I'm helping someone out with a Wordpress 3.8 install on an older Hostgator account that uses PHP 5.2.17. I'd like to make use of some plugins which require 5.3+ .
According to Hostgator docs you should be able to simply add:
# Use PHP 5.3
AddType application/x-httpd-php53 .php
to your .htaccess file and get the desired result.
However, after adding these lines to the top or bottom of /public_html/.htaccess I get prompted to download a file in my browser when trying to visit the site:
Is there something obvious that could be causing this?
It happened to me so many times.. just check you have this on your .htaccess (When your files are uploaded to Hostgator)
# Use PHP 5.3
AddType application/x-httpd-php53 .php
and be shure you have the same thing, but commented... using # on the .htaccess lines for your locakhost (because you must have already php 5.3 or later)
# Use PHP 5.3
#AddType application/x-httpd-php53 .php
This fixed me the same issue you had, but in my local.. because i can't see your http://** i don't know if that was on your local
Best regards. :)
I got more clarification on the hosting environment. It is a HostGator VPS, which the docs state you need to submit a ticket - and not edit htaccess - to upgrade PHP.
I noticed that it's possible to run a file via PHP even if its extension wasn't .php, for example file test.xyz.php.whatever.zyx can be still run with PHP even when the extension isn't .php! It just happens to have .php. in the filename, and that's enough for my Apache to run the PHP script.
I tried (as someone suggested) to put this in a .htaccess file on that folder:
php_flag engine off
But it didn't work on my machine.
The only solutions I know for now are:
Rename to known file extension, which is not run via PHP, such as .txt.
Remove all dots from the filename, thus making it extensionless.
But I'm still not sure how these solutions would work on other servers than my Windows server (with Apache).
Is there any other solutions which doesn't need the filenames to be renamed in any way?
for uploading by users I suggest that you upload a folder in a layer above the root path
in this case Only You Have Access To upload folder( In direct addressing)
and an attacker have not access to any files in this folder
Thus you disable an attacker action to run malicious file
To be completely secure, you'll need to do a couple of things:
Set your upload directory above your "public" folder, making it inaccessible from a browser. This setting is in php.ini (php config file). You'll need to restart Apache for this to take effect. On most Redhat / Fedora / CentOS web servers, this can be:
upload_tmp_dir = "/var/tmp/"
OR, on my local Windows 7 WAMP install, it is set to:
upload_tmp_dir = "c:/wamp/tmp"
Disable scripts from running on that directory (c:/wamp/tmp), in .htaccess:
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off
In your PHP script, get the uploaded file, filter it based on mimetype (not filetype extension), change the filename, and put it into a secured publicly accessible folder. In more detail:
create a whitelist of filetypes, ex: only images (jpeg, png, gif, bmp). This can be done using mime_content_type() http://php.net/manual/en/function.mime-content-type.php or the newer finfo_file() http://us3.php.net/manual/en/function.finfo-file.php
choose a new filename, often it's best to use a random MD5 hash based on the original filename + salt + timestamp.
move it to a public folder, ex: "c:/wamp/www/project_name/public/uploads"
Preferably use an MVC framework, such as Zend Framework, which includes filetype filtering.
If you do all of that, you should be secure. Obviously you'll never be 100% safe, since there are countless obscure exploits targeting PHP, MySQL, the command line, etc, particularly on older systems. On larger company webservers (what I work on), they disable everything, and selectively enable only what is required for the project. With a system such as WAMP, they enable everything, to ease local development.
Good practice for working on a professional project is to get a cloud server account with Rackspace or Amazon, and learn how to configure php.ini, and httpd.conf settings, as well as PHP security best practices. In general, do not trust the users input, expect it to be corrupt / malicious / malformed, and in the end you'll be secure.
First of all you need to understand what happens here:
test.xyz.php.whatever.zyx
Such a file on a webserver on it's own would do nothing. Only added configuration does tell Apache to execute PHP on that file.
So if you remove that added configuration, Apache won't care to find .php in there - be it at the very end or part of a stacked file-extension.
Check which handler you have set for php in your server configuration. Remove it for the upload directory. This then won't resolve any other configuration issues you might have with uploaded files, however PHP files aren't executed by PHP any longer then - which is what you want if I understood you right.
If you've got a problem to find out what this is about, you need to post your PHP configuration in your httpd.conf file and associated Apache HTTPD configuration files for your system.
The directive somebody told you for .htaccess:
php_flag engine off
does only work if you're running PHP as an apache SAPI module.
Instead of php_flag engine off you could remove the handler for PHP files using an .htaccess file for a single directory.
In the directory you are disabling PHP in, your .htaccess should include:
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5
You can likely get away with the below however, depending on which AddHandler types you have configured in your default Apache configuration, which, on windows, should be in C:\Program Files\Apache<version>\conf\httpd.conf
RemoveHandler .php
RemoveType .php
You will also need to ensure that in your main apache configuration file, that the directory containing the .htaccess file is in, is covered by a Directory statement which has AllowOverride FileInfo set. You may wish to consider AllowOverride All if you will be using .htaccess files for other purposes - see the Apache documentation for AllowOverride for an explanation of the differences.
Personally, this is the main reason I no longer upload files to the web server under any circumstances. Instead, I use S3 / Amazon SDK to move the uploaded temp file directly to a bucket on S3 with Private permissions (I use S3, any other CDN will work just as well). If the file needs to be viewed or viewed by a web client, I use a "getter" function of sorts that integrates with the SDK to get the file and display it.
There are just so many uncontrollable variables that come into play whenever you allow any kind of file upload to a web server, it can be difficult to manage permissions, filtering, and even just space. With S3 (or any other CDN), that is all very easy to manage, and all files are effectively quarantined from the server by default.
On Apache you could disable all dynamic handlers for the directory that contains the untrusted files.
SetHandler default-handler
this is not really good answer but hope useful in some special cases ...
you can use mod_rewrite in .htaccess file like this :
RewriteRule ^(.+).xyz.php.whatever.zyx$ index.php?openfile=$1 [NC,L]
and inside your index.php file :
$file = secure_this_string($_GET['openfile']);
include($file.'.xyz.php.whatever.zyx'); # or some other files
remember to see this answer for security reasons StackOverFlow
and in test.xyz.php.whatever.zyx file :
<?php echo 'hello';
now if client requests /test.xyz.php.whatever.zyx file , out put should be 'hello'
A simple regex would do the job
<?php
$a = strtolower($_FILES["file"]["name"]);
$replace = array(".php", ".phtml", ".php3", ".php4", ".php5");
$_FILES["file"]["name"] = str_replace($replace, "", $a);
?>
This works fine on any server
The following .htaccess-code could work and deny access to files containing "php":
<FilesMatch "php">
Deny from all
</FilesMatch>
I could reproduce your issue quite easily on our server. There is a way to fix this, you need to edit /etc/mime.types and comment out lines
#application/x-httpd-php phtml pht php
#application/x-httpd-php-source phps
#application/x-httpd-php3 php3
#application/x-httpd-php3-preprocessed php3p
#application/x-httpd-php4 php4
#application/x-httpd-php5 php5
These lines cause anything with .php in name to be processed.
Once you comment out the entries in mime.types, mod_php config in /etc/apache2/mods-enabled/php5.conf has this entry which correctly only processes files ENDING with .php
<FilesMatch "\.ph(p3?|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
What is REALLY SCARY is that this is a default config (Ubuntu 10.04 in our case).
EDIT
On Windows the mime.types file should be in apache_home/conf/mime.types
I'm having a problem with my customer's host.
The host has configured the server in a way that php4 and php5 co-exist.
If you want to use php4, you just have to use a .php extension for your files.
If you want to use php5, you have to use a .php5 extension.
The problem with this configuration is that I'm using a system which has a codebase of 5000+ files all having a .php extension, but using native features of php5.
Is there a way to avoid having to rename every file to a .php5 extension and having to rewrite a small part of the codebase?
That depends on your host. You can override the handler for file types with this directive put in an .htaccess file, as long as your host hasn't disallowed it:
AddHandler php5-script .php
by default apache will load php interpreter with .php extension. Somep\how php interpreter also called with this kind of extension .php.fr . How to disable this language extension?
The .fr is being interpreted as French during content negotiation by Apache. This is probably because you have Options +MultiViews and MultiviewsMatch Handlers are both set. Getting rid of either should stop .php.fr from working, but changing this may break other pages. (Assumably, you enabled both for a reason). Also, I'm not completely sure if MultiVideosMatch applies to PHP, but Options +MultiViews definitely does.
If you're trying to make sure people can't upload PHP files and have your webserver execute them, instead of just blacklisting extensions, use php_admin_flag engine off to turn off PHP in that location:
<Location /uploads>
php_admin_flag engine off
</Location>
you can setup the extensions interpreted by Apache on 2 Places.
httpd.conf
AddType application/x-httpd-php .phpx
Will load .phpx files as PHP Scripts
mime.type
application/x-httpd-php phpx
My ISP requires me to put the following in my .htaccess files:
AddType x-mapp-php5 .php
But that breaks my development machine.
I don't really understand what that directive is for, but I'm sick of commenting it out for dev, and uncommenting it whenever I need to upload a new version.
Is there some way of supporting it in dev?
You could try the <IfModule> Apache directive to distinguish your development machine from the production machine.
E.g. the following would work if you're running PHP as an Apache module, and your ISP runs it as CGI:
<IfModule !mod_php5.c>
AddType x-mapp-php5 .php
</IfModule>
You could also check for the existence of a PHP4 module.
Or you could pass a startup parameter to Apache on your development machine and check for that using <IfDefine>.
This merely tells the web server that files with the extension .php are to be handled by the PHP module.
But I would recommend asking web-server related questions on serverfault.com, where your question won't get closed (with the reason belongs on serverfault.com) and where you will receive much better answers than here.