

apache block photo not working




Posted by heropage, 10-29-2013, 03:59 PM
in my httpd.conf file. I use to block access to photo folder. It works fine for most users. But for some reason, some hacker is still able to access this folder. He uploaded a gif file which contains php code and executed it http://mysite/photo/123.gif and my site got hacked. I guess he uses some software to bypass apache. Also, the weird thing is: I cannot find the log in the apache access log. But I can see it in the error log, because there are some php warning errors. So 2 things: 1) how to block the photo folder completely. 2) how to prevent a gif from executing as a php file

Posted by kevincheri, 10-29-2013, 05:50 PM
Deny from all in the apache config makes sure it cannot be accessed via web browsers; other vulnerable scripts can still refer to the folder and write to it. The only way you can block it is to restrict through permissions.

Posted by heropage, 10-29-2013, 08:57 PM
so doesn't work?

Posted by Julien@Hostabulous, 10-29-2013, 09:00 PM
It works in a browser. Kevin was clear. If you want to make sure no one accesses those files, use proper permissions on the folder.

Posted by heropage, 10-29-2013, 09:07 PM
Thanks! 1 more question. How come there is no server access log when he accessed http://mysite/photo/123.gif ?

Posted by Kailash12, 10-30-2013, 01:45 AM
They may not access that file, hence no logs. Since they were able to put a malicious file in your image folder, attackers may be able to compromise your other files as well.

Posted by foobic, 10-30-2013, 02:11 AM
So you have some publicly-accessible upload script installed and "most users" are unable to see the photo they've uploaded? Or is there a preview / download option of some kind? That's the sort of thing you need to look for - or anything else that allows access to the uploaded files by scripting. As a general rule if you're not intending to allow web access to particular files it's best to place them completely outside of the web-accessible directories (/var/www/html in this case) but depending on the vulnerability even that may not help.
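
A defensive check for the situation in this thread, added here as an example and not posted by any participant: a Python script that walks an upload folder and flags files whose content does not match an image extension or that contain a PHP open tag, like the 123.gif described above. The function names, the extension list and the sample files are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# PHP open tags: "<?php", short echo "<?=", and the legacy <script language=php> form.
# Short byte patterns can occur by chance in binary image data, so treat hits as leads.
PHP_TAG = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*[\"']?php", re.I)
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

def inspect_upload(path):
    """Return a list of findings for one file; an empty list means nothing flagged."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        findings.append("unexpected-extension")  # not an image type we allow here
    elif not data.startswith(magic):
        findings.append("magic-mismatch")        # extension says image, content does not
    if PHP_TAG.search(data):
        findings.append("php-open-tag")          # a valid image header can still carry PHP
    return findings

def scan_tree(root):
    """Walk root and return {relative_path: findings} for flagged files only."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = inspect_upload(full)
            if found:
                flagged[os.path.relpath(full, root)] = found
    return flagged

def build_sample_tree(root):
    """Write constructed sample files (not real uploads) for the demo."""
    samples = {"clean.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
               "123.gif": b"GIF89a<?php echo 1; ?>",
               "notes.php": b"<?php echo 1; ?>", "fake.png": b"plain text"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, found in sorted(scan_tree(tmp).items()):
            print(rel, found)
```

A flagged file is a lead for review, not proof of compromise; the scan does not replace storing uploads outside the web-accessible directories as suggested above.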


