Nginx disable php upload and execution
Currently I'm running a local forum with image upload. Recently a few attackers tried to use my server as a phishing mail sender by uploading PHP-based files. I tried some nginx config but it seems it did not work. Here is part of my nginx conf:
    try_files $uri =404;

    location /upload_path {
        # Only these extensions get an image/text MIME type; anything else
        # falls back to a generic download type.
        types {
            image/gif  gif;
            image/jpeg jpeg jpg;
            image/png  png;
            text/plain txt;
        }
        default_type application/octet-stream;

        # Nested match for .php under /upload_path: "break" stops rewrite
        # processing here, so the file is served as a static download instead
        # of being passed to the PHP handler (note this is not an explicit deny).
        location ~ \.php$ {
            break;
        }
    }
Any advice on how to prevent PHP file upload and execution?
Comments
Why not disable PHP files from being uploaded by the script/page and only allow images?
I'm using this to prevent PHP file upload.
You should be checking in the upload.php file instead. Like, if the extension isn't an image, remove the file and ban the IP.
I limited the file extension at upload.php, but banning the IP sounds great, thanks for your idea.
If you want to go full, run an IPTables drop and block all connections to that IP (or, as I do, the whole CC network).
If you absolutely must allow files to be uploaded, do not store them in the web/htdocs directory. Store them below that directory and use PHP to read them (readfile/file_get_contents/fopen etc.) for better security.
Another great idea
Currently I store the upload directory inside htdocs; maybe I need to start using a separate server.
If you're only allowing images, I would make the PHP script use something like exif_imagetype() to make sure the file is an actual image. Also, control the file name and extension. Limit the saved location and have Nginx deny access to .php files in that location. The advice of others here is also quite sound. The key is controlling it at the source: control who is allowed to upload and what file types they're allowed to upload.
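An added example (not code from the thread) that puts this advice together in a PHP upload handler: the image type is verified with exif_imagetype(), the stored name and extension are generated by the server, and files land in a directory outside the web root that is only ever read back through PHP. The path /srv/forum/uploads and the form field name image are assumptions.

```php
<?php
// Added example (not the thread's own code): an upload handler that follows the
// advice above. Hypothetical paths/field names: files go to /srv/forum/uploads,
// which sits OUTSIDE the web root, and the form field is $_FILES['image'].
declare(strict_types=1);

const UPLOAD_DIR = '/srv/forum/uploads'; // never served directly by nginx
const MAX_BYTES  = 2 * 1024 * 1024;

// Accepted image types; the stored extension is chosen here, never copied
// from the client-supplied file name.
const ALLOWED = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

// Returns the server-generated file name on success, null on rejection.
function store_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // exif_imagetype() checks the file's magic bytes, so a PHP script
    // renamed to .jpg is rejected no matter what extension it claims.
    $type = @exif_imagetype($file['tmp_name']);
    if ($type === false || !isset(ALLOWED[$type])) {
        return null;
    }
    // Random name: no user-controlled text ever reaches the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$type];
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)
        ? $name : null;
}

// Serving side, e.g. image.php?id=<name>: the file is read through PHP, so
// nothing in the upload directory can be executed or fetched as a raw URL.
function serve_image(string $id): void
{
    // Accept only names in the exact shape store_upload() generates.
    if (!preg_match('/^[0-9a-f]{32}\.(gif|jpg|png)$/', $id)
        || !is_file($path = UPLOAD_DIR . '/' . $id)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . image_type_to_mime_type(exif_imagetype($path)));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Call store_upload($_FILES['image']) from the upload form handler and serve_image($_GET['id']) from the image endpoint; the nginx deny on .php in the old upload path is still worth keeping as defence in depth.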
Just exclude the execution of PHP file and you will be fine.