apollo

Reputation: 353

prevent upload php script to be executed

I have a system where users pay for support, and each user has a folder. I have many (like 200+) sub folders in my website, each of which needs the CSS, images, JS etc...

I also create folders every week for new users when they register; each user can upload PHP scripts, JS scripts or images. (screenshot of their problem)

My problem is: in my /.htaccess, I have a rule that checks for PHP scripts and redirects to the proper page, e.g. site.com/user/page will go to site.com/user/page.php

What I want to do is prevent the user from breaking the system, for example by:

site.com/user/upload/test will go to his test.php and run it.

How can I prevent these kinds of attacks?

Upvotes: 14

Views: 21703

Answers (5)

Vasily Bezruchkin

Reputation: 360

Please remember that Apache might have more extensions handled by the PHP type handler, and it indeed does. Here is the .htaccess content that works fine for our server.

<FilesMatch "(?i)\.(php5|php4|php|php3|php2|phtml|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
    ForceType text/plain
</FilesMatch>

It is working fine for us.

Upvotes: 4

Gabriel Gartz

Reputation: 2870

Block access to PHP files in your .htaccess; put this file inside the folder whose files you want to block:

<FilesMatch "\.(php|phps)$">
    # Apache 2.2 access control; on Apache 2.4 use "Require all denied" instead
    order deny,allow
    deny from all
</FilesMatch>

Or in root .htaccess file you can:

# <Directory>/<DirectoryMatch> are only honoured in the main server config or
# vhost; Apache rejects them inside a .htaccess file
<DirectoryMatch "/user/upload">
    <FilesMatch "\.(php|phps)$">
        order deny,allow
        deny from all
    </FilesMatch>
</DirectoryMatch>

Will block access to all php files inside the user/upload folder, even if mod_rewrite is used.

But, if you want to keep the .php files accessible for download and don't want them executed, you can use this in .htaccess:

<FilesMatch "(.+)$">
    ForceType text/plain
</FilesMatch>

All files in the folder will be returned as text/plain. You can wrap this in the Directory tag to get a result similar to the deny-access second example.

You can also choose the file extensions you want to deliver as text/plain:

<FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
    ForceType text/plain
</FilesMatch>

Upvotes: 23

symcbean

Reputation: 48367

My problem is: in my /.htaccess, I have a rule that checks for PHP script and redirects to the proper page e.g. site.com/user/page will go to site.com/user/page.php

Why not just create the users page as site.com/user/page/index.php ?

site.com/user/upload/test will go to his test.php and run it

Then your rewrite rule is wrong - but you didn't show us what it is. Also your code for handling file uploads is wrong - and it's not just PHP which is the problem - you could be acting as a mule site for all sorts of malware.

When allowing users to upload content, you should never store it in such a way that it is directly addressable by the webserver (except maybe for very large files of very specific and VERIFIED file types - such as videos). All access should be mediated by a control script (which may set the mime type and filename for the content it channels).

Upvotes: 1

nine7ySix

Reputation: 461

Sorry, I misunderstood the question. I would think the best way to prevent these attacks from happening would be to save the files as .php.txt or something, so it's non-executable.

But print out the file's contents via fopen(); or file_get_contents();

If this is not what you are looking for, can you provide information about what your website does, exactly?

Upvotes: 0

user862010


Well, I had an idea: before you redirect to test.php, you redirect to a page that will verify that the code belongs to user X; if it does, it follows the routine and redirects; if it does not belong, it fires a 404.

Upvotes: 0
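The "control script" approach from symcbean's answer, combined with the ownership check from the answer above, as an added example that is none of the answerers' code. It assumes uploads are stored outside the document root under /var/www/uploads/<user>/<id>, that an uploads.json index per user maps each id to its original name (both assumed layouts, constructed for this example), and that the logged-in user's name is in $_SESSION['user'].

```php
<?php
// Added example: serve user uploads from a directory Apache cannot execute
// from. Files are stored under an opaque id, never under the uploaded name,
// so "test.php" never exists as a web-addressable path at all.
declare(strict_types=1);

const UPLOAD_ROOT   = '/var/www/uploads';   // assumed: outside DocumentRoot
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'text/plain'];

function serve_upload(string $user, string $fileId): void
{
    session_start();
    // Ownership check: only the owner may fetch their own uploads.
    if (($_SESSION['user'] ?? null) !== $user) {
        http_response_code(404);
        exit;
    }
    // Only opaque ids: no dots or slashes, so no path traversal is possible.
    if (!preg_match('/^[a-z0-9]{1,40}$/', $user) || !preg_match('/^[a-f0-9]{32}$/', $fileId)) {
        http_response_code(404);
        exit;
    }
    // Assumed index format: {"<id>": {"name": "original-name.ext"}}
    $index = UPLOAD_ROOT . "/$user/uploads.json";
    $meta  = is_file($index) ? json_decode((string) file_get_contents($index), true) : null;
    if (!is_array($meta) || !isset($meta[$fileId])) {
        http_response_code(404);
        exit;
    }
    $real = realpath(UPLOAD_ROOT . "/$user/$fileId");
    if ($real === false || strpos($real, UPLOAD_ROOT . '/') !== 0) {
        http_response_code(404);
        exit;
    }
    // Decide the Content-Type from the bytes, not from the user-supplied name;
    // anything outside the allow-list is forced to a plain download.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($real) ?: 'application/octet-stream';
    if (!in_array($type, ALLOWED_TYPES, true)) {
        $type = 'application/octet-stream';
    }
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', (string) ($meta[$fileId]['name'] ?? $fileId));

    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');   // stop browsers sniffing text into HTML/JS
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($real));
    readfile($real);
    exit;
}

serve_upload((string) ($_GET['user'] ?? ''), (string) ($_GET['id'] ?? ''));
```

With this in place the upload directory needs no .htaccess tricks at all, because nothing in it is reachable by URL except through this script.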
