views: 158

answers: 4

One of the hacking methods against sites written in PHP on an Apache server is the use of images with a PHP prefix, such as .php.gif, which Apache tries to run. How can .htaccess be configured to disable this feature?

A: 

Disabling PHP sounds good, but what would really help is for you to prevent users from uploading files to your web server which they then can access from the web. If you can't change your site in that way, at least put in some checking such as a regular expression for filenames and validation of the file format submitted.

I don't understand how a valid GIF-format image could legally also be a PHP script, but I'd like to see an example file if that is the case. Sounds delightful.

Heath Hunnicutt
A: 

Viewing the image files is not necessary. The hacker uploads a file such as an image, but writes PHP code into it, and ... it will be run by the server.

ojo
A: 

I get what is being asked. I actually know a guy who configured his server in such a way that this is an issue. It is simple to prevent.

Don't allow extension-less PHP files, where example.com/foo goes looking for example.com/foo.php. If you do, your user-supplied image foo.gif.php might get run.

If you do it anyway, make sure you do proper extension checking with the built-in commands or with a proper regex. Also, make sure you properly validate any files the user uploads.

Basically, you have to really not know how to use PHP and a web server, to quite a large degree. You practically have to want to be hacked :) So many problems have to come into alignment for this to be an issue. I wouldn't worry about it too much.

EDIT:

I noticed someone suggested that the OP is already hacked. Some people will drop code into your server as a poor man's back door.

Look for an .htaccess file with something like this:

<FilesMatch "^.*\.gif">
SetHandler application/x-httpd-php
</FilesMatch>

Honestly, if they are that far into your system, you are better off formatting it and starting over. Who knows what else is on there at this point.

cgr
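The "proper extension checking" and upload validation that this answer recommends, written out as an added example (not code from the thread or from any of its authors). It assumes a form field named "image" and an upload directory that Apache serves without PHP execution; the field name, the `ALLOWED_EXTENSIONS` table and the directory path are assumptions for illustration.

```php
<?php
// Added example: server-side validation for an image upload handler.
// Assumes the upload directory is served by Apache with PHP execution disabled;
// the validation below is defence in depth, not a replacement for that.

// Whitelist of final extensions and the content type each must really have.
const ALLOWED_EXTENSIONS = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Validate one entry of $_FILES and return the whitelisted extension to use.
 * Throws RuntimeException on anything that should be rejected.
 */
function validateImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Judge only the final extension, and refuse names carrying more than one
    // so that "shell.php.gif" is rejected outright rather than passing as .gif.
    $name = basename($file['name']);
    if (substr_count($name, '.') !== 1) {
        throw new RuntimeException('Filename must have exactly one extension');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXTENSIONS[$ext])) {
        throw new RuntimeException("Extension .$ext is not allowed");
    }

    // Check the real content; $file['type'] is supplied by the client and untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_EXTENSIONS[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a decodable image');
    }
    return $ext;
}

/**
 * Validate and store the upload under a random, server-chosen filename.
 * Returns the path the file was stored at.
 */
function storeImageUpload(array $file, string $uploadDir): string
{
    $ext = validateImageUpload($file);
    // Never reuse the client's filename: random name plus the whitelisted extension.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    chmod($target, 0644); // readable, never executable
    return $target;
}

// Usage inside the upload handler (field name and directory are assumptions):
try {
    $path = storeImageUpload($_FILES['image'], __DIR__ . '/uploads');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage());
}
```

Two design points. Because the stored name is generated by the server, the double-extension problem disappears at the storage step regardless of what the client called the file; the strict single-dot rule on the client name is an extra early rejection, not the mechanism that makes this safe. Second, the content checks do not catch every polyglot: a GIF that decodes correctly can still carry PHP source in a comment block, so what actually prevents execution is Apache not handing files in the upload directory to PHP, which is what the .htaccess answers here are about.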
A: 

The best way is to set this code in your upload folder:

<Files ~ "\.(?i:php.*|(s|p)html|cgi|pl)$">
deny from all
</Files>

daniel
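An added configuration example, not from this thread, putting cgr's point about extension-less PHP and daniel's upload-folder rule side by side with the handler mapping that causes the double-extension behaviour in the first place. It assumes mod_php on Apache 2.4; the paths in the comments are placeholders.

```apache
# Added example (not from the thread). Assumes Apache 2.4 with mod_php.

# --- Weak (httpd.conf or the PHP module's conf): ---
# AddHandler application/x-httpd-php .php
# mod_mime treats every dot-separated segment of a filename as an extension,
# so with AddHandler the name "image.php.gif" still carries a ".php" segment
# and the file is handed to PHP.

# --- Corrected: hand to PHP only names that END in .php ---
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Extension-less lookups (/foo resolving to /foo.php) come from content
# negotiation; switch it off so an uploaded foo.gif.php is never picked for /foo.
Options -MultiViews

# --- /var/www/html/uploads/.htaccess (placeholder path) ---
# The upload directory itself: no PHP engine, no script handlers, and refuse to
# serve any script-looking name, including double extensions such as x.php.gif.
php_flag engine off
RemoveHandler .php .phtml .php3 .php4 .php5
<FilesMatch "\.(?i:php[0-9]?|phtml|phar|s?html|cgi|pl)(\.|$)">
    Require all denied
</FilesMatch>
```

Caveats: `php_flag engine off` only has effect under mod_php; with php-fpm the equivalent is making sure no `SetHandler`/`ProxyPassMatch` rule for the upload path reaches the FPM socket. `Require all denied` is the Apache 2.4 form of the `deny from all` used in the answer above. For the .htaccess to be honoured at all, the directory's `AllowOverride` must permit `FileInfo` and `Options`, and it is worth confirming after deployment by requesting a harmless test file named like `probe.php.gif` from the upload directory and checking that the response is 403 rather than a PHP-rendered page.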