jamieburchell Posted October 20, 2015 (edited)

I'm always wary of third party software recommending or requiring setting directory permissions to 777. Is it possible to deny direct access to PHP files in these directories or will it break the software?

    ./var
    ./var/templates_compiled
    ./var/plugins
    ./var/plugins/DataObjects
    ./var/plugins/recover
    ./var/cache
    ./www/images
    ./www/admin/plugins
    ./plugins

Specifically using an Apache configuration like this, which would be fine providing the PHP files are only included and not accessed directly:

    <Directory ~ /(var|www/images|www/admin/plugins|plugins)/>
        php_admin_flag engine off
        <Files *.php>
            Order Deny,Allow
            Deny from all
        </Files>
    </Directory>

We've been bitten a few times with leaky software that has enabled PHP files to be created in writeable directories and executed to install web shells. This attempts to reduce that risk by disabling PHP execution/denying PHP access directly in the browser.

Edited October 20, 2015 by jamieburchell More info
Ian Posted November 2, 2015

That could work, but might be tricky with updating. For delivery just the "www/delivery/*.php" files need to be available for the outside world. For the images you should be fine with that config, no PHP files should be in there.
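
An added example, not part of either post or of the software's own code: a Python audit for the setup discussed above. It reports which of the listed directories are world-writable and flags anything PHP-like under www/images, where the reply says no PHP should exist; the name parts in `PHP_PARTS` and the `<?php` content check are assumptions to adjust for your server.

```python
import os
import stat
import sys

# Directories the first post lists as writable (relative to the install root).
WRITABLE_DIRS = ["var", "var/templates_compiled", "var/plugins",
                 "var/plugins/DataObjects", "var/plugins/recover", "var/cache",
                 "www/images", "www/admin/plugins", "plugins"]
# Per the reply, image storage should hold no PHP at all.
NO_PHP_DIRS = ["www/images"]
# Assumption: name components a server might map to PHP; adjust to your setup.
PHP_PARTS = {"php", "php5", "php7", "phtml", "phar"}


def world_writable(root, rel_dirs=WRITABLE_DIRS):
    """Return the listed directories whose mode grants write to 'other'."""
    return [rel for rel in rel_dirs
            if os.path.isdir(os.path.join(root, rel))
            and os.stat(os.path.join(root, rel)).st_mode & stat.S_IWOTH]


def looks_like_php(path):
    """True if any dot-separated name part is PHP-like or the body has '<?php'."""
    parts = os.path.basename(path).lower().split(".")[1:]
    if PHP_PARTS.intersection(parts):
        return True
    try:
        with open(path, "rb") as fh:
            return b"<?php" in fh.read()
    except OSError:  # unreadable file or dangling symlink: nothing to inspect
        return False


def php_in_no_php_dirs(root, rel_dirs=NO_PHP_DIRS):
    """Walk directories that should be PHP-free and return offending paths."""
    found = []
    for rel in rel_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, rel)):
            for name in files:
                full = os.path.join(dirpath, name)
                if looks_like_php(full):
                    found.append(os.path.relpath(full, root))
    return sorted(found)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("world-writable:", world_writable(root))
    print("PHP-like files where none belong:", php_in_no_php_dirs(root))
```

Run it with the install root as the only argument. PHP files under var and the plugin directories are expected there, so those directories are checked for permissions only.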