[NOT i-MSCP RELATED] apache 2.4 LocationMatch

  • Debian 8.6
    PHP FCGID
    IMSCP 1.3.8


    Currently we have many attacks on WordPress installations ...
    so I would like to disable PHP exec for the wp-upload folder and Joomla images folder.
    Does it work w/ apache 2.4 in this way?

  • No ;)


    First of all, the php_value directive is not the right directive here. The right directive would be php_flag.... See http://kvz.io/blog/2007/07/11/…value-php-admin-flag-etc/ or the official PHP documentation if you want to learn more.


    Anyway, those directives inside a vhost file or .htaccess file are only applicable when you use PHP as an Apache2 module, for instance, with the apache_itk i-MSCP httpd server implementation. That's not your case as far as I can remember.


    Please, remind me the i-MSCP httpd server implementation that you use and I'll provide you with a correct solution.


    Edit: See my next answer.


  • @fulltilt


    Ok, according to your first post, you use the apache_fcgid i-MSCP server implementation. The solution for you is to add the following content into the /etc/apache2/imscp/<domain>.conf file and, once done, restart apache2: service apache2 restart


    Code
    <LocationMatch "/wp-content/uploads">
        RemoveHandler .php .php3 .php4 .php5 .php7 .pht .phtml
    </LocationMatch>
    <LocationMatch "/images">
        RemoveHandler .php .php3 .php4 .php5 .php7 .pht .phtml
    </LocationMatch>

    Note that changes made in the /etc/apache2/imscp/<domain>.conf file are persistent (they are never reset by i-MSCP on update or reconfiguration).


  • You're welcome.


  • @Nuxwin
    Is it possible to allow one specific PHP file w/ this rule?


    Code
    <LocationMatch "/images">
        RemoveHandler .php .php3 .php4 .php5 .php7 .pht .phtml
    </LocationMatch>

    f.ex. a customer has a watermark.php inside the /images folder

  • @fulltilt


    What if the watermark.php script is being overridden (replaced) by a hacker?


  • @fulltilt



    Replace:

    Code
    <LocationMatch "^/images">
        RemoveHandler .php .php3 .php4 .php5 .php7 .pht .phtml
    </LocationMatch>

    by

    Code
    <LocationMatch "^/images/(?!watermark\.php$)">
        RemoveHandler .php .php3 .php4 .php5 .php7 .pht .phtml
    </LocationMatch>


    Don't forget to reload apache2 service.


  • @fulltilt


    A better solution in my eyes is:


    Code
    <LocationMatch "^/images/(?!watermark\.php$).*\.ph(?:p[3457]?|t|tml)">
        Options None
        AllowOverride None
        Deny from all
    </LocationMatch>


    Here, we don't remove the PHP handler. We simply deny access (hence, execution) to any PHP script other than /images/watermark.php, showing end-users an appropriate 403 error page instead of the PLAIN PHP script (source). Note that I assume here that the watermark.php script doesn't make use of PATH_INFO (e.g. a URL such as /images/watermark.php/<pathinfo>)

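To see which request paths the LocationMatch regex from the last post actually catches, including the PATH_INFO case it mentions, here is an added Python example (not from the thread or i-MSCP) that evaluates the same pattern with Python's re module, which shares the lookahead syntax of Apache's PCRE; the sample paths and the PATH_INFO-tolerant variant are my own constructions.

```python
import re

# The exact pattern from the last post: deny every PHP-like script under
# /images except /images/watermark.php itself.
DENY_PATTERN = re.compile(r"^/images/(?!watermark\.php$).*\.ph(?:p[3457]?|t|tml)")

# Assumed variant (not from the thread): the lookahead also accepts a "/" after
# watermark.php, so the script may still be called with PATH_INFO appended.
DENY_PATTERN_PATHINFO_OK = re.compile(
    r"^/images/(?!watermark\.php(?:/|$)).*\.ph(?:p[3457]?|t|tml)"
)


def is_denied(url_path: str, pattern=DENY_PATTERN) -> bool:
    """True if the <LocationMatch> block (and its 403) would apply to this path.

    LocationMatch is unanchored like re.search and sees the URL path only,
    without the query string, which is what this helper expects as input.
    """
    return pattern.search(url_path) is not None


def classify(paths, pattern=DENY_PATTERN):
    """Map each sample path to 'denied' or 'allowed' under the given pattern."""
    return {p: ("denied" if is_denied(p, pattern) else "allowed") for p in paths}


# Constructed sample request paths covering the cases discussed in the thread.
SAMPLE_PATHS = [
    "/images/watermark.php",        # the one script meant to keep running
    "/images/shell.php",            # dropped script in the upload dir: denied
    "/images/2016/evil.phtml",      # nested path, alternate extension: denied
    "/images/watermark.php5",       # near-miss name, lookahead needs end-of-string: denied
    "/images/logo.png",             # plain static file: allowed
    "/images/watermark.php/extra",  # PATH_INFO form: denied by the post's pattern
    "/wp-content/uploads/x.php",    # outside /images: this block does not apply
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:7} {path}")
```

On Apache 2.4, `Deny from all` only works while mod_access_compat is loaded; `Require all denied` is the native 2.4 form of the same rule.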