Program upload prevention through Server Configuration


Server Configuration Prevents Program Upload Vulnerability

[Article author: Sun Li, link: Http://www.cnblogs.com/sunli/, updated on: ]
    1. Cause
      One morning on a day off, a Discuz forum suddenly had a malicious IFRAME injected at the top of every page. The first task was to find where the injection was coming from. Analysis turned up a very dangerous PHP webshell in the server's attachments directory, a file through which a great deal of damage could be done to the server.
    2. Search for vulnerabilities
      Once the problem appeared it had to be solved, and solving it meant finding where it came from. Unfortunately there were several possibilities: had the server itself been compromised? Had a departing employee left the file behind? Was there an upload vulnerability in the program?
      A direct intrusion into the server seemed unlikely, since the existing security protection should be adequate. A departing employee or an upload vulnerability were both possible. Upload vulnerabilities are hard to detect, and it is often hard to know where in a program the vulnerability lies.

    3. Solution
    Back when ASP was popular, Dvbbs had an upload vulnerability that hurt many small and medium-sized forums in China. When I tested it, I could easily upload an ASP webshell and reach any corner of the server. To guard against this, I removed the script execution permission on the upload directory in IIS, so that even if a webshell was uploaded it was only served as a plain text file and posed no threat to the server.
    Why was the same not done on the PHP server running Linux? Negligence? I think it may have to do with the division of labor between developers and operations staff.
    Since the forum currently runs on nginx, I will describe how to prevent this kind of vulnerability in the nginx configuration.

    # Place these before the generic "location ~ \.php$" block: nginx tests regex
    # locations in order. With no fastcgi_pass here, the file is served as static content.
    location ~ /attachments/.*\.php$ {
        root /data/httpd/htdocs;
    }
    location ~ /customavatars/.*\.php$ {
        root /data/httpd/htdocs;
    }

    Add the lines above before the PHP-parsing location block, so that requests for .php files under the attachments and customavatars directories never pass through FastCGI. As a result, the PHP source is returned directly as a file and is never interpreted. If you use the single-entry mode of a PHP MVC framework, you only need to allow interpretation of index.php.
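The following is a fuller server block, added here as an example rather than taken from the original post, showing where the upload-directory locations sit relative to the generic PHP handler (nginx matches regex locations in order, so they must come first). It goes one step beyond the post by rejecting the request with 403 instead of serving the file as text, and by adding try_files to the PHP handler; the host name, document root and PHP-FPM address are assumed values.

```nginx
# Added example (not from the original post). Assumed values: document root
# /data/httpd/htdocs, PHP-FPM listening on 127.0.0.1:9000.
server {
    listen 80;
    server_name forum.example.com;
    root /data/httpd/htdocs;
    index index.php index.html;

    # Regex locations are tested in the order they appear, so the upload
    # directories must come BEFORE the generic \.php$ handler below.
    # Refusing the request (403) is preferable to serving the file as
    # static text, which would still disclose whatever was uploaded.
    # ~* makes the match case-insensitive, so Shell.PHP is caught as well.
    # The extension list should cover everything the generic handler
    # below would hand to FastCGI.
    location ~* ^/(attachments|customavatars)/.*\.(php|phtml)$ {
        deny all;
    }

    # The original post's variant, kept for comparison: a regex location
    # with no fastcgi_pass, so the file is delivered as static content.
    # location ~ ^/attachments/.*\.php$ { root /data/httpd/htdocs; }

    # Generic PHP handler: only reached for .php outside the upload dirs.
    location ~ \.php$ {
        # Reject requests whose script file does not exist on disk; this
        # also stops /attachments/pic.jpg/x.php path-info tricks from
        # reaching PHP-FPM when cgi.fix_pathinfo is enabled.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Everything else (images, non-script attachments) is served statically.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, a request such as GET /attachments/test.php should return 403 rather than a PHP-generated page or the file's contents.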

    Similarly, if you use JSP, there is usually a front-end proxy such as Apache or nginx that separates static files from dynamic JSP requests, and you can have it treat every request under the upload directory as a static file. If you use ASP.NET or ASP, you can remove the script permission on the specified directory in IIS.

    4. Remarks

Sometimes the server configuration maintained by operations staff can compensate for program vulnerabilities. On a large website, uploaded content is stored separately from the web server, which effectively avoids upload vulnerabilities. The principle is the same as described above: the upload directory must never grant visitors permission to execute dynamic scripts.
