Is there a way, using .htaccess, that I can tell Apache to hand certain JS, CSS and GIF files to PHP?
I thought the default for PHP was to execute a file regardless - the minute it detected PHP start tags or similar?
I had a server hijacked a while back because I allowed uploading of images based on file extension only, which an attacker used to upload a PHP script disguised as a *.GIF file?
How do I enable that functionality?
CSS file execute as PHP
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
Re: CSS file execute as PHP
Hockey wrote: I thought the default for PHP was to execute a file regardless - the minute it detected PHP start tags or similar?
No, you're telling the webserver which files are to be handled by PHP.
For Apache, e.g.:
http://www.php.net/manual/en/install.unix.apache2.php wrote: AddType application/x-httpd-php .php .phtml
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
superdezign wrote: I'm not familiar with the usage of .htaccess for changing files, but you could always check the headers of the file being uploaded as a validation that it's not an html, php, js, or css file. Also, $_FILES['file']['type'] should be of use to your upload script.
Hehe...I'm not looking to secure my upload script...I was just recalling how an attacker used a GIF which was actually a PHP script to carry out an attack on my server. Besides, I don't think checking $_FILES would be a safe method. The only safe bet is to check a file's magic bytes in the actual file itself.
volka, thanks for that snippet, but how then did that attacker I mentioned use a GIF to carry out a PHP attack?
Come to think of it, maybe it was image.php.gif
But I am sure someone here told me that PHP just executed whatever was thrown at it...
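An added example, not part of the thread or any poster's code: one way an upload script can combine the checks discussed above (the magic bytes in the file itself, plus every extension in a name such as image.php.gif) before storing a GIF. The function name `safeGifName` is hypothetical, and the extension list is taken from the AddType line quoted above; it is assumed to mirror whatever the server actually maps to PHP.

```php
<?php
// Added example. Extensions taken from the AddType line quoted in the thread;
// assumption: extend this to match the server's own AddType/AddHandler lines.
const SCRIPT_EXTENSIONS = ['php', 'phtml'];

/**
 * Returns a server-generated storage name for an acceptable GIF upload,
 * or null when the upload must be rejected. (Hypothetical helper.)
 */
function safeGifName(string $clientName, string $bytes): ?string
{
    // 1. Inspect every dot-separated part, not just the last one:
    //    "image.php.gif" ends in .gif but still carries a .php part.
    $parts = explode('.', strtolower(basename($clientName)));
    array_shift($parts); // drop the base name, keep the extensions
    if ($parts === [] || end($parts) !== 'gif') {
        return null;
    }
    if (array_intersect($parts, SCRIPT_EXTENSIONS) !== []) {
        return null;
    }

    // 2. Check the magic bytes in the file itself. The browser-supplied
    //    $_FILES[...]['type'] is client-controlled and is not consulted.
    $magic = substr($bytes, 0, 6);
    if ($magic !== 'GIF87a' && $magic !== 'GIF89a') {
        return null;
    }

    // 3. A valid GIF header does not rule out a PHP open tag further in.
    if (stripos($bytes, '<?php') !== false) {
        return null;
    }

    // 4. Never reuse the client's name; store under a random one.
    return bin2hex(random_bytes(16)) . '.gif';
}

// Constructed sample inputs, not real uploads.
$gif  = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
$fake = 'GIF89a' . '<?php';
var_dump(safeGifName('logo.gif', $gif));             // plain GIF
var_dump(safeGifName('image.php.gif', $gif));        // double extension
var_dump(safeGifName('logo.gif', $fake));            // GIF header, PHP tag inside
var_dump(safeGifName('logo.gif', '<html>no gif'));   // wrong magic bytes
```

In a real upload handler the bytes would come from `file_get_contents($_FILES['file']['tmp_name'])`, and the returned name would be used with `move_uploaded_file()` into a directory the web server does not hand to PHP.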