Installation problems / Re: Block some extensions such as exe, bat, com in upload
« on: May 24, 2010, 07:26:36 pm »
I've had this in my notes for a few years now, but can't remember where I got it from.
It relies on the .htaccess file, so you need access to the server with high credentials.
This will not prevent files from being uploaded, but it will rename them, making them unusable online.
Quote:
The technique supplied here will work for a variety of different file types once you understand why it works. In particular, you want to prevent PHP files from being uploaded, because these files might contain malicious code.

Code:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^PUT$ [OR]
RewriteCond %{REQUEST_METHOD} ^MOVE$
RewriteRule ^/files/(.*)\.php /files/$1.nophp
Files that are uploaded to the /files section of our website (you’ll need to modify this to point to whatever portion of your site where you’re permitting upload) with a .php file extension are created instead with a .nophp file extension, rendering them inoperable. Likewise, if someone attempts to rename an existing file to have a .php extension, this rename operation will result in the file being renamed to have a .nophp extension instead. Many well-known exploits involve this type of two-step attack, where a file is first uploaded and then executed. Preventing the initial upload goes a long way toward completely blocking these types of attacks.
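As an added example (not from the original post or the quoted source), here is the same rule extended to the extensions this thread asks about, with a case-insensitive match; the /files/ path and the .blocked suffix are assumed names you would adapt to your site:

```apache
# Added example, not from the quoted source: the rename rule above, extended to
# the extensions named in this thread (exe, bat, com) plus common PHP variants.
# Assumes a virtual-host or server-config context; in a per-directory .htaccess
# the leading path is stripped before matching, so "^/files/" would not match there.
RewriteEngine On

# Only WebDAV-style PUT and MOVE requests reach the rule below.
RewriteCond %{REQUEST_METHOD} ^(PUT|MOVE)$

# [NC] makes the match case-insensitive so ".PHP" or ".Exe" is caught too.
# The original extension is replaced with ".blocked" (constructed name), so the
# stored file is neither executed by PHP nor downloadable as a runnable binary name.
RewriteRule ^/files/(.*)\.(php|php[345]|phtml|exe|bat|com)$ /files/$1.blocked [NC]
```

Because of the RewriteCond, only PUT and MOVE requests are affected; a form upload sent by POST to a script that writes the file itself never passes through this rule, so it needs its own extension check in the application.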