Securing PHP application from malicious scripts

If you’ve stumbled across this post, then you’ve recently become a victim of the most famous way of uploading a malicious script to a website – PHP file uploads.

Many websites and web applications that are developed using PHP & MySQL allow users to upload files, photos and documents to the server. Normally, the upload script receives the files and moves (or writes) them to a directory (folder) with write permissions. If you are on Linux, then this would mean that your folder's CHMOD value is 0777.

The Problem
Changing the CHMOD value to 0777 practically allows anyone in the WORLD to write to your folder and is therefore not recommended. However, many times we are left with no option but to do so – depending on the server's environment.

How can this be a problem?
This allows attackers to upload a malicious PHP script to your directory, which they will then execute by accessing it. This script could either be a mass-mailing script or a malicious script to gain access to your account (or web server).

The Solution
It is said that prevention is better than cure – and therefore, it is important to prevent these scripts from being executed by the server. This can very simply be done by adding a few lines of code to your .htaccess file. If your directory is supposed to hold photo files only, then the following code is recommended to prevent scripts from being executed.

It is also important to disable directory listing on these folders.

# Disable Directory Listing
# (Options must use all signed or all unsigned keywords; "All -Indexes" mixes
# the two and is rejected by Apache's syntax check)
Options -Indexes

# Deny access to files with these extensions
# The dot is escaped so it matches a literal "."; (?i) makes the match
# case-insensitive, as Apache's own extension-to-handler matching is.
# On Apache 2.4 the two Order/Deny lines can be replaced by "Require all denied".
<FilesMatch "(?i)\.(htaccess|htpasswd|ini|php|cgi|pl|phps|sh)$">
 Order Allow,Deny
 Deny from all
</FilesMatch>

The above will add an extra layer of security to your web application.
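To see what the deny rule actually matches, and what the upload script itself should check before a file ever lands in the folder, here is an added Python example (not code from the original post). It models FilesMatch with Python's re module on the assumption that this simple pattern behaves the same under Apache's PCRE, compares the post's pattern with a version that escapes the dot and matches case-insensitively, and adds an application-side allow-list for a photo directory (PHOTO_EXTENSIONS is a constructed list) that renames every accepted upload to a random name, so the client-supplied filename, and anything hidden in it, never reaches the disk:

```python
import re
import secrets
from typing import Dict, Iterable, Optional
from pathlib import PurePosixPath

# Added example, not code from the original post. The .htaccess rule is
# modelled with Python's re module (assumption: this simple pattern behaves
# the same under Apache's PCRE-based FilesMatch).

# Pattern as written in the post: the unescaped "." matches ANY character.
PATTERN_UNESCAPED = r".(htaccess|htpasswd|ini|php|cgi|pl|phps|sh)$"
# Corrected pattern: literal dot, case-insensitive so shell.PHP is denied too.
PATTERN_FIXED = r"(?i)\.(htaccess|htpasswd|ini|php|cgi|pl|phps|sh)$"

# Constructed allow-list: what a photo-only upload directory should hold.
PHOTO_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}


def denied_by_rule(filename: str, pattern: str = PATTERN_FIXED) -> bool:
    """True if a FilesMatch block using `pattern` would deny this filename."""
    return re.search(pattern, filename) is not None


def rule_report(filenames: Iterable[str], pattern: str) -> Dict[str, bool]:
    """Map each filename to whether the rule denies it, for side-by-side review."""
    return {name: denied_by_rule(name, pattern) for name in filenames}


def safe_photo_filename(original_name: str) -> Optional[str]:
    """Allow-list check for an uploaded photo.

    Returns a fresh random filename carrying only the normalised extension,
    or None when the upload must be rejected. Because the client's name is
    never reused, directory components and double extensions such as
    shell.php.jpg (which the deny rule above does not match, since it only
    looks at the final extension) are simply discarded.
    """
    basename = PurePosixPath(original_name).name        # drop any path parts
    suffix = PurePosixPath(basename).suffix.lower().lstrip(".")
    if not suffix or suffix not in PHOTO_EXTENSIONS:    # ".htaccess" has no suffix
        return None
    return f"{secrets.token_hex(16)}.{suffix}"


if __name__ == "__main__":
    samples = ["photo.jpg", "shell.php", "shell.PHP", "xphp", ".htaccess",
               "shell.php.jpg"]
    print("post's pattern :", rule_report(samples, PATTERN_UNESCAPED))
    print("fixed pattern  :", rule_report(samples, PATTERN_FIXED))
    for name in samples:
        print(f"{name:15} -> {safe_photo_filename(name)}")
```

The two reports show why the escaping matters: the post's pattern denies a harmless name like "xphp" (any character before "php") while letting "shell.PHP" through, and the fixed one does the reverse. The allow-list is the layer that the .htaccess rule cannot provide on its own; together they cover both the server-side execution and the intake of the file.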

How to tar a file using SSH?

Use the following command if you want to create a tar and compress a file (or folder).

tar -czf /path/to/save/file.tar folder_or_file_name

The options used in the above command are outlined below for your understanding.

-c = create a new archive
-z = compress the archive with gzip
-f = write to the named file instead of the default tape device

SSH ls pagewise or limit long output

If your SSH ls command output is really long and cannot be viewed on one screen, you can pipe it through the more command to view it one screenful at a time, pressing a key to continue down the list.

ls [options here] | more

Example:-

ls -l | more

My 22nd Birthday

I was born around this time around 22 years ago.

Thank you to everybody for your thoughtful birthday wishes via phone call, text message, email and facebook!