Usually, I try to set my folders to have permission 775, but some web hosting refuses to let PHP write or move files to any folder unless it has permission 777 (it may be open_dir or safe mode).

Are there any ways to prevent any PHP files from being run from such folders, in case a malicious PHP script has been uploaded there?

+1  A: 

Are there any ways to prevent any PHP files from being run from such folders, in case a malicious PHP script has been uploaded there?

You could disable PHP for that directory. See this answer.

Pekka
+1  A: 

Folders with 777 permissions are inexcusably dangerous. Find a different web host.

Actually, find a different host if your host does NOT require 777 for it to be writeable. In truth, if PHP scripts can write to a folder that is 755 (suexec, suPHP), that's effectively the same as having ALL folders 777. So what you want, for security, is a host who requires 777 in order to make the folder writeable.

Think about it this way - almost all folders are 755 by default. If scripts can write to 755 folders, that means any script can write to any folder!

If scripts can write only to 777 folders, that means they can only write to the folders they are supposed to. If you're going to allow writes to all directories, they may as well ALL be 777, so that's what's inexcusably dangerous.

Just the opinion of one licensed security professional with fifteen years of experience.

Ray
A: 

Ray's comment doesn't make sense. A licensed security professional? Scripts that are created by the owner should be able to write to 755 folders! See http://www.zzee.com/solutions/linux-permissions.shtml too!

And the answer to the original question... It's easy: using *php_value auto_prepend_file* within .htaccess will do it. Just create a simple script that terminates (the die() function) and define it within .htaccess; each PHP script called from such a directory will not be executed. You can even configure that "kill" script to email you each time something suspicious happens (when something is trying to call PHP scripts from the "protected" directory).

Jan
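The auto_prepend_file approach from Jan's answer, written out as an added example (this is not code from any of the answers); the paths `uploads/.htaccess` and `/home/example/private/kill.php` and the mail address are assumptions.

```php
<?php
// kill.php: prepended to every PHP script served from the upload directory
// via the .htaccess below (added example; the paths are assumptions).
// Keep this file OUTSIDE the web root so an uploader cannot overwrite it.
//
//   # uploads/.htaccess  (needs mod_php and AllowOverride Options)
//   php_value auto_prepend_file /home/example/private/kill.php
//
// auto_prepend_file runs before the requested script, so calling exit()
// here means the uploaded file's own code is never reached.

$script = $_SERVER['SCRIPT_FILENAME'] ?? 'unknown';
$client = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$uri    = $_SERVER['REQUEST_URI'] ?? '';

// Log the attempt to the web server's error log. Any request that reaches
// this point asked for a .php file inside a directory that should only
// hold static uploads, which is worth investigating.
error_log(sprintf('[upload-guard] blocked %s from %s (%s)', $script, $client, $uri));

// Optional notification, as the answer suggests. No rate limiting is done
// here, so on a busy site one mail per request could flood the mailbox.
// mail('admin@example.com', 'PHP execution blocked in upload directory',
//      "Script: $script\nClient: $client\nURI: $uri\n");

http_response_code(403);
header('Content-Type: text/plain');
exit("Forbidden\n");
```

php_value directives in .htaccess are only honoured when PHP runs as an Apache module (mod_php); under CGI, FastCGI or PHP-FPM they are not recognised, and the more robust option is Pekka's, disabling PHP for the directory (or denying requests for `*.php` there) at the web server level.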