PHP Classes

Re: PHP security exploit with GIF images

Subject: Re: PHP security exploit with GIF images
Summary: just use Apache config to defend against malicious uploads
Messages: 1
Author: Emilis Dambauskas
Date: 2007-06-20 08:23:30
Update: 2007-06-20 08:29:59
 

  1. Re: PHP security exploit with GIF images
Emilis Dambauskas - 2007-06-20 08:29:59
IMHO it is more elegant to solve the problem in the web server layer.

Just disable all scripting for the uploaded file directory (Apache example):

<Directory /var/www/mysite/uploads/>
    AllowOverride None
    AddType text/plain .php .phtml .php3 .phps .pl .cgi
</Directory>

"AllowOverride None" disables .htaccess scripts, which can be uploaded too.

If you have a separate server for uploads, then don't install php, perl, cgi, etc. on it and you'll be safe.
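
A way to check a configuration for the two settings recommended in the post above, as an added example that is not part of the original post or the site's code. The function names and the second `<Directory>` block in the sample are constructed for illustration; the parser assumes flat `<Directory>` blocks in a single file and does not follow `Include` directives or inspect handlers.

```python
import re

# Extensions the post maps to text/plain; treated here as the required set.
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".phps", ".pl", ".cgi"}

# Constructed sample: the first block is the post's, the second is a weak variant.
SAMPLE_CONF = """\
<Directory /var/www/mysite/uploads/>
    AllowOverride None
    AddType text/plain .php .phtml .php3 .phps .pl .cgi
</Directory>
<Directory /var/www/othersite/uploads/>
    AllowOverride All
    AddType text/plain .php
</Directory>
"""

def parse_directory_blocks(conf):
    """Return {path: [(directive, [args...]), ...]} for each <Directory> block."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if m:
            current = blocks.setdefault(m.group(1).strip(), [])
        elif line.lower() == "</directory>":
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, *args = line.split()
            current.append((name.lower(), args))
    return blocks

def audit_upload_dir(directives):
    """List findings for one block; an empty list means both settings are present."""
    findings = []
    # The last AllowOverride wins; a missing one counts as a finding so it is set explicitly.
    overrides = [a for n, a in directives if n == "allowoverride"]
    if not overrides or [x.lower() for x in overrides[-1]] != ["none"]:
        findings.append("AllowOverride is not None, so an uploaded .htaccess would be honoured")
    neutralised = {"." + e.lower().lstrip(".") for n, a in directives
                   if n == "addtype" and a and a[0].lower() == "text/plain" for e in a[1:]}
    missing = sorted(SCRIPT_EXTS - neutralised)
    if missing:
        findings.append("not served as text/plain: " + " ".join(missing))
    return findings

def audit(conf):
    return {path: audit_upload_dir(d) for path, d in parse_directory_blocks(conf).items()}
```

Calling `audit()` on the text of a configuration file returns a dictionary mapping each `<Directory>` path to its list of findings.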