Proper CHMOD for image upload directory?

[zettageek]

Greetings All!

 

This is my first post here, so I'd like to extend a big HELLO to everyone! I look forward to learning more about PHP from all the advanced PHP developers who frequent these forums.

 

I've taken over management of a website that was recently compromised through use of a MULCI shell, as well as SQL injection. I've been working to tidy everything up, and have turned my attention to the image upload directory. Users have the ability to upload images to the website. I believe it could be possible that a user uploaded a PHP script (the MULCI shell) into the image uploads directory, and executed it their to compromise my website.

 

I talked with a Linux security analyst who recommended that I CHMOD that directory to not allow execution of PHP files. Problem is, I'm not sure what permissions should be set to achieve such action, and this is a Rackspace Cloud Site, so I do NOT have terminal access.

 

I tried setting some of my own CHMOD permissions, but it broke loading of images in the site.

 

I'm open to any suggestions.

 

Thanks.

Edited January 11, 2013 by zettageek

[zettageek]

A few clarifications:

• This site is built on top of SMARTY.
  
• Not just any users can upload images, they need an admin account first. That being said, I think they got into the admin area through SQL injection, and uploaded the shell through the exploited CMS. (I'm locking the CMS up right now.)
  
• I tried CHMODs 644 and 666 on the image upload directory. Both broke the images on the site from displaying in the browser.
  

[jcbones]

I would go with 755 unless you are assigning FTP users, then use 775 making sure the FTP user is in the proper group.

[zettageek]

Thank you, jcbones. I'll give this a try and get back to you shortly.

[requinix]

chmod won't prevent this: changing the directory doesn't matter because it's just the directory and changing files doesn't matter because they're not executed (literally speaking) (probably).

 

A few options:

 

* Assuming you're using Apache, use a .htaccess in the folder to 403 anything that isn't an image. You can then look through access logs to find any requests for a file that 403s.

<FilesMatch "\.(?!gif|jpe?g|png|other file extensions)$">
    Order allow,deny
    Deny from all
</FilesMatch>

* Or you can serve up non-images as plain text (or something else)

<FilesMatch "\.(?!gif|jpe?g|png|other file extensions)$">
    ForceType text/plain
</FilesMatch>

* Other options include fixing the upload script to as to not allow non-images to be uploaded...

[zettageek]

@jcbones The CHMOD change has been applied, and the images are loading correctly. Thanks!

 

@Gurus I like the idea of 403ing everything that isn't images, so I'll go ahead and apply your first .htaccess solution.

 

I'll let you know how this turns out...

 

Thanks again for your help, I'll report back shortly.

[Christian F.]

Another thing you should do, is have the image uploader script verify that it's actually an image. Not just checking the MIME type or the filename, but verifying the contents of the file. This can be done with the imagecreatefrom* () functions.

 

Putting the files in a folder outside of the folder root, using a PHP script to to retrieve the file contents and send it to the browser, is another method you could employ. This way it would be impossible for the attackers to have the file be executed by the web server, not to mention the fact that you wouldn't need to save it with the same name as what your users sees.

You could easily build some access controls on top of that again, to further benefit from the script.

[zettageek]

@requinix I copied the contents of your .htaccess file into NANO, and saved it as .htaccess. File contents below:

 

<FilesMatch "\.(?!gif|jpe?g|png)$">
   Order allow,deny
   Deny from all
</FilesMatch>

 

To test and see if the .htaccess file would keep PHP files from running, I wrote the following PHP script and uploaded it into the uploads directory:

 

<?php

echo 'Script works!';

?>

 

Unfortunately, my PHP script is still running in the browser, even though we've CHmodded and added the .htaccess. Have I missed something?

 

@Christian F. I'm looking at implementing something like that, though it may be difficult. The site is massive, and disorganized. It'll be a bit of a challenge, so I wanted to at least disable PHP in that exploited directory as a first step, then work through cleaning the code up.

[requinix]

Are you allowed .htaccess files at all? If you're not sure then put random nonsense in there and see if you get a 500 trying to browse anything in the folder.

[zettageek]

Are you allowed .htaccess files at all? If you're not sure then put random nonsense in there and see if you get a 500 trying to browse anything in the folder.

 

Yep, if I put a bunch of gibberish in the .htaccess and upload it, everything in that directory 500s. So basically, I need the correct .htaccess configuration for only allowing images.

 

Anyone?

 

Thanks again, ya'll are great!

[MDCode]

.htaccess is a little shady for me. But give this a try:

Order Deny,Allow
Deny from all

<FilesMatch "\.(gif|jpe?g|png)$">
Order Deny,Allow
Allow from all
</FilesMatch>

 

This should allow only access to the specified image extensions

[zettageek]

Thanks, SocialCloud! I'll give this a try today and let you know if it works.

[zettageek]

.htaccess is a little shady for me. But give this a try:

Order Deny,Allow
Deny from all

<FilesMatch "\.(gif|jpe?g|png)$">
Order Deny,Allow
Allow from all
</FilesMatch>

 

This should allow only access to the specified image extensions

 

That solution worked PERFECTLY. Thank you so much for your help. Everyone was so responsive and helpful!