Securing Apache upload folders
From Notes_Wiki
To secure Apache upload folders from script execution use:
    php_flag engine off
    Options -ExecCGI
in a .htaccess file in the upload folder.
This is important because Apache treats a file with a .php.jpeg extension as executable. So if the upload code checks for files ending with .jpeg, an attacker can easily upload his/her own code and then execute the desired commands.
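An added example (not part of the original wiki page): a Python audit helper that checks an upload folder for the two .htaccess directives above and flags stored files whose name carries a script extension in any position, which a check for names ending in .jpeg misses. The function names and the extension list are assumptions made for this example.

```python
import os

# Assumed list of script extensions; match it to the handlers your server maps.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
               "pl", "py", "cgi", "sh"}


def has_script_segment(filename):
    """True if any dot-separated segment after the base name is a script extension."""
    return any(seg in SCRIPT_EXTS for seg in filename.lower().split(".")[1:])


def htaccess_hardened(upload_dir):
    """True if .htaccess in upload_dir carries both directives from the page."""
    try:
        with open(os.path.join(upload_dir, ".htaccess"),
                  encoding="utf-8", errors="replace") as fh:
            # Normalise whitespace and case; drop blank and comment lines.
            lines = [" ".join(ln.split()).lower() for ln in fh]
    except OSError:
        return False
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    php_off = "php_flag engine off" in lines
    no_cgi = any(ln.startswith("options ") and "-execcgi" in ln.split()
                 for ln in lines)
    return php_off and no_cgi


def audit_upload_dir(upload_dir):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not htaccess_hardened(upload_dir):
        findings.append(".htaccess missing or lacks the required directives")
    for root, _dirs, files in os.walk(upload_dir):
        for name in sorted(files):
            if has_script_segment(name):
                rel = os.path.relpath(os.path.join(root, name), upload_dir)
                findings.append("script extension in file name: " + rel)
    return findings
```

The audit only inspects the .htaccess at the top of the upload folder; a .htaccess in a subfolder can override it and is not checked here.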
For extreme protection, set permissions on the .htaccess file such that the user Apache runs as cannot read it. This would cause Apache to generate a 500 Internal Server Error whenever the directory is accessed. This method is future-proof and protects against all languages, not just PHP.