Jun 1
There are times when we want to prevent users from uploading PHP files to an upload area and then executing them. Any time you permit file uploads to any part of your website, someone will try to use that to exploit your server. It is inevitable, and you need to take proactive steps so that it cannot do damage.
The technique given here works for a variety of file types once you understand why it works. In particular, you want to prevent PHP files from being uploaded, because a PHP file that lands somewhere the server will execute it can contain arbitrary attacker code.
RewriteEngine On
# Only WebDAV-style uploads and renames (PUT/MOVE) reach this rule
RewriteCond %{REQUEST_METHOD} ^PUT$ [OR]
RewriteCond %{REQUEST_METHOD} ^MOVE$
# Server-config context, so the pattern carries the full /files/ prefix.
# Anchored with $ so "x.php.txt" is not truncated; [NC] also catches .PHP, .Php ...
RewriteRule ^/files/(.*)\.php$ /files/$1.nophp [NC]
Files uploaded over WebDAV (a PUT) into the /files section of the website (change this to whatever part of your site you permit uploads to) with a .php extension are created with a .nophp extension instead, which the PHP handler will never run. Likewise, a MOVE request whose request URI ends in .php is rewritten to the .nophp name. Two caveats a practitioner should keep in mind. First, mod_rewrite acts on the request URI only; a WebDAV rename carries its target name in the Destination header, which this rule does not inspect, so moving foo.txt to foo.php is not caught by the rule alone. Second, a form-based upload handled by a script is a POST to that script, not a PUT of the file's path, so this rule never sees it and the upload script must do its own extension and content checks. Many well-known exploits are two-step attacks in which a file is first uploaded and then requested so the server executes it; blocking the upload, and refusing to execute anything in the upload directory regardless, goes a long way toward defeating them.
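The same idea carried through as a complete per-directory configuration, added here as an example and not part of the original post. It assumes Apache 2.4 with mod_rewrite, that the file is saved as /files/.htaccess (per-directory context, so patterns are relative to that directory and carry no leading slash), that /files/ is the only writable upload area, and that the PHP-family extensions listed are the ones your handler maps; the IfModule name is mod_php.c for PHP 8 and mod_php7.c or mod_php5.c for older releases. It also covers the two gaps noted above (MOVE targets and form-based uploads) by refusing to serve or execute PHP-family files in the directory at all, whichever route they arrive by.

```apache
# /files/.htaccess  (added example; assumptions are stated in the comments)
RewriteEngine On

# 1. Neutralize WebDAV PUT/MOVE requests whose URI names a PHP-family file.
#    Case-insensitive ([NC]) and anchored at end of name ($) so that
#    "report.php.txt" keeps its real extension instead of being truncated.
#    Assumed extension list: .php, .php3 .. .php7, .phtml, .phar
RewriteCond %{REQUEST_METHOD} ^(PUT|MOVE)$
RewriteRule ^(.*)\.(php[0-9]?|phtml|phar)$ $1.nophp [NC]

# 2. The rule above cannot see a MOVE's Destination header or a POST
#    handled by an upload script, so refuse to serve any PHP-family file
#    that lands here by any route (Apache 2.4 authorization syntax).
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>

# 3. With mod_php, switch the interpreter off for this whole tree so that
#    nothing here is executed regardless of extension. Needs
#    "AllowOverride Options" (or All) on the directory; if PHP runs via
#    FPM instead, this block is skipped and step 2 still applies.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

Step 1 alone reproduces the original recipe; steps 2 and 3 are the belt-and-braces layer that holds even when a PHP file gets in through a path the rewrite never inspects. Verify the result after deploying by uploading a harmless test file named test.php and requesting it: you should see a 403, not PHP output.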
Comments
You mention a very good thought that I must appreciate; I have not thought of this before. Thanks.