Twelvestone / Back End

.htaccess deny serving all files but jpg


scudsucker
 
2010-07-21

Hi,

An ex-client of mine had their website hacked, and a French PayPal phishing site created in the /uploads/ folder.

The site has been messed with extensively by other developers since I last saw it, so I am not that happy to take responsibility for fixing the security. It was originally a custom php gallery site, but has apparently had wordpress installed in parallel.

Plus I have not done PHP dev for a year or so. However... I must do something. And that something must be both proactive and reactive, i.e. try to stop attacks on the way in, and deal with them once in, as I will never be able to foresee and forestall all possible vulnerabilities.

Now aside from the regular things such as removing the old copy of FCKeditor (which has unsecured uploads, doh!), setting the permissions on the uploads folder to 744 (or whatever), ensuring that what gets uploaded is actually an image using getimagesize(), ... etc etc

...it occurred to me that I should be able to use .htaccess to deny any request for a file type other than .jpg

In fact, I could create an .htaccess that allows only .jpgs to be served, and redirects all other file requests to a page that deletes the file, right?

So- what can I add to the .htaccess that will go into the uploads folder to prevent anything but jpgs from being served?

    order deny,allow
    deny from all

    Options -ExecCGI
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .html .shtml .sh .cgi .zip

Stickman
 
2010-07-21

This will redirect all requests to non-jpeg files to 'foo.php':

    Options +FollowSymlinks
    RewriteEngine on
    RewriteRule !.*\.(jpg|jpeg)$ foo.php [NC]

...of course you can change that to point to whatever script you want, which can then do the deletion or whatever and show an error when it's done.

scudsucker
 
2010-07-21

Rocking thanks - then all I need to do is obtain the URL of the current request, strip off the file name and delete it - which is easy.

the real me
 
2010-07-21

Be careful on your delete script. That could be dangerous. Make certain to check for directory traversal tricks and stuff.

scudsucker
 
2010-07-21

Good point - else someone might realise that they can delete the .htaccess and poof! there goes my idea.
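An added example, not posted by anyone in this thread: a complete .htaccess for the /uploads/ directory that answers scudsucker's question with an allow-list rather than a rewrite. Every request is refused except for filenames ending in .jpg or .jpeg, and the PHP handler is stripped so that a file the filename check misses still cannot execute. The directive names are standard Apache (both the 2.2 syntax current when the thread was written and the 2.4 equivalent are included); the directory name, the extension list and the mod_php5 module name are assumptions.

```apache
# Added example (not from the thread): .htaccess placed in /uploads/.
# Goal: serve only .jpg/.jpeg, refuse everything else, and make sure nothing
# in this directory can execute even if the serve rule is bypassed.

# 1. Deny by default, then allow only JPEG filenames (case-insensitive).
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require all denied
    <FilesMatch "(?i)\.jpe?g$">
        Require all granted
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax (the version current in 2010)
    Order deny,allow
    Deny from all
    <FilesMatch "(?i)\.jpe?g$">
        Allow from all
    </FilesMatch>
</IfModule>

# 2. Defence in depth: remove the PHP handler and MIME type so an uploaded
#    script is treated as an opaque file, never run. Extension list is assumed.
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5
<IfModule mod_php5.c>
    # Only has effect when PHP runs as mod_php; harmless otherwise.
    php_flag engine off
</IfModule>

# 3. No CGI execution and no directory listings in the uploads folder.
Options -ExecCGI -Indexes
```

Because the request is refused outright, the redirect-to-a-delete-script step is no longer needed, which also removes the traversal risk the real me points out: no request path is ever handed to unlink(). Anything already dropped in the folder is better cleaned up once, by hand or from a cron job, than by attacker-triggered requests. Two things to check on the server: AllowOverride for that directory must permit the Limit, FileInfo and Options groups, or Apache will ignore the file (or answer 500); and if PHP runs through CGI/FastCGI rather than mod_php, the php_flag line is inert, which is why the RemoveHandler and RemoveType lines are there as well. Note too that a foo.php-style handler placed inside /uploads/ would itself be denied by this file, so such a script has to live elsewhere.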
