Nginx disable php upload and execution

Currently I'm running a local forum with image upload. Recently a few attackers tried to use my server as a phishing mail sender by uploading PHP-based files. I tried some nginx config but it seems not to have worked. Here is part of my nginx conf:

try_files $uri =404;

location /upload_path {
    # serve files under this path only with these MIME types
    types {
        image/gif  gif;
        image/jpeg jpeg jpg;
        image/png  png;
        text/plain txt;
    }
    default_type application/octet-stream;

    # intended to stop .php files under the upload path from being executed
    location ~ \.php$ {
        break;
    }
}



Any advice to avoid PHP file upload and execution?

Comments

  • Why not disable PHP files from being uploaded from the script/page and only allow images?

  • @nexmark said:
    Why not disable PHP files from being uploaded from the script/page and only allow images?

    I'm using this to prevent PHP file upload:

    location /upload_path {
        types {
            image/gif  gif;
            image/jpeg jpeg jpg;
            image/png  png;
            text/plain txt;
        }
        default_type application/octet-stream;

        location ~ \.php$ {
            break;
        }
    }

  • @robohost said:
    I'm using this to prevent PHP file upload:

    You should be checking in the upload.php file instead. Like if the extension isn't an image, remove the file and ban the IP.

  • @TinyTunnel_Tom said:
    You should be checking in the upload.php file instead. Like if the extension isn't an image, remove the file and ban the IP.

    I limited the file extension at upload.php, but banning the IP sounds great. Thanks for your idea.

  • @robohost said:
    I limited the file extension at upload.php, but banning the IP sounds great. Thanks for your idea.

    If you want to go full, run an IPTables drop and block all connections to that IP (or, as I do, the whole CC network).

  • SplitIce (Member, Host Rep):

    If you absolutely must allow files to be uploaded, do not store them in the web/htdocs directory. Store them below that directory and use PHP to read (readfile/file_get_contents/fopen etc) them for better security.

  • robohost (Member), edited January 2015:

    Another great idea

    @SplitIce said:
    If you absolutely must allow files to be uploaded, do not store them in the web/htdocs directory. Store them below that directory and use PHP to read (readfile/file_get_contents/fopen etc) them for better security.

    Currently I store the upload directory inside htdocs; maybe I need to start using a separate server.

  • If you're only allowing images, I would make the PHP script use something like exif_imagetype() to make sure the file is an actual image. Also, control the file name and extension. Limit the saved location and have Nginx deny access to .php files in that location.

    The advice of others here is also quite sound. The key is controlling it at the source: control who is allowed to upload and what file types they're allowed to upload.

  • Just exclude the execution of PHP file and you will be fine.
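A corrected upload-directory block, added here as an example; it is not the config from any post above. It assumes the server block also has the usual top-level "location ~ \.php$ { fastcgi_pass ...; }" handler, which is why a plain "location /upload_path" does not stop PHP running: nginx uses the prefix location only to find the longest prefix and then lets a matching top-level regex location win, so the "^~" modifier is what keeps requests under the upload path out of PHP-FPM.

```nginx
# Added example (not the OP's config): deny PHP execution under the upload
# directory. Assumes a top-level "location ~ \.php$ { fastcgi_pass ...; }"
# exists elsewhere in the server block.
#
# "^~" matters: without it the top-level regex location for .php is
# evaluated after the prefix match and wins, so /upload_path/x.php still
# reaches PHP-FPM. With "^~", nginx stops at this prefix and only consults
# the nested locations below.
location ^~ /upload_path/ {
    # Serve uploads only as the listed image types; anything else is
    # offered as a download rather than interpreted by the browser.
    types {
        image/gif  gif;
        image/jpeg jpeg jpg;
        image/png  png;
    }
    default_type application/octet-stream;

    # Stop browsers from sniffing a different type out of the body.
    # Note: add_header here replaces any add_header inherited from the
    # server level, so repeat server-level headers if you rely on them.
    add_header X-Content-Type-Options nosniff;

    # Refuse anything PHP-like. The pattern matches the extension anywhere
    # in the name, not only at the end, so double extensions are covered
    # too. Return 403 rather than "break": with no handler, "break" would
    # just serve the file's source as a static file.
    location ~* \.(php|phtml|phar)(\.|$) {
        return 403;
    }
}
```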
