Securing a PHP file using htaccess

I am working on the task of making the PHP file upload safe and my client wants to follow the directions on the website http://www.acunetix.com/websitesecurity/upload-forms-threat.htm

We can follow all the recommendations mentioned on this site to accept the htaccess rule. They mentioned that the following should be done.

- Define a .htaccess file that will only allow access to files with allowed extensions. Do not place the .htaccess file in the same directory where the uploaded files will be stored. It should be placed in the parent directory. A typical .htaccess which allows only gif, jpg, jpeg and png files should include the following (adapt it for your own need). This will also prevent double extension attacks.

      deny from all
      <Files ~ "^\w+\.(gif|jpe?g|png)$">
          order deny,allow
          allow from all
      </Files>

- If possible, upload the files in a directory outside the server root.
- Prevent overwriting of existing files (to prevent the .htaccess overwrite attack).
- Create a list of accepted mime-types (map extensions from these mime types).
- Generate a random file name and add the previously generated extension.
- Don't rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.

So no files other than gif, jpg and png will be executed. But they don’t want htaccess to be in the folder where we upload the images, because this folder has permissions, and htaccess can be overwritten. Therefore, they report saving the file at the root level.

I want to know: if we save the file at the root level and allow only image types, how will my PHP scripts be executed? When I add this htaccess at the root level, of course my PHP scripts do not work and return a permission error. I am struggling to get this job done.

Can you help me get this working or any other effective way to do this security check. We do not want to maintain security loopholes in the system.

Any help would be appreciated.

Thanks to everyone.
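A server-side upload handler that applies the recommendations quoted above (content-type whitelist, extension derived from the detected type, random file name, no overwrite, storage outside the web root), written here as an added example and not code from the question or from the Acunetix page; the storage path /var/www/uploads-private and the form field name `image` are assumptions.

```php
<?php
// Added example: apply the upload recommendations on the server side.
// $uploadDir and the form field name 'image' are assumed for this example.
declare(strict_types=1);
// Storage directory outside the web root (assumed path): writable by PHP,
// but never mapped to a URL, so nothing in it can be requested directly.
$uploadDir = '/var/www/uploads-private';
// Whitelist: detected MIME type => extension we assign. The extension comes
// from the sniffed type, never from the client-supplied file name.
$allowed = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
function storeUpload(array $file, string $uploadDir, array $allowed): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or was not an HTTP upload');
    }
    // Sniff the real content type from the file bytes (magic numbers), ignoring
    // both $file['type'] (client-controlled) and the original file name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }
    // Random name plus whitelisted extension: no double extensions, no user input.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = $uploadDir . DIRECTORY_SEPARATOR . $name;
    // Never overwrite an existing file (the .htaccess overwrite case above).
    if (file_exists($dest)) {
        throw new RuntimeException('name collision, retry');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644); // plain data file, never executable
    return $name;
}
try {
    echo 'stored as ' . storeUpload($_FILES['image'] ?? [], $uploadDir, $allowed);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . htmlspecialchars($e->getMessage());
}
```

Because the directory is outside the web root, images are delivered by a separate read-only script that sends the stored file with its image content type. finfo only checks leading bytes, so a valid image can still carry embedded PHP; disabling the PHP engine for the storage directory, as the answer recommends, remains necessary.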

1 answer

The code can be encoded into image files, so you must disable the PHP engine for these directories:

    # mod_php5.c is the PHP 5 module identifier; on PHP 7 test for mod_php7.c,
    # on PHP 8 for mod_php.c, so that the flag is actually applied.
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>

Or, if you cannot install this in the .htaccess file, you can do this in the httpd.conf or vhost conf file:

    <VirtualHost *:80>
        # ...
        <Directory /path/to/webroot/path/to/upload/folder>
            # Apache 2.2 access syntax; on Apache 2.4 use "Require all denied"
            # here and "Require all granted" inside the <Files> block.
            deny from all
            <Files ~ "^\w+\.(gif|jpe?g|png)$">
                order deny,allow
                allow from all
            </Files>
            # Images are served as static files; PHP is never run from this directory.
            <IfModule mod_php5.c>
                php_flag engine off
            </IfModule>
        </Directory>
    </VirtualHost>

Source: https://habr.com/ru/post/1385484/