Block script execution from /images directories

#1 Sun, 03/06/2011 - 15:15

We recently had a PHP insertion exploit where someone managed to exploit some vulnerability and insert trojan scripts in some /images folders on the server where no one would ever think to look. I managed to clean up the server, with help from good folks here. Fortunately no damage was done; they were just doing black hat SEO...

But now I'm thinking of tightening up the security:

Is there a way to block execution of scripts from image directories? Ideally I would do this once in the core httpd.conf area so that it worked for all virtual servers running on the box.

Sun, 03/06/2011 - 15:36

PHP makes those sorts of things a bit tricky :-)

I don't know of a good way to do it globally, though you may be able to add certain configuration blocks for each Virtual Server.

There are some ideas on how to do this on Google if you search for "disable script execution for directory".

One option is to use a line such as "AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi .js" for your images directory.
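
One way to apply the restriction asked about above from the main server configuration, as an added example that is not part of the original posts. It assumes Apache 2.4 syntax (`Require all denied`), image directories literally named `images`, and PHP loaded as an Apache module where the `IfModule` blocks apply; the extension list is the one from the reply plus `.phar`.

```apache
# Added example, not from the thread. Place in httpd.conf (or a file it
# includes) outside any <VirtualHost>, so every virtual server inherits it
# unless a virtual host's own configuration overrides these settings.

# Matches any filesystem directory named "images" and everything below it.
<DirectoryMatch "/images(/|$)">
    # No CGI execution and no server-side includes from these directories.
    Options -ExecCGI -Includes

    # Drop extension-to-handler mappings set elsewhere with AddHandler.
    RemoveHandler .php .php3 .phtml .phtm .pl .py .cgi .shtml

    # Refuse requests for files carrying a script extension anywhere in the
    # name (also covers double extensions such as name.php.jpg). Unlike
    # serving them as text/plain, this does not hand the script source to
    # whoever requests it.
    <FilesMatch "(?i)\.(php\d?|phtml?|phar|pl|py|cgi|shtml)(\.|$)">
        Require all denied
    </FilesMatch>

    # With PHP loaded as an Apache module, switch the engine off for these
    # paths. The module file name depends on the PHP major version; blocks
    # for modules that are not loaded are simply skipped.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
</DirectoryMatch>
```

Run `apachectl configtest` before reloading, then request a harmless test file with a `.php` name from an images directory and confirm the server answers 403 rather than executing it.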