[pmwiki-users] Disallow scripts in upload directories
Carlos AB
cabsec.pmwiki at gmail.com
Tue Mar 19 14:00:39 CDT 2013
I did some testing, but I did it so quickly that in the end I sent my
report e-mails to Oliver - sorry Oliver - in error, as they were supposed to be
sent to the list. Well, here is a summary of all the e-mails.
----
!1st e-mail
I care a lot, but I know very little about it and I am just waiting to see
to what conclusion you both are going to get.
Even though I know very little, I will try it myself and report.
----
!2nd e-mail
Tested in 1dollar-webhosting servers where my site is hosted (shame), what
I get while trying to upload the file called forrest.php, which has the
following code inside.
-----8x-----
<?php
// harmless test script used to check whether the host executes uploaded PHP
echo "<p>Run Forrest! Run!</p>";
-----8x-----
While trying to upload the file I got redirected to the URL below:
http://codex.wiki.br/cgi-sys/amplugin.shtml
That has the following message :
"
Alerta de segurança
O arquivo que você está tentando fazer upload foi rejeitado pelo servidor.
Provavelmente, o arquivo contém vÃrus ou trojans que podem danificar seu
website.
Não tente carregá-lo novamente como seu endereço de IP pode ser
bloqueada."
The message might be shown in other languages I guess, the encoding is
wrong here in this e-mail and where the message is located. ( I believe it
also depends on your e-mail reader, browser and encoding detection)
Briefly, the message says that the file was rejected for upload and that if I
insist on uploading it, my IP could be banned.
I could not upload the file even with different extensions, including
".txt" and also trying to make the code hard to detect.
This behavior is not good for me as I write code there and I wish I could
upload the code as php files, but this is just my situation.
----
!3rd e-mail
I have discovered one thing, when using this in .htaccess, and I hope I am
doing it right:
-----8x-----
Options -ExecCGI
SetHandler default-handler
-----8x-----
I just receive a 404 message when trying to get to "/uploads/".
While just using:
-----8x-----
Options -ExecCGI
-----8x-----
I can read the folder and access the other folders inside it, even though
the folders inside "/uploads/" appear as if they were displayed in the
wrong encoding as well, as some of the words forming folder names
use diacritics.
This is my report.
CarlosAB
2013/3/13 Petko Yotov <5ko at 5ko.fr>
> I'd like to read some opinions from different people about this question -
> if you can do some tests on your own servers, please find out what
> .htaccess settings disallow script execution for the uploaded files on your
> wiki, and report here.
>
> Thanks!
> Petko
>
> Oliver Betz writes:
>
>> In addition, I suggest completely disallowing execution of scripts in
>> upload directories.
>>
>> For Apache .htaccess I found:
>>
>> "Options -ExecCGI" - that's very effective in usual virtual hosting
>> environments but doesn't help for languages running as module.
>>
>> "SetHandler default-handler" works also for script languages running
>> as module.
>>
>> Before I add this information to the PmWiki documentation, I would
>> appreciate comments from people with better Apache knowledge.
>>
>
----
Codex
http://codex.wiki.br/
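Putting the thread's two directives together in layers, as an added example that is not from the original thread or from PmWiki: a defence-in-depth .htaccess for the uploads directory. It assumes Apache 2.4, an AllowOverride that permits Options, FileInfo and AuthConfig, and mod_php where PHP runs as a module.

```apache
# .htaccess for PmWiki's uploads/ directory (added example, not from the thread)
# Assumes Apache 2.4 and an AllowOverride that includes Options, FileInfo and
# AuthConfig; a directive that is not permitted makes Apache answer 500 for the
# whole directory, so check the server error log after installing this file.

# Layer 1: no CGI, no server-side includes, no directory listings.
# As noted in the thread, this alone does not stop languages running as a module.
Options -ExecCGI -Includes -Indexes

# Layer 2: serve every file as static content whatever its extension, which
# also covers module interpreters such as mod_php. Side effect seen in the
# thread: a request for the directory itself (/uploads/) now returns 404,
# which is harmless because attachments are always linked by file name.
SetHandler default-handler

# Layer 3: if mod_php is loaded, switch the engine off here as well
# (module names differ by PHP version: mod_php7.c for PHP 7, mod_php.c for PHP 8).
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Layer 4: refuse to serve files carrying a script extension anywhere in the
# name, so a stored "x.php" or "x.php.txt" is neither executed nor downloadable
# (AddHandler-style configurations can map on any extension, not only the last).
# Extend the list to match the interpreters installed on your host.
<FilesMatch "\.(php|phtml|phar|php[0-9]|pl|py|cgi|sh|shtml)(\.|$)">
    Require all denied
</FilesMatch>
```

After installing it, fetch a test file such as the forrest.php above with a browser or curl: the expected result is the raw source served as text (layers 1 to 3) or a 403 (layer 4), never the rendered paragraph.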