digip Posted May 8, 2008

I have a client's site whose server is vulnerable to the somefile.php.jpg executable attack due to the way his Apache server is configured. I fixed his upload scripts to strip out any code with ".php." in the uploaded file names, but I want to make sure there isn't any other way they can use this attack on the site. I don't have control panel or shell access to the site, just strictly FTP access.

I want to know, is there a way to override the default Apache handler of "AddHandler x-httpd-php .php" (which is what causes the vulnerability) with "AddType x-httpd-php .php" using an htaccess file? I have been reading up on it, but it seems all documentation points to the server's config files. I am not 100% sure, but I think it can be done using a mod rewrite somehow in an htaccess file, but if so, I don't know how to format the override.

Anyone have experience with this flaw and how to block it (short of sanitizing the upload scripts)? I am thinking something along the lines of "RemoveHandler .php." or "RemoveType .php."
SomeoneE1se Posted May 8, 2008

> I have a client's site whose server is vulnerable to the somefile.php.jpg executable attack due to the way his Apache server is configured. I fixed his upload scripts to strip out any code with ".php." in the uploaded file names, but I want to make sure there isn't any other way they can use this attack on the site. I don't have control panel or shell access to the site, just strictly FTP access.
>
> I want to know, is there a way to override the default Apache handler of "AddHandler x-httpd-php .php" (which is what causes the vulnerability) with "AddType x-httpd-php .php" using an htaccess file? I have been reading up on it, but it seems all documentation points to the server's config files. I am not 100% sure, but I think it can be done using a mod rewrite somehow in an htaccess file, but if so, I don't know how to format the override.
>
> Anyone have experience with this flaw and how to block it (short of sanitizing the upload scripts)? I am thinking something along the lines of "RemoveHandler .php." or "RemoveType .php."

Don't piss around, sanitize the damn upload script.
digip (Author) Posted May 8, 2008

> I fixed his upload scripts to strip out any code with ".php." in the uploaded file names, but I want to make sure there isn't any other way they can use this attack on the site.

I just wanted a way to force this site-wide in the event that they figure out any other flaws with his site that I am not aware of. I am not a security expert, but I do know his site has some holes in it like Swiss cheese. They managed to deface his site using a PHP script with "somefile.php.jpg" to overwrite his homepage. Now when they come back to the upload page it will not let this attack work, and I have it set to alert me of their IP address when they upload anything with a ".php." in the file name.
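
An added example, not part of the original thread: one way to do the site-wide override asked about above with nothing but FTP access, shown as two .htaccess files in one listing. It assumes the host grants `AllowOverride FileInfo`, reuses the handler name `x-httpd-php` quoted in the first post, and uses `uploads/` as a hypothetical name for the upload directory.

```apache
# --- .htaccess in the site root --------------------------------------
# Undo the inherited extension mapping. mod_mime applies an AddHandler
# extension wherever it appears in a multi-extension file name, which
# is why somefile.php.jpg reaches the PHP handler.
RemoveHandler .php

# Re-attach PHP only to names that END in .php.
# "x-httpd-php" is the handler name quoted in the post (assumption:
# substitute whatever name the host's own configuration uses).
<FilesMatch "\.php$">
    SetHandler x-httpd-php
</FilesMatch>

# --- uploads/.htaccess (hypothetical directory name) -----------------
# Nothing stored in the upload directory should ever be executed,
# whatever it is called. Remove both kinds of mapping for .php and
# force every file to be served as static content.
RemoveHandler .php
RemoveType .php
<FilesMatch ".">
    SetHandler default-handler
</FilesMatch>
```

If the host does not allow these directives in .htaccess, Apache answers every request in that directory with a 500 error, and the change then has to be made in the server configuration instead.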