2

In order to prevent PHP local file inclusion attacks I want to disable the execution of all PHP files in one directory completely. Using the line php_flag engine off within the .htaccess file will cause a 500 error. According to another question this is due to the way PHP is installed.

Is there any other way to prevent PHP execution if the PHP installation cannot be altered?

Update: The files don't necessarily have the .php ending.

kot
  • So what do you want to happen when a user accesses a PHP file in that directory? Have it served back as if it's a plain text file? – rickdenhaan May 07 '17 at 17:55
  • Is it only for files with the `.php` extension? – Croises May 07 '17 at 17:56
  • The files can't be accessed directly by the user anyway. I just want to prevent any execution of all files (not just those with .php endings) in addition to that so they can't be executed from another php file either. – kot May 08 '17 at 15:28

4 Answers

2

Add this to your .htaccess file

    # Remove the PHP handler for matching files so a direct HTTP request
    # for them is not passed to the interpreter
    <FilesMatch "\.php$">
        SetHandler None
    </FilesMatch>
Agam Banga
  • Note that this (only) prevents code execution if the `.php` file is requested directly over HTTP. It doesn't necessarily prevent PHP files from being executed in that directory if they are `include()`'d or called by some other script on the server. – MrWhite May 07 '17 at 20:33
  • I updated my question so it's clear that the files don't have the php ending. Could this answer be modified to remove all handlers from the files? The only things I want to do with the files are creating, reading and deleting them. They shouldn't be accessible or executable in any way. – kot May 08 '17 at 15:32
  • PHP is interpreted, not compiled -- so there's no difference between readable and executable. – Alex Howansky May 08 '17 at 15:55
  • Well the difference is that the interpreter needs to process them... which is what I want to prevent entirely. – kot May 09 '17 at 14:42
  • There is no difference between being able to read a file and being able to process a file through the interpreter. You can not allow one and prevent the other. – Alex Howansky May 09 '17 at 14:51
0

You're building your site via "allow all, then deny" logic. You should build it with "deny all, then allow" logic. For example, you're telling Apache to serve all files in a particular directory and then you're overriding that config to tell Apache to not serve some files in that directory. I.e., you probably have something like this:

<VirtualHost *:80>
    ServerName foo.com
    DocumentRoot "/path/to/files"
</VirtualHost>

With a directory layout like this:

/path/to/files
    index.php
    config.php
/path/to/files/lib
    db.php
    etc.php
    other_thing.php

With this setup, anybody can request http://foo.com/config.php or http://foo.com/lib/etc.php directly, which is what you're trying to prevent. Rather than adding individual exceptions for everything you want to deny, start the other way around. I.e., if you have files that you don't want to be served, then don't put them in the document root.

<VirtualHost *:80>
    ServerName foo.com
    DocumentRoot "/path/to/files/public"
</VirtualHost>

Note the DocumentRoot is now set to a subdirectory within your project. Put only your public assets in this directory. All other files go outside (i.e., above) public, and thus can not be served by Apache, while still allowing PHP to include them.

/path/to/files
    config.php
/path/to/files/lib
    db.php
    etc.php
    other_thing.php
/path/to/files/public
    index.php
Alex Howansky
  • Thanks, but I don't think this solves the problem of inclusion by other php files. I don't just want to stop the public access, I already did that. I explicitly want to prevent the php files from being executed (e.g. through 'include()' by other php files) – kot May 08 '17 at 15:38
  • You can't do that. They need to be readable in order to run in your app. – Alex Howansky May 08 '17 at 15:40
  • I don't want them to run in my app – kot May 09 '17 at 14:40
  • If your app doesn't need them, then just delete them. – Alex Howansky May 09 '17 at 14:42
  • I do need them, it's user uploaded content – kot May 09 '17 at 14:58
  • If your app needs to read them, then you can not prevent PHP from trying to execute them from an include(). If you want to avoid the possibility of them being executed, then put them on static server (or vhost) that doesn't have PHP installed. – Alex Howansky May 09 '17 at 15:04
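As an added example (not code from the question or this answer), the following PHP shows the read-without-include pattern this answer ends on: uploads are stored under random, extension-less names in an assumed directory outside the DocumentRoot, and are delivered with readfile(), so their bytes reach the client without the PHP engine ever parsing them. UPLOAD_DIR and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the question or answers. It follows the
// "deny all, then allow" layout above: uploads live in an assumed directory
// beside lib/, outside public/, so Apache never serves them; the app only
// reads their bytes and never hands them to include()/require().
const UPLOAD_DIR = '/path/to/files/uploads'; // assumed, above DocumentRoot

// Store an upload under a random, extension-less name. The client-supplied
// name (and any .php ending) is discarded, so nothing on disk looks like a script.
function storeUpload(string $tmpName): string
{
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($tmpName, UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('upload could not be stored');
    }
    return $id;
}

// Map an id back to a path, rejecting anything that is not exactly one of the
// generated names or that resolves (e.g. via symlink) outside UPLOAD_DIR.
function uploadPath(string $id): ?string
{
    if (!preg_match('/\A[a-f0-9]{32}\z/', $id)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $id);
    if ($base === false || $real === false || !is_file($real)
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Deliver the bytes with fixed, conservative headers. readfile() copies the
// file to the client; unlike include(), the PHP engine never parses it.
function serveUpload(string $id): void
{
    $path = uploadPath($id);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
serveUpload((string) ($_GET['id'] ?? ''));
```

The script itself lives under public/; the directory it reads from does not, so the only way the uploaded bytes ever leave the server is through this handler.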
0

To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site’s desired directories.

Create a blank file named .htaccess and paste the following code inside it.

    # Refuse direct HTTP requests for .php files in this directory.
    # "deny from all" is Apache 2.2 syntax; on 2.4 without mod_access_compat
    # use "Require all denied" instead
    <Files *.php>
    deny from all
    </Files>
Aminul Islam
-2

Add this below the `<?php` opening tag; this will prevent direct execution of the PHP file.

defined('BASEPATH') OR exit('No direct script access allowed');
Eyy
  • This (or similar code) is good for libraries and include files. But it does not help if the files are user generated content (which is the normal case why you want to turn the PHP handler off). – eckes May 07 '17 at 18:01
  • Why not include this on generated content. He's asking if there's "Other way" to prevent PHP execution. – Eyy May 07 '17 at 18:06
  • Because it is somewhat hard to tell an attacker to only upload PHP scripts which cannot be executed - I guess. – eckes May 07 '17 at 18:07