I have some directories which have user uploaded files and they reside a few levels deep into the docroot.
docroot/images/
docroot/storage/
docroot/storage/documents/
docroot/storage/templates/
The last two are where the files are uploaded by end users -- arbitrary files, no checks...that means a hacker could upload a PHP script into either and then access that script using the browser and potentially view source code, delete files, etc.
To prevent this I setup a proxy script inside the 'docroot/storage' directory, like so:
Code:
RewriteEngine on
RewriteRule ^(.+)$ proxy.php?file=$1 [QSA]
Code:
<?php
// TODO: Prevent browser caching
// TODO: Make sure path is canonicalized and secure (not reaching somewhere it's not supposed to)
$file = $_GET['file'];
echo file_get_contents($file);
Now regardless of the type of file uploaded to those directories (even PHP) the files are NEVER executed by PHP or any other interpreter, etc...they are simply returned to the browser as files like intended.
My concern is...someone could upload an .htaccess file into the :
And essentially override MY .htaccess and proxy.php thus circumventing my protection mechanism and allowing them to run arbitrary code.
The solution of course, is to store the files outside the docroot and use a publicly accessible proxy (similar to what I have) however this is not acceptable in this situation and I would much prefer to simply disable any .htaccess files after this point:
I have managed to disable the .htaccess using the following:
Code:
# disable .htaccess in this path
<Directory /templates/*>
AllowOverride None
</Directory>
<Directory /documents/*>
AllowOverride None
</Directory>
I have this in my .htaccess file stored here:
The problem is...any file requests now for the files stored in 'docroot/storage/templates' or 'docroot/storage/documents' result in an
Internal Server Error or similar message...I assume because .htaccess has been disabled for requests in those directories...
EDIT | Apparently <Directory> is not applicable in .htaccess files
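As an added example (not the poster's code), here is a version of proxy.php that closes the two TODOs above: it canonicalizes the requested path with realpath(), refuses anything outside the storage directory or any dot-file such as an uploaded .htaccess, and sends no-cache and no-sniff headers so the browser neither caches nor renders the upload. It assumes the script lives in docroot/storage next to the upload folders, as in the layout described in the post.

```php
<?php
// Added example, not the original proxy.php. Assumes this file sits in
// docroot/storage and the uploads are in subdirectories below it.
declare(strict_types=1);

// Only files below this directory may ever be served.
$base = realpath(__DIR__);

$requested = $_GET['file'] ?? '';

// Reject empty names, NUL bytes and any path component that starts with a
// dot: this blocks "..", ".htaccess" and other hidden files outright.
if ($requested === '' || strpos($requested, "\0") !== false
    || preg_match('#(^|/)\.#', $requested) === 1) {
    http_response_code(404);
    exit;
}

// Canonicalize (resolves symlinks and "..") and confirm the result is still
// inside $base; the trailing separator stops "storage2/x" from passing.
$path = realpath($base . DIRECTORY_SEPARATOR . $requested);
if ($path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit;
}

// Never hand out the proxy's own source.
if ($path === realpath(__FILE__)) {
    http_response_code(404);
    exit;
}

// No caching, no content sniffing, and always a download: an uploaded
// HTML/SVG/PHP file is returned as opaque bytes, never rendered or executed.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');
header('X-Content-Type-Options: nosniff');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'
    . str_replace('"', '', basename($path)) . '"');
header('Content-Length: ' . (string) filesize($path));

readfile($path);
```

This only protects requests that actually reach proxy.php; the .htaccess override concern still has to be handled in the server config (AllowOverride None in a <Directory> block in httpd.conf or the vhost), since <Directory> cannot be used inside .htaccess.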
