[pmwiki-users] Disallow scripts in upload directories

Carlos AB cabsec.pmwiki at gmail.com
Tue Mar 19 14:00:39 CDT 2013

I did some testing, but I did it so kickly that in the end I have sent my
report e-mails to Oliver - sorry Oliver - in error as it was supposed to be
sent to the list, well here is a summary of all the e-mails.


!1st e-mail

I care a lot, but I know very little about it and I am just waiting to see
to what conclusion you both are going to get.

Even though I know very little, I will try it myself and report.


!2nd e-mail

Tested in 1dollar-webhosting servers  where my site is hosted (shame), what
I get while trying to upload the file called forrest.php, which has the
following code inside.

echo "<p>Run Forrest! Run!</p>"

While trying to upload the file I got redirected to the url bellow:


That has the following message :

Alerta de segurança

O arquivo que você está tentando fazer upload foi rejeitado pelo servidor.
Provavelmente, o arquivo contém vírus ou trojans que podem danificar seu
Não tente carregá-lo novamente como seu endereço de IP pode ser

The message might be shown in other languages I guess, the encoding is
wrong here in this e-mail and where the message is located. ( I believe it
also depends on your e-mail reader, browser and encoding detection)

Briefly the message says that the file was rejected for upload and if I
insist in uploading, my ip could be banned.

I could not upload the file even with different extensions, including
".txt" and also trying to make the code hard to detect.

This behavior is not good for me as I write code there and I wish I could
upload the code as php files, but this is just my situation.


!3rd e-mail

I have discovered one thing, when using this in .htaccess, and I hope I am
doing it right:

Options -ExecCGI
SetHandler default-handler

I just recieve an 404 message when trying to get  to "/uploads/".

While just using:

Options -ExecCGI

I can read the folder and access the other folders inside it, even though
the folders inside "/uploads/" appear as if they were displayed in the
wrong encoding as well, as some of the words forming folder names
use diacritics.

This is my report.


2013/3/13 Petko Yotov <5ko at 5ko.fr>

> I'd like to read some opinions from different people about this question -
> if you can do some tests on your own servers, please find out what
> .htaccess settings disallow script execution for the uploaded files on your
> wiki, and report here.
> Thanks!
> Petko
> Oliver Betz writes:
>> In addition, I suggest to completely disallow execution of scripts in
>> upload directories.
>> For Apache .htaccess I found:
>> "Options -ExecCGI" - that's very effective in usual virtual hosting
>> environments but doesn't help for languages running as module.
>> "SetHandler default-handler" works also for script languages running
>> as module.
>> Before I add this information to the PmWiki documentation, I would
>> appreciate comments from people with better Apache knowledge.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20130319/0db935f0/attachment.html>

More information about the pmwiki-users mailing list