Friday, April 17, 2015

Disable PHP file execution in a certain directory

Most websites allow users to upload files, such as images or spreadsheets, which are stored in a certain directory. For security reasons, it is good practice to disable server-side parsing of scripts such as PHP in that directory.

As a programmer, you must be concerned about the security of your program: all data sent by users should be validated before being stored on the server. This helps prevent LFI/RFI vulnerabilities and hardens the system against exploits.

If you have access to the httpd.conf file, add the following rule to your virtualhost:
<VirtualHost *:80>
   ...
   ...
   <Directory "/path/to/my/web/uploads/directory">
     php_flag engine off
   </Directory>
</VirtualHost>

* Please replace /path/to/my/web/uploads/directory with your target directory.

Then save the file and restart your apache2 service. PHP files can no longer be executed from that directory. If you don't have permission to edit httpd.conf, don't worry: you can deny PHP file execution with an .htaccess rule:
php_flag engine off

All of these techniques turn off the PHP engine ;)
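
To check that an upload directory really ends up with the engine off, and that a .htaccess file placed in it is not permitted to change the setting, here is an added example (not part of the original post) that audits a config file's `<Directory>` blocks. It assumes PHP runs as an Apache module (mod_php), which is what provides `php_flag` and `php_admin_flag`; the sample config, its paths and the `audit_upload_dir` helper are constructed for illustration, and the merge logic is a simplified model that ignores Include files and wildcard or regex sections.

```python
import re
from pathlib import PurePosixPath

# Constructed sample config for the demo; paths are hypothetical.
SAMPLE_CONF = '''
<VirtualHost *:80>
    <Directory "/var/www/site">
        AllowOverride All
    </Directory>
    <Directory "/var/www/site/uploads">
        php_flag engine off
    </Directory>
    <Directory "/var/www/site/avatars">
        AllowOverride None
        php_admin_flag engine off
    </Directory>
</VirtualHost>
'''
OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)
FLAG = re.compile(r'^(php_flag|php_admin_flag)\s+engine\s+(\S+)$', re.I)
OVERRIDE = re.compile(r'^AllowOverride\s+(.+)$', re.I)

def audit_upload_dir(conf_text, upload_dir):
    """Report the PHP engine state that the config gives upload_dir."""
    target, blocks, current = PurePosixPath(upload_dir), [], None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if OPEN.match(line):
            current = {'path': PurePosixPath(OPEN.match(line).group(1)), 'lines': []}
            blocks.append(current)
        elif line.lower().startswith('</directory'):
            current = None
        elif current is not None and not line.startswith('#'):
            current['lines'].append(line)
    # Simplified merge: blocks for the directory or a parent, shortest path first.
    # AllowOverride is assumed to be None when unset (the Apache 2.4 default).
    res = {'engine': 'unset', 'locked': False, 'override': 'none'}
    hits = [b for b in blocks if b['path'] == target or b['path'] in target.parents]
    for block in sorted(hits, key=lambda b: len(b['path'].parts)):
        for line in block['lines']:
            if m := FLAG.match(line):
                res['engine'] = 'off' if m.group(2).lower() in ('off', '0') else 'on'
                res['locked'] = m.group(1).lower() == 'php_admin_flag'
            elif m := OVERRIDE.match(line):
                res['override'] = m.group(1).lower()
    # .htaccess php_flag needs AllowOverride Options/All; php_admin_flag is fixed.
    allowed = any(o == 'all' or o.startswith('options') for o in res['override'].split())
    res['htaccess_can_change'] = allowed and not res['locked']
    res['ok'] = res['engine'] == 'off' and not res['htaccess_can_change']
    return res
```

On the sample, `/var/www/site/uploads` has the engine off but is reported as not ok because the parent's `AllowOverride All` still lets a .htaccess file change the setting, while `/var/www/site/avatars` passes.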
