entry at this point.