We’ve recently noticed a small number of customer websites having issues with defacements and, more generally, with malicious content being added to them, and they have all had one thing in common: the way in which they were hacked. In every recent case it has come down to the site allowing users to upload content to it.
The problems with this are:
- Most scripts upload to a publicly accessible directory
- Most scripts don’t even perform basic content checks
- Most scripts allow any type of file to be read/executed from the upload directory
When we combine all three we end up with a situation where someone can upload a PHP script to your uploads directory and then trigger it from their web browser, basically giving themselves the same level of access to your account as you would have via FTP (we run PHP under each user’s own username via suPHP, so that one user’s problems can’t affect another user).
So what do we recommend?
- Keep your upload directory outside of your document root (generally public_html) if you possibly can
- Make sure your upload scripts only accept the content you want uploaded: check it against a whitelist, and if it isn’t in the whitelist, reject it. Deny everything; allow only what you require
- Make sure only content you allow can be accessed from the upload directory. You can do this with a .htaccess file; an example is shown below:
Allow only JPEG, GIF and PNG files to be accessed:
    # Deny everything by default...
    <FilesMatch ".*">
        Deny from all
    </FilesMatch>
    # ...then allow only the image extensions we need. The dot must be escaped
    # (\.) so that it matches a literal "." rather than any character.
    <FilesMatch "\.(jpe?g|gif|png)$">
        Allow from all
    </FilesMatch>
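As an added example that is not from the original post, here is a PHP upload handler that puts the whitelist advice above into practice: it stores files outside the document root under a server-generated name and checks both the extension and the actual file content against a deny-everything, allow-only-what-you-need list. The form field name "upload" and the storage path are assumptions.

```php
<?php
// Added example (not from the original post): an upload handler that follows the
// advice above. Assumptions: the form field is named "upload" and $storeDir is a
// hypothetical directory outside public_html that the web server can write to.
// Deny everything, allow only what we require: extension => expected MIME type.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
];

// Returns the whitelisted extension, or null if the upload must be rejected.
function validateUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Only the final extension counts, lower-cased: "shell.php.jpg" -> "jpg".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // Check the actual bytes, not the client-supplied $file['type'] header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Second content check: the file must parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return $ext;
}

$storeDir = '/home/example/uploads'; // hypothetical path outside the document root
$ext = validateUpload($_FILES['upload'] ?? []);
if ($ext === null) {
    http_response_code(400);
    exit('Upload rejected: only JPEG, GIF and PNG files are accepted.');
}
// Never keep the client's file name; store under a random name with our extension.
$dest = $storeDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['upload']['tmp_name'], $dest)) {
    http_response_code(500);
    exit('Could not store the upload.');
}
echo 'Upload stored.';
```

Because the stored name is generated by the server and the file sits outside the document root, a client cannot request it directly, so the web server never gets the chance to execute it.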
There are more things that can be done, but these should serve as a starter for improving your site security.