
test.php.jpg should not execute PHP but does!

grumpydev

New Pleskian
Can someone please explain to me WHY this would execute on a PLESK configured domain?! This seems like a massive security issue.
 
If you have not customized the domain's virtual hosting templates, you can perform the following workaround:

mkdir -p /usr/local/psa/admin/conf/templates/custom/service

cp /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/

then create files with the following content:

cat /usr/local/psa/admin/conf/templates/custom/service/php.php
<IfModule <?php echo $VAR->server->webserver->apache->php4ModuleName ?>>
<Files ~ (\.php$)>
<?php
if ($OPT['enabled']) {
echo "php_admin_flag engine on\n";

if (isset($OPT['settings'])) {
echo $OPT['settings'];
}

} else {
echo "php_admin_flag engine off\n";
}
?>
</Files>
</IfModule>

<IfModule mod_php5.c>
<Files ~ (\.php$)>
<?php
if (array_key_exists('enabled', $OPT) && $OPT['enabled']) {
echo "php_admin_flag engine on\n";

if (isset($OPT['settings'])) {
echo $OPT['settings'];
}

} else {
echo "php_admin_flag engine off\n";
}
?>
</Files>
</IfModule>

cat /usr/local/psa/admin/conf/templates/custom/service/php_over_cgi.php
<Files ~ (\.php$)>
SetHandler None
AddHandler php-script .php
Options +ExecCGI
allow from all
</Files>

cat /usr/local/psa/admin/conf/templates/custom/service/php_over_fastcgi.php
<IfModule mod_fcgid.c>
<Files ~ (\.php$)>
SetHandler fcgid-script
FCGIWrapper <?php echo $VAR->server->webserver->apache->phpCgiBin ?> .php
Options +ExecCGI
allow from all
</Files>
</IfModule>
 
Anyway, if you allow file uploads in your web application, you have to check the MIME type of the uploaded files and disable execution for special folders like /image, for example.
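As an added example (not from this thread and not Plesk's own tooling), a small POSIX shell audit that flags PHP handler patterns in a generated vhost config that lack the `$` end anchor and therefore also match names like test.php.jpg, plus a request-time check against a domain you administer; the config path and the marker-file approach are assumptions.

```sh
#!/bin/sh
# Added example; not from the thread and not Plesk's own code.
# Audits an Apache vhost config for PHP handler patterns that would also match
# double extensions such as test.php.jpg, and checks a domain you administer for
# the same behaviour at request time.
# Assumption: Plesk writes the generated per-domain Apache config to
# /var/www/vhosts/system/<domain>/conf/httpd.conf (path taken as an assumption).

# List every <Files ~ ...> / <FilesMatch ...> pattern in $1 that mentions php
# but carries no '$' end anchor. Such a pattern matches "test.php.jpg" too,
# because "\.php" occurs in the middle of that name.
list_unanchored_php_patterns() {
    grep -iE '<(Files[[:space:]]*~|FilesMatch)[[:space:]]' "$1" \
      | grep -i 'php' \
      | sed -E 's/^[[:space:]]*<(Files[[:space:]]*~|FilesMatch)[[:space:]]*//; s/>[[:space:]]*$//' \
      | grep -v '\$'
}

# Exit 0 when every php pattern in the config is anchored, 1 when at least one
# is not, 2 when the file cannot be read.
php_patterns_anchored() {
    [ -r "$1" ] || return 2
    if list_unanchored_php_patterns "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Request-time check for a domain you administer: upload a harmless marker file
# named test.php.jpg containing  <?php echo "PHP_RAN";  to the docroot, then call
# this with the site URL. Exit 0 = the source came back verbatim (PHP did not run),
# 1 = the marker is gone, so the file was executed, 2 = the request failed.
double_extension_served_raw() {
    body=$(curl -fsS "$1/test.php.jpg") || return 2
    case "$body" in
        *'<?php'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Usage: sh audit_php_patterns.sh /var/www/vhosts/system/<domain>/conf/httpd.conf
if [ $# -ge 1 ]; then
    if php_patterns_anchored "$1"; then
        echo "OK: all php handler patterns in $1 are anchored with \$"
    else
        echo "WARNING: unanchored php patterns in $1:"
        list_unanchored_php_patterns "$1"
    fi
fi
```

Run the audit again after re-saving the domain's hosting settings, since Plesk only regenerates the config at that point.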
 
Thanks for the quick response to this. Do these changes take effect immediately after a restart? How do I make sure these changes get applied?

Thanks again!
 
After creating the files you have to update the domain's hosting configuration, for example change the PHP handler or switch Perl support on/off and save the changes.
 
Anyway, if you allow file uploads in your web application, you have to check the MIME type of the uploaded files and disable execution for special folders like /image, for example.

I strongly agree with this statement. Unfortunately, we do not perform code reviews of all sites that are hosted by us, thus having this functionality by default seems really scary.

Thanks again!
 