BulletProof Security
[resolved] Kill PHP Execution for uploads folder (6 posts)

  1. icing
    Member
    Posted 2 years ago

    Was reading this article on WordPress Security. Maybe you have already read it. If not, then please do.

    One question: does BulletProof Security protect from PHP execution (mentioned in that article)? That article says that the uploads folder is vulnerable and should be protected with a .htaccess file. Is this already done in BPS?

    Thanks

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 2 years ago

    Quoting from the Article...

    2. Kill PHP execution.
    Often the weakest link in any WordPress chain is the /uploads/ directory. It is the only directory that needs to be writable in your installation. You can make it more secure by preventing anyone from executing PHP. It’s simple to do. Add the following to the .htaccess file at the root of the directory. If the file doesn’t exist, create it.

    <Files *.php>
    Deny from All
    </Files>

    ...this could be helpful to protect the /uploads folder, but how it could be beaten would be if the hacker's file was named something like this: hackerPHPFileDisguisedAsAJPGFile.php.jpg.

    Currently BPS does not have .htaccess coding to protect the /uploads folder in a specific way and only has general security protection, but specific .htaccess security coding for the /uploads folder will eventually be added. What needs to be worked out first is how not to interfere with normal image uploading and image retrieval and still prevent exploits such as the one I just pointed out.

    Offhand, the simplest method would be to look at the file name and, if it contains the pattern ".php" anywhere in the file name, then do X.

    This regex would match both .php and .php., so it would be a little better to use:

    <FilesMatch "\.(php|php\.)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>

    And another thing to consider and factor in is forcing the MIME type, which I think WP is already doing anyway.

  3. AITpro
    Member
    Plugin Author

    Posted 2 years ago

    Also, since I have never tested this code I just posted, it may be that you need to do a regex match to the end of the file name for this to be effective.

    Matches .php, .php.jpg, .php.gif, .php.png, etc.

    # Deny any file whose name has ".php" as an extension component, either as
    # the last extension (shell.php) or followed by a dot (shell.php.jpg, shell.php.)
    <FilesMatch "\.php(\.|$)">
    Order Allow,Deny
    Deny from all
    </FilesMatch>

  4. icing
    Member
    Posted 2 years ago

    Thanks for your reply. Will look forward to this functionality in BPS. Till then will just create a simple .htaccess with the code from your last post. Will report back in this thread if it hampers functionality.

  5. icing
    Member
    Posted 2 years ago

    Useful comment from MickeyRoush on the SmashingMag article.

    Your “Kill PHP Execution” code has an error. You’re using “FilesMatch” then “Files” to close it. You need to change the “Files” to “FilesMatch” to close it.

    For your “Kill PHP Execution” for the uploads directory it would be better to white-list instead of blacklist, since there are many extensions that could be executable.

    Something like this (I originally tried to paste the code here, but it gets stripped for some reason):

    http://pastebin.com/49MrrbTp

    Please note that the above works best for Apache 2.x and above. One, FilesMatch is much better utilized for PCRE. Two, the above prevents any double extensions as well, so no .php.jpg or anything that can be changed using Live HTTP Headers, etc.

    So the rule says: only allow the following case-insensitive single file extensions: jpeg, jpg, png, gif, pdf.

    “[^.]+” means not a literal period, one or more times.

    “(?:[Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Pp][Dd][Ff])” or “(?i:jpe?g|png|gif|pdf)” means these case-insensitive file extensions.

    You could create your own list depending on your needs.
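
The three approaches in this thread (the article's `<Files *.php>` glob, a `.php` blacklist of the kind posts 2 and 3 are aiming for, and the single-extension whitelist post 5 describes) differ mainly in which disguised filenames slip through. The script below is an added example, not code from the thread or from BulletProof Security: it replays each rule against constructed filenames in Python's `re`, which handles these patterns the same way Apache's PCRE does. The blacklist regex `\.php(\.|$)` is a corrected blacklist written for this example; the whitelist regex is rebuilt from post 5's explanation; and `php_runs_under_addhandler` is an assumption that PHP is wired up with `AddHandler application/x-httpd-php .php`, where mod_mime treats every dot-separated component after the first as an extension, case-insensitively. Servers that use `<FilesMatch "\.php$"> SetHandler ...` instead do not execute `.php.jpg` that way.

```python
"""Which upload filenames does each .htaccess rule from the thread still serve?

Added example, not from the thread or from BulletProof Security.
"""
import fnmatch
import re

# The article's <Files *.php>: a shell-style glob on the basename, case-sensitive on Linux.
FILES_GLOB = "*.php"

# Corrected blacklist (written for this example): deny when ".php" is an extension
# component, whether last (shell.php) or followed by a dot (shell.php.jpg, shell.php.).
# Case-sensitive, like a FilesMatch pattern without (?i).
BLACKLIST = re.compile(r"\.php(\.|$)")

# Whitelist rebuilt from post 5: a dot-free stem, then exactly one allowed extension,
# any case. "[^.]+" in the stem is what rules out double extensions.
WHITELIST = re.compile(r"^[^.]+\.(?i:jpe?g|png|gif|pdf)$")


def php_runs_under_addhandler(name):
    """Assumed server config: AddHandler ... .php, so any 'php' extension component,
    in any case, hands the file to PHP (mod_mime multiple-extension behaviour)."""
    return any(part.lower() == "php" for part in name.split(".")[1:])


def served_by_files_glob(name):
    return not fnmatch.fnmatchcase(name, FILES_GLOB)


def served_by_blacklist(name):
    return BLACKLIST.search(name) is None


def served_by_whitelist(name):
    return WHITELIST.search(name) is not None


def evaluate(name):
    """Per-rule verdict (True = the rule lets Apache serve the file) plus whether
    PHP would execute it under the assumed AddHandler setup."""
    return {
        "files_glob": served_by_files_glob(name),
        "blacklist": served_by_blacklist(name),
        "whitelist": served_by_whitelist(name),
        "php_executes": php_runs_under_addhandler(name),
    }


def bypasses(name):
    """Rules that would serve `name` even though PHP would run it: the real failures."""
    r = evaluate(name)
    if not r["php_executes"]:
        return []
    return [rule for rule in ("files_glob", "blacklist", "whitelist") if r[rule]]


# Constructed filenames covering the cases raised in the thread.
SAMPLES = [
    "photo.jpg",                                  # legitimate upload
    "Photo.JPEG",                                 # legitimate, mixed case
    "shell.php",                                  # the obvious case
    "hackerPHPFileDisguisedAsAJPGFile.php.jpg",   # post 2's double extension
    "shell.PHP",                                  # case trick: mod_mime matches, a case-sensitive regex does not
    "shell.php.",                                 # trailing dot
    "a.b.jpg",                                    # harmless, but the whitelist rejects dotted stems
]

if __name__ == "__main__":
    for name in SAMPLES:
        r = evaluate(name)
        verdict = lambda ok: "serve" if ok else "deny"
        print(f"{name:44} glob={verdict(r['files_glob'])} blacklist={verdict(r['blacklist'])} "
              f"whitelist={verdict(r['whitelist'])} php={'runs' if r['php_executes'] else 'no'} "
              f"bypass={bypasses(name)}")
```

Run it and the output shows the two gaps the thread circles around: the glob serves `shell.php.jpg`, and a case-sensitive blacklist serves `shell.PHP` even though mod_mime would hand both to PHP; the whitelist denies everything except the five listed image types, at the cost of also refusing harmless names with a dot in the stem such as `a.b.jpg`. Whichever pattern you pick, on Apache 2.4 the `Order Allow,Deny` / `Deny from all` pair inside the block is written `Require all denied`.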

  6. AITpro
    Member
    Plugin Author

    Posted 2 years ago

    Yep, that code looks good to me. Also, you don't have to use just one bit of code and could use several layers of protection by using several snippets of code. ;)

Topic Closed

This topic has been closed to new replies.