[pmwiki-users] Disallow scripts in upload directories
cabsec.pmwiki at gmail.com
Tue Mar 19 14:00:39 CDT 2013
I did some testing, but I did it so kickly that in the end I have sent my
report e-mails to Oliver - sorry Oliver - in error as it was supposed to be
sent to the list, well here is a summary of all the e-mails.
I care a lot, but I know very little about it and I am just waiting to see
to what conclusion you both are going to get.
Even though I know very little, I will try it myself and report.
Tested in 1dollar-webhosting servers where my site is hosted (shame), what
I get while trying to upload the file called forrest.php, which has the
following code inside.
echo "<p>Run Forrest! Run!</p>"
While trying to upload the file I got redirected to the url bellow:
That has the following message :
Alerta de seguranÃ§a
O arquivo que vocÃª estÃ¡ tentando fazer upload foi rejeitado pelo servidor.
Provavelmente, o arquivo contÃ©m vÃrus ou trojans que podem danificar seu
NÃ£o tente carregÃ¡-lo novamente como seu endereÃ§o de IP pode ser
The message might be shown in other languages I guess, the encoding is
wrong here in this e-mail and where the message is located. ( I believe it
also depends on your e-mail reader, browser and encoding detection)
Briefly the message says that the file was rejected for upload and if I
insist in uploading, my ip could be banned.
I could not upload the file even with different extensions, including
".txt" and also trying to make the code hard to detect.
This behavior is not good for me as I write code there and I wish I could
upload the code as php files, but this is just my situation.
I have discovered one thing, when using this in .htaccess, and I hope I am
doing it right:
I just recieve an 404 message when trying to get to "/uploads/".
While just using:
I can read the folder and access the other folders inside it, even though
the folders inside "/uploads/" appear as if they were displayed in the
wrong encoding as well, as some of the words forming folder names
This is my report.
2013/3/13 Petko Yotov <5ko at 5ko.fr>
> I'd like to read some opinions from different people about this question -
> if you can do some tests on your own servers, please find out what
> .htaccess settings disallow script execution for the uploaded files on your
> wiki, and report here.
> Oliver Betz writes:
>> In addition, I suggest to completely disallow execution of scripts in
>> upload directories.
>> For Apache .htaccess I found:
>> "Options -ExecCGI" - that's very effective in usual virtual hosting
>> environments but doesn't help for languages running as module.
>> "SetHandler default-handler" works also for script languages running
>> as module.
>> Before I add this information to the PmWiki documentation, I would
>> appreciate comments from people with better Apache knowledge.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the pmwiki-users