Restricting access to images directory

hackrepair

hackrepair

Banned
Mar 17, 2010
75
0
0
San Diego
hackrepair.com
Hi folks,
Just stumped on this one and wondering if we have any mod rewrite or .htaccess editing experts out there.

My goal is to have one entry in the .htaccess file which prevents scripts from executing (to keep the hackers out).

Placing a .htaccess file with the restrictions in each directory is easy to do, but my goal here is to do it account wide.

I tried the below but just can't seem to get it working. Any ideas anyone?

<DirectoryMatch "^.+/images">
AllowOverride None
Addhandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh
php_admin_flag engine off
</Directory>

This is supposed to ensure all directories within account directories named /images will turn scripts into text so they wont' execute.

I suppose you can do the same with mod redirect but the thought gives me a headache...

Ideas?

Many thanks,
Jim
 


Just -x (remove executable permissions) for any directory with upload privileges and problem solved. (ie: something like chmod 644) [ this does ultimately depend of course how PHP is executed]

Setting everything to a plain/text mime type may confuse some browsers, and may not process static files or images properly.
 
TylerL said:
Add a file to the directory/directories called ".htaccess", the contents of that file being:

Code: 
# fuck off leech
deny from all
Click to expand...

LoL, course you realize that'll break static serving to visitors of the site if they can't download the .css/.js/.png/.jpg so on.

Btw if we're talking bout the images folder, like on typical website, chmod 444 (no write, no exec, read-only)
 
Btw... (my regex is rusty but this is the general ideal)

Code: 
RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^/images/.(pl|cgi|php|asp|jsp|sh)$ [NC]
RewriteRule .* - [F,L]

... something like that I guess.
 
kblessinggr said:
Btw... (my regex is rusty but this is the general ideal)

Code: 
RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^/images/.(pl|cgi|php|asp|jsp|sh)$ [NC]
RewriteRule .* - [F,L]
... something like that I guess.
Click to expand...

Hi folks,
So far only the above reply has been close in answering my original question.

Yes, I could put a .htaccess file that will do the trick fine into every of my 1000 images directories- that's not very efficient.

The goal is to have one .htaccess file in public_html, such that if a hacker uploads a PHP script there (for example), it cannot run in that directory or any of the other images directories on the site.

Anyone else have an idea on this?

Many thanks,
Jim
 
hackrepair said:
Yes, I could put a .htaccess file that will do the trick fine into every of my 1000 images directories- that's not very efficient.
Click to expand...

Course one could also just modify the httpd.conf :P

hackrepair said:
The goal is to have one .htaccess file in public_html, such that if a hacker uploads a PHP script there (for example), it cannot run in that directory or any of the other images directories on the site.
Click to expand...

When the last time you see someone make /images/ their upload directory?

hackrepair said:
Anyone else have an idea on this?

Many thanks,
Jim
Click to expand...

If the latest reply is closest, then just modify the front of the regex so that it matches any paths ending in /images/

But personally I think you're going bout the protection wrong, since the only reason you should be worried about */images is if you regularly upload to them, but if the folder isn't any different than say /public_html , then whats to stop someone from just inserting a script in a place you haven't "protected" , in which case it makes more sense to make sure that your file_folder permissions are correct, and you've taken the proper precautions in setting up something like SuExec.
 
So you are wanting to guard against people uploading things other than images, or they are allowed to upload any kind of file?

If you only want people to upload images, then it would make more sense to do the validation in the upload script, not after the fact. Check for valid image mime type and scan for certain character sequences that might be embedded in them.
 
jryan21 said:
So you are wanting to guard against people uploading things other than images, or they are allowed to upload any kind of file?

If you only want people to upload images, then it would make more sense to do the validation in the upload script, not after the fact. Check for valid image mime type and scan for certain character sequences that might be embedded in them.
Click to expand...

Yes, goal is to guard against someone uploading something other than images into the /images directories.

Situation is that some scripts like Joomla, zencart, et al, are sometimes hacked due to client installing exploitable modules, etc., so the goal is to come up with a general means to prevent execution of scripts in directories whose permissions are sometimes set loosly (like 777).

Thanks for the comment. Getting closer.

Best Wishes,
Jim
 
kblessinggr said:
But personally I think you're going bout the protection wrong, since the only reason you should be worried about */images is if you regularly upload to them, but if the folder isn't any different than say /public_html , then whats to stop someone from just inserting a script in a place you haven't "protected" , in which case it makes more sense to make sure that your file_folder permissions are correct, and you've taken the proper precautions in setting up something like SuExec.
Click to expand...

I haven't explained my reason why very clearly. Sorry about that.
Situation is that this project is for people who are on shared non-suPHP servers, who are required to set their images directories (for example) to 777. I have no control over this since I'm not the web designer or manager of the web sites I work with.

People come to me to help them do forensic review of their hacked sites, recommend ways to improve security and get them back in business. I'm encountering quite a few poorly secured web hosting companies nowadays and am looking for an .htaccess option that will prevent execution of scripts in particular directories no matter how stupid the customer is in the future (after I leave their employ).

Making more sense now I hope.

Thanks,
Jim
 
hackrepair said:
Any specifics or example I can work with?
I"m not much of a regex expert (gives me a headache thinking about it).

Thanks,
Jim
Click to expand...

Well ^ denotes the beginning of the pattern, so in this case /images just after the hostname. If we were to remove ^ so that its just images/.(extensions|here)$ , we'd still have $ on the end, denoting that the portion shows up at the end of the pattern. If I am correct then that would mean that you could have a folder how-ever many deep as long as it was something like ....../images/file.php , it would trigger.

Though I am with jryan21 to least make sure the upload script validates the content. Also even on shared hosting permissions can be set, especially if its a cpanel type of hosting where the account holder owns those folders.

If any of your users have FTP access to "their" site, then this whole bit is pointless as they can just upload a .php or such where ever they'd like (I wouldn't worry much bout perl scripts and .sh on a shared host, most of the time you never have permission to run those outside of a /cgi-bin/ folder)
 
kblessinggr said:
Though I am with jryan21 to least make sure the upload script validates the content. Also even on shared hosting permissions can be set, especially if its a cpanel type of hosting where the account holder owns those folders.

If any of your users have FTP access to "their" site, then this whole bit is pointless as they can just upload a .php or such where ever they'd like (I wouldn't worry much bout perl scripts and .sh on a shared host, most of the time you never have permission to run those outside of a /cgi-bin/ folder)
Click to expand...

No upload script is used.
This is all about exploited sites and prevention. Many scripts out there like Joomla, zencart, wordpress allow for adding components outside the default settings. This is where sites are often hacked. Clients install these and often set very loose file or directory permissions, which can then be exploited by hackers.

So the goal here is prevent execution in directories which do not require execution (like /images, and others) in hopes it will limit what a potential hacker can do.

Thanks,
Jim
 
kblessinggr said:
Well ^ denotes the beginning of the pattern, so in this case /images just after the hostname. If we were to remove ^ so that its just images/.(extensions|here)$ , we'd still have $ on the end, denoting that the portion shows up at the end of the pattern. If I am correct then that would mean that you could have a folder how-ever many deep as long as it was something like ....../images/file.php , it would trigger.
Click to expand...

Given these notes, could you possibly rewrite this so I can test here?

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^/images/.(pl|cgi|php|asp|jsp|sh)$ [NC]
RewriteRule .* - [F,L]
 
You must log in or register to reply here.
Top Bottom