Securing apache upload folders

From Notes_Wiki

Home > CentOS > CentOS 6.x > Apache web server configuration > Securing apache upload folders

To secure apache upload folders from script execution use:

   php_flag engine off
   Options -ExecCGI

in a .htaccess file in the upload folder.

This is important because Apache's handler mapping considers every extension in a filename, not only the last one, so a file named like image.php.jpeg is treated as executable PHP. If the upload code only checks that the name ends with .jpeg, an attacker can upload PHP code and then execute commands on the server.

For the strictest protection, set the permissions on the .htaccess file so that the user Apache runs as cannot read it. Apache then returns 500 Internal Server Error for every request under that directory, so nothing in it is served or executed. This method is future-proof and protects against all languages, not just PHP.
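The following script is an added example, not part of the Notes_Wiki page. It applies both steps above to an upload folder (the two-directive .htaccess, then the unreadable-file variant), verifies the result, and adds an upload-side filename check for the multiple-extension problem described above. It assumes POSIX sh with coreutils (ls, cut, mktemp, chmod, chown), that httpd runs as an account other than the owner of .htaccess, and an assumed list of PHP handler extensions that you should match to the AddHandler/AddType lines of your own httpd configuration.

```shell
#!/bin/sh
# Added example (not from the Notes_Wiki page): apply the page's two hardening
# steps to an upload folder and verify them. Assumptions: POSIX sh with
# coreutils, and httpd running as a user other than the owner of .htaccess
# (on CentOS the apache account; root owns the file when this runs as root).
set -eu

# Step 1 (page): write the two directives into DIR/.htaccess.
write_upload_htaccess() {
    mkdir -p "$1"
    printf '%s\n' 'php_flag engine off' 'Options -ExecCGI' > "$1/.htaccess"
}

# Step 2 (page, the "extreme" variant): make .htaccess unreadable by the httpd
# user, so Apache answers 500 for every request under DIR. Mode 0600 only helps
# when the owner is NOT the httpd user, hence the chown when running as root.
lock_upload_htaccess() {
    f="$1/.htaccess"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$f"; fi
    chmod 0600 "$f"
}

# Return 0 when DIR/.htaccess carries both directives as whole lines.
check_upload_htaccess() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -qx 'php_flag engine off' "$f" || return 1
    grep -qx 'Options -ExecCGI' "$f"
}

# Return 0 when neither group nor others hold the read bit on FILE
# (columns 5 and 8 of "ls -l", e.g. "-rw-------"), i.e. a non-owner httpd
# user cannot read it.
is_unreadable_by_others() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????r*|???????r*) return 1 ;;
    esac
    return 0
}

# Upload-side check for the multiple-extension problem the page describes:
# Apache's handler mapping looks at every extension in a name, so
# "photo.php.jpeg" is served as PHP. Reject a name if ANY extension after a
# dot is a PHP handler extension (assumed list: php, php0-php9, phtml, phps).
has_php_extension() {
    rest=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while [ "$rest" != "${rest#*.}" ]; do
        rest="${rest#*.}"
        case "$rest" in
            php|php[0-9]|phtml|phps|php.*|php[0-9].*|phtml.*|phps.*) return 0 ;;
        esac
    done
    return 1
}

# Demonstration on a temporary directory (constructed; no web root is touched).
demo=$(mktemp -d)
write_upload_htaccess "$demo/uploads"
lock_upload_htaccess "$demo/uploads"
if check_upload_htaccess "$demo/uploads" && is_unreadable_by_others "$demo/uploads/.htaccess"; then
    echo "hardened: $demo/uploads/.htaccess"
fi
for name in photo.jpeg photo.php.jpeg shell.PHTML notes.txt; do
    if has_php_extension "$name"; then echo "reject $name"; else echo "accept $name"; fi
done
rm -rf "$demo"
```

Two caveats when using this on a real server: the .htaccess directives only take effect if the enclosing `<Directory>` has an AllowOverride that permits Options and the PHP flags, and `php_flag` is a mod_php directive, so on a server that runs PHP through FPM or FastCGI it is an unknown command (which by itself produces a 500) and the handler must be disabled through that setup's own configuration instead.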
