For a while it has bothered me that code was able to be loaded to wp-content/uploads on a wordpress site, then executed (for example, loading php code in a gif image is a common tactic). I've decided to enable a no-execute line, but wasn't' sure how to do it. My first attempt follows.
Add to the htaccess file in the directory to block the following directive (basically disabling execution of php files):
AddType text/plain phpThe idea may need refinement, basically, no code will run. If you have other code extensions calling handlers (like .php5 or .pl or similar), then the line would change. I'm not sure this is 100% desired, but does change my test program from executing to returning the code, I used echo("running") as my example. Since there's no code handler for text/plain, the server sends it to the client directly, maybe with compression, but with no backend processing. This seems adequate to default a large chunk of malicious upload exploits.
No comments:
Post a Comment