Apache htaccess Prevent Users from Uploading and Executing Files

There are times when we want to prevent users from uploading PHP files to an upload area and then executing them. Any time you permit file uploads to any part of your website, someone will attempt to abuse that upload to compromise your server. It is inevitable, and you need to take proactive steps to limit the damage before it happens.

The technique shown here works for a variety of file types once you understand why it works. PHP files are the case that matters most: a file with a .php extension that lands in a web-accessible directory is executed by the server the moment anyone requests it, so whatever code the uploader put in it runs with the web server's privileges.

# Server or virtual-host context (httpd.conf). In a .htaccess file the pattern
# is matched without the leading slash, relative to that directory.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^PUT$ [OR]
RewriteCond %{REQUEST_METHOD} ^MOVE$
RewriteRule ^/files/(.*)\.php /files/$1.nophp

Files uploaded into the /files section of the site (change this to whichever directory you allow uploads to) with a .php extension are created with a .nophp extension instead. No handler is mapped to .nophp, so the uploaded code is never run. Likewise, if someone attempts to rename an existing file to give it a .php extension, the rename produces a .nophp file. Many well-known exploits are two-step attacks of exactly this kind: a file is first uploaded and then requested so that the server executes it. Preventing the first step goes a long way toward blocking them.

Two things decide whether the rule fires at all. First, the RewriteCond lines match only the WebDAV methods PUT and MOVE. An upload that arrives through a POST form handled by an application script never passes through this rule, so that path needs its own control, namely disabling PHP execution in the upload directory. Second, in a .htaccess file the pattern is matched against the path relative to that directory with no leading slash, so the server-config form ^/files/ must be written ^files/ there. Add the [NC] flag to both the condition and the rule unless you are sure the server will not also execute .PHP, .phtml or similar variants, because the handler mapping for extensions is case-insensitive.
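A hardened version of the configuration, added here as a worked example; it is not part of the original post or of the Apache documentation. It assumes Apache 2.4 in server or virtual-host context, the /files upload prefix from the post mapped to /var/www/html/files, mod_dav providing PUT and MOVE, and PHP running as mod_php (the php_admin_flag line is skipped if that module is absent; the module identifier is php7_module on PHP 7 and php5_module on PHP 5). It goes beyond the post's rule in three ways: one condition covers both methods, the extension match is anchored and case-insensitive and takes in the other extensions PHP handlers commonly serve, and execution is switched off in the upload directory so a file that arrives by some other route (a POST upload handled by an application script) is still inert.

```apache
# Assumed: Apache 2.4, server/virtual-host context, mod_rewrite, mod_dav,
# mod_mime loaded; upload area /files -> /var/www/html/files.

RewriteEngine On

# 1. Neutralise uploads and renames arriving over WebDAV.
#    Both methods in one condition, case-insensitive, extension anchored so
#    shell.PHP, a.phtml, x.php5 and y.phar are caught as well as z.php.
#    $2 is the matched extension, so .php becomes .nophp, .phtml .nophtml.
RewriteCond %{REQUEST_METHOD} ^(PUT|MOVE)$ [NC]
RewriteRule ^/files/(.*)\.(php|phtml|phar|php[0-9])$ /files/$1.no$2 [NC]

# 2. Defence in depth: the rule above never sees a POST upload handled by
#    an application script, so the directory itself must not execute PHP.
<Directory "/var/www/html/files">
    # mod_php only: turn the engine off for this tree.
    <IfModule php_module>
        php_admin_flag engine Off
    </IfModule>

    # Drop any handler/type mapping inherited from the parent scope so a
    # .php file here is an opaque file, never a script.
    RemoveHandler .php .phtml .phar .php5
    RemoveType    .php .phtml .phar .php5
    SetHandler    None

    # Refuse to serve PHP-looking files at all, so source is not leaked.
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>

    # No CGI or SSI from the upload directory, and no .htaccess overrides
    # that an uploader could plant to undo the above.
    Options -ExecCGI -Includes
    AllowOverride None
</Directory>
```

To check it, PUT a file over WebDAV (curl -T test.php http://host/files/test.php) and confirm that /var/www/html/files/test.nophp was written and no test.php exists; then copy a real test.php into the directory by hand and confirm that a GET for /files/test.php returns 403 rather than running it. If the rule is placed in a .htaccess file in the site root instead of httpd.conf, the pattern is matched without the leading slash, so write it as ^files/(.*)\.(php|phtml|phar|php[0-9])$ there; the <Directory> block itself belongs in httpd.conf, since AllowOverride None would otherwise disable the .htaccess that carries it.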


About Shi Chuan

I am a web developer.
This entry was posted in HTTP Server.

4 Responses to Apache htaccess Prevent Users from Uploading and Executing Files

  1. manoranjan says:

    You mention a very good thought that I must appreciate; I have not thought of this before. Thanks.

  2. Pingback: Cleaning a Black Hat SEO Indexhibit Hack Attack

  3. DDV says:

    Thank you, Shi, I’ll put this to good use.

  4. John says:

    Well I do have a question about this, and it seems not to work.

    Normally you see this in use, see below:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^PUT$ [OR]
    RewriteCond %{REQUEST_METHOD} ^MOVE$
    RewriteRule ^/(.*)\.php /files/$1.nophp

    Now my question is, do I have to change this;

    to this, when I have more RewriteRules?
    RewriteRule ^/(.*)\.php /files/$1.nophp
    RewriteRule ^/(.*)\.html /files/$2.nohtml
    RewriteRule ^/(.*)\.htm /files/$3.nohtm
    RewriteRule ^/(.*)\.doc /files/$4.nodoc
    RewriteRule ^/(.*)\.txt /files/$5.notxt
    RewriteRule ^/(.*)\.tpl /files/$6.notpl
    RewriteRule ^/(.*)\.csv /files/$7.nocsv
    RewriteRule ^/(.*)\.exe /files/$8.noexe
    RewriteRule ^/(.*)\.dll /files/$9.nodll

    Because when I use only RewriteRule ^/(.*)\.php /files/$1.nophp and change only the extension to another one in a new RewriteRule, it does not work at all. This person can upload everything he wants. That is the reason why I try to block him for all the different extensions.

    So who knows what I am doing wrong here, please advise. Thank you very much for your reply.
