-2

I am trying to build a website on which users are able to upload e.g. HTML and PHP files. I want to prevent hackers to view those PHP files (might be a PHP shell hack) and instead only allow downloading them (like 4shared). But I am not sure if the following code in my .htaccess file solves the problem. I mean it forces the browser to download the file, but is there—by any chance—the possibility that a hacker might overcome the .htaccess configuration and view execute the PHP files?

<Files *.php>
    ForceType application/octet-stream
    Header set Content-Disposition attachment
</Files>
AstroCB
  • 12,337
  • 20
  • 57
  • 73
KISKING
  • 33
  • 1
  • 7
  • 2
    Do not allow others to upload PHP files. Period. – hek2mgl Jan 12 '15 at 14:12
  • 1
    It is a valid requirement for a software to allow upload of arbitrary files. At the end of the day it is simply a text file, but of course it depends on what you do with it. ;) – Fleshgrinder Jan 12 '15 at 14:15
  • I'd be having the uploads go somewhere like Amazon S3 rather than your own server, to be absolutely freaking certain it won't do anything. – ceejayoz Jan 12 '15 at 14:18

2 Answers2

1

With view you mean execute?

See this answer. The best way is to tell apache to not execute PHP in that directory by adding php_flag engine off to the .htaccess file for your uploads directory. In order to prevent executing using a shell injection make sure all the files in the directory are chmodded 666.

Community
  • 1
  • 1
Sander Toonen
  • 3,463
  • 35
  • 54
  • Why permissions of 666? Surely 644/664? – arco444 Jan 12 '15 at 14:12
  • Depends, if you trust the users on your server `666` is fine, if not you may need to tighten them (maybe even `660` or `640`). – Fleshgrinder Jan 12 '15 at 14:13
  • Well it depends on who owns the files, but the webserver should be able to write (and maybe delete) the files when it is an upload service. But when the owner is for instance ````you:www-data```` you are absolutely right, and 664 is enough. – Sander Toonen Jan 12 '15 at 14:14
  • How to add php_flag engine off in a specific directory ? By adding a .htacces in that directory and simply writing the code ? – KISKING Jan 12 '15 at 14:16
  • Yes, or you can add it to the Directory directive of your Apache virtualhost config. The first option is simpler indeed, but make sure you don't enable users to deleting the .htaccess file by something you code in PHP. – Sander Toonen Jan 12 '15 at 14:22
  • thanks i figured and it worked , but now it is displaying the html text , how to fix it. Is that harmfull ? – KISKING Jan 12 '15 at 14:25
  • plus please also do tell how to put this code in httpd.conf , for the location /download/web/ will this work php_flag engine off – KISKING Jan 12 '15 at 14:26
  • of course php_flag is not guaranteed to work, you better test this before you rely on it and if you're not the server admin, you better hope that your hoster doesn't decide to switch from mod_php to fastcgi without you noticing it. – mmgross Jan 12 '15 at 14:27
  • Add the lines from your original question as well in order to force a download. – Sander Toonen Jan 12 '15 at 14:34
0

This answer assumes you mean execute when you say view.

First off, the safest way to prevent php from being executed is to actually turn it off. As suggest in a previous answer, php_flag engine off is one way of doing that, but as far as I know that may not work, if PHP is invoked via fastcgi. You can use the RemoveHandler Directive, but you have to make sure, you catch all file extensions for which php has been defined, this is not necessarily limited to *.php.

This answer suggest, you should put the following code in your .htaccess:

<Files *>
    SetHandler default-handler
</Files>

But there's still one problem: If you allow people to upload any file, they can upload their own .htaccess and overwrite whatever you have put in yours.

If you are the server admin, there are 2 possible solutions for that: You can disable php altogether by not including the module at all, but that means you'd have no php server-wide and that may not be what you want. Or you could use AllowOverride None to disable .htaccess files for your upload folder, but I think that only works in the server config and not in another .htaccess so you could put this in your httpd.conf:

<Directory /path/to/your/upload/folder>
        #To ignore uploaded .htaccess:
        AllowOverride None
        <Files *>
                SetHandler default-handler
        </Files>
</Directory>

Of course you have to change the path. The answer I linked above suggests an even more extensive approach, maybe you should have a look that too. (I know links are difficult to see here, so here's the full url, just in case: Disable all CGI (php, perl, …) for a directory using .htaccess )

So, if you're not the server admin, you're probably safest if you either disallow certain file types, file names or rename every uploaded file with a chosen prefix or suffix, that you remove in a script or with mod_rewrite before a user downloads the file again.

Community
  • 1
  • 1
mmgross
  • 3,064
  • 1
  • 23
  • 32
  • I am server admin but i wont allow the users to upload .htaccess . pluss please tell me what code should i put in the httpd.conf file isntead putting it in .htaccess – KISKING Jan 12 '15 at 14:32