: Prevent script execution as TimThumb exploit workaround It's been a long time since I've done any web-development, and I never needed to administer a server myself. However, I can read manuals

It's been a long time since I've done any web-development, and I never needed to administer a server myself. However, I can read manuals with the best of them, and when someone needed advice regarding a wordpress installation vulnerable to the TimThumb exploit, I told them to add the follwing to their httpd.conf:

<Directory "/path/to/cache/directory">

# disallow changing options with a .htaccess file within the cache directory
AllowOverride None

# disable all extra features, including CGI scripting
# prevents malicious code from running
Options None

# don't let users browse cached files
# prevents the attacker from triggering script execution
Deny from all

# explicitly disable php - shouldn't be necessary, but just in case ;)
php_flag engine off

</Directory>

Was that advice sound? In particular, is this the correct choice of directives to prevent any script execution?

10.01% popularity Vote Up Vote Down

: What is the Google link equivalent in Yahoo and Bing? The link: directive in Google will find all pages which link to a given site. E.g. putting this in Google: link:stackexchange.com returns

@Si4351233

Posted in: #SearchEngines

2 Comments

: How to interpret Events from Unique Events in Google Analytics? I'm trying to add some javascript triggered Google Analytics events to a website that is already working with GA. I've included

@Si4351233

Posted in: #GoogleAnalytics #Javascript

3 Comments

: I have a number of domains redirecting to a canonical one for the church website I run. It does use virtual hosts (my hosting company's control panel sets that all up); in the DocumentRoot

@Si4351233

0 Comments

: Which CMS system for a community based site? I am a grey-haired professional programmer, quiet conversant in PHP, MySql, HTL, CSS which means I can tweak things or code plugins if need be,

@Si4351233

Posted in: #Cms #Community

2 Comments

Login to post a comment!

1 Comments

Sorted by latest first Latest Oldest Best

@XinRu657

Yes, those directives will effectively prevent script execution for any malicious scripts which may be written to that directory, however, you should definitely look at patching or removing any scripts which allow drive-by uploads to your cache directory from unauthenticated or untrusted users.

10% popularity Vote Up Vote Down

Feed

: Prevent script execution as TimThumb exploit workaround It's been a long time since I've done any web-development, and I never needed to administer a server myself. However, I can read manuals

More posts by @Si4351233

: What is the Google link equivalent in Yahoo and Bing? The link: directive in Google will find all pages which link to a given site. E.g. putting this in Google: link:stackexchange.com returns

: How to interpret Events from Unique Events in Google Analytics? I'm trying to add some javascript triggered Google Analytics events to a website that is already working with GA. I've included

: I have a number of domains redirecting to a canonical one for the church website I run. It does use virtual hosts (my hosting company's control panel sets that all up); in the DocumentRoot

: Which CMS system for a community based site? I am a grey-haired professional programmer, quiet conversant in PHP, MySql, HTL, CSS which means I can tweak things or code plugins if need be,

Login to post a comment!

1 Comments

Back to top | Use Dark Theme