WordPress.org

Ready to get started?Download WordPress

Forums

prevent malicious scripts w/ SetHandler no-handler (9 posts)

  1. thecoup
    Member
    Posted 2 years ago #

    hey folks,

    Dreamhost has added a new htaccess file to uploads for security. I'm wondering what you think of the technique and whether you would apply it to multisite installations.

    They're adding .htaccess to the uploads directory so that any malicious script added here will be downloaded instead of executed. It includes:
    SetHandler no-handler

    To apply this to multisites, would adding it to blogs.dir be enough? Or would each site's directory need a copy?

    What do you think?

  2. MickeyRoush
    Member
    Posted 2 years ago #

    SetHandler no-handler

    Is that all that's in it? I'm not familiar using 'no-handler'. I'm wondering if it would be better to use 'None' as the value.

    http://httpd.apache.org/docs/2.0/mod/core.html#sethandler

    Or would it be better to following this:
    http://codex.wordpress.org/htaccess_for_subdirectories

  3. MickeyRoush
    Member
    Posted 2 years ago #

    Or maybe that's a handler-name they have added themeselves?

  4. gwc_wd
    Member
    Posted 2 years ago #

    I tried this as well as Sethandler none (from the Apache docs). Neither worked for me. Tested using a small phpinfo script.

    I would like feedback on some lines that I found that do work, again learned from the Apache docs, but that doesn't mean I understand what I'm doing (smile)

    <FilesMatch "\.(php|html|htm|xhtml|xml|cgi|php5|php4|php3|php2|phtml|phtm|bat|sh|js)$">
    deny from all
    </FilesMatch>
    <Files "projecthoneypotfile.php">
    allow from all
    </Files>

    Adding this to an htaccess file in the uploads directory on a single site appears to work and adding it to the blogs.dir on a multisite also seems to cover off all member blogs. Are there considerations I am missing or problems I am likely to cause myself by using these htaccess files?

    I found a lot of old examples on the web that use Files instead of FielsMatch, but I used FielsMatch because the Apache Docs say it is preferred. Also the search engine results examples are to deny everything except image files, which appears easier but is a bit too restrictive for my needs.

  5. gwc_wd
    Member
    Posted 2 years ago #

    MickeyRoush: I just followed the codex link you posted and it is much more thorough than what I have been able to learn on my own. Thank you for the link! Odd that it was not returned in my google or ixquick searches.

  6. MickeyRoush
    Member
    Posted 2 years ago #

    @ gwc_wd.

    I believe WordPress.org is in the process of renaming/moving that page. I had it my custom guide and that may be why I was able to access it directly.

    What exactly are you wanting to do with your uploads .htaccess?

    If you want to block everything but only allow certain files, you could try this, that I came up with myself.

    # Only allow jpg, jpeg, png, gif, and pdf files.
    Order Allow,Deny
    <FilesMatch "\.([Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Pp][Dd][Ff])$">
    Allow from all
    </FilesMatch>

    The allow,deny directive means any requests which do not match an Allow or a Deny directive are denied by default. So in those rules you are only allowing the specific files upper and lower case and nothing else.

    If you only wanted to allow the file: projecthoneypotfile.php yours could look like this:

    Order Allow,Deny
    <FilesMatch "^projecthoneypotfile\.php$">
    Allow from all
    </FilesMatch>

    My understanding is that FilesMatch accepts more/better usage of regex over Files. That's why it's preferred. Don't forgot to escape literal periods using a slash \

  7. gwc_wd
    Member
    Posted 2 years ago #

    Thanks for that.

    What I was focused on is preventing any executable files of any kind from being called from the uploads directory. I'm aware of a site that was infected with a malicious php script and I really, really don't want to be next. But the PHPot php file has to be accessible or I break my honey pot.

    Having spent a couple of days learning, I'm now reconsidering that maybe the more widespread example of banning everything except a specific list is the right way to go.

    Not sure why I think someone might need to upload something other than an image or pdf, just had a nagging itch. It occurs to me now that if it ever does come up, I can always edit the htaccess file then (laugh).

    Is it safe or correct to have running Files / FilesMatch blocks? So for example:

    # Only allow jpg, jpeg, png, gif, and pdf files.
    Order Allow,Deny
    <FilesMatch "\.([Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Pp][Dd][Ff])$">
    Allow from all
    </FilesMatch>
    # But allow PHPot file
    <Files "projecthoneypotfile.php">
    allow from all
    </Files>

    And will the Order statement be affected by the one in my root .htaccess file where I have it reversed to protect the config file while not blocking the whole site:

    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>
  8. MickeyRoush
    Member
    Posted 2 years ago #

    Is it safe or correct to have running Files / FilesMatch blocks?

    I believe you should be fine, but I personally would just stick to using FilesMatch, I may be mistaken, but Files is supposed to be depreciated at some time, if not already. But use whatever works for you.

    Not sure why I think someone might need to upload something other than an image or pdf, just had a nagging itch. It occurs to me now that if it ever does come up, I can always edit the htaccess file then (laugh).

    Yes, you can put whatever you want to allow there. I just put some common file extensions. But WordPress allows many:

    I believe it starts at about line 2435
    http://core.trac.wordpress.org/browser/tags/3.3.1/wp-includes/functions.php

    And will the Order statement be affected by the one in my root .htaccess file where I have it reversed to protect the config file while not blocking the whole site:

    .htaccess files are cumulative. They not only apply to the directory containing them, but also to all subordinate directories sort of like a hierarchy. So your root .htaccess file will affect your uploads .htaccess, but not vice-versa. So you are fine.

  9. MickeyRoush
    Member
    Posted 2 years ago #

    Note that this is only a partial solution. What happens if they upload a file extension like so:

    shellupload.php.jpg

    It will be allow due to the .jpg. Then they can use something like Live HTTP Headers or Tamper Data for Firefox to rename the extension to shellupload.php by removing the .jpg part. I have also seen this done with a file name like shellupload.phtml.jpg

    So now you need to block double or more extensions. You'll need to add this after the rest of your rules.

    # Block double extensions from being uploaded or accessed
    <FilesMatch "\.([^.]+)\.([^.]+)$">
    Order Deny,Allow
    Deny from all
    </FilesMatch>

    What that says is:
    If a literal period, followed by any character not a period one or more times, followed by another literal period, followed by any character not a period one or more types is denied.

    So any combination of a double extension, triple extension, or more, no matter how many characters, is denied.

Topic Closed

This topic has been closed to new replies.

About this Topic