Protect DLE script from running third-party scripts
Dear friends,
In this small article, we would like to talk about how you can improve your site security. As we know the greatest threat to website are encapsulated by an attacker on server PHP shell.
In this small article, we would like to talk about how you can improve your site security. As we know the greatest threat to website are encapsulated by an attacker on server PHP shell.
What is it? This is a PHP script that can run on your server, respectively, to make any changes to the files writable, or can do many things. For example: read contents of configuration files and thus obtain direct access to the database. How can shell get onyour server? There are many ways: vulnerability in DLE script or third party modules, other vulnerable party scripts on server or server software...
Main feature cannot put shell files in any folder on server. So it can do that in writeable folders on server, and in DataLife Engine, there folders are /uploads/ and /templates/, as well as all sub-folders in them. These folders should be writable, because you can upload in them through a script legal content, files, pictures, edit in Admin paneltemplates, and more. So, attacker can put and run shell scripts in these folders, from there, it can access to Datalife Engine and others script on your host. Can I protect these folders without deny access to these folders? It is possible, and not hard enough.
So, you need to put in folders /uploads/ and /templates/ file .htaccess file with the following contents:
Main feature cannot put shell files in any folder on server. So it can do that in writeable folders on server, and in DataLife Engine, there folders are /uploads/ and /templates/, as well as all sub-folders in them. These folders should be writable, because you can upload in them through a script legal content, files, pictures, edit in Admin paneltemplates, and more. So, attacker can put and run shell scripts in these folders, from there, it can access to Datalife Engine and others script on your host. Can I protect these folders without deny access to these folders? It is possible, and not hard enough.
So, you need to put in folders /uploads/ and /templates/ file .htaccess file with the following contents:
php_flag engine offThis line disables the PHP interpreter when trying to access PHP files located in these folders, as well as in all subfolders. Therefore, even in the case of filling in these folders are files with malicious PHP code, they become utterly useless to attacker, cannot run and executed by the server.Unfortunately, not all hosting providers allow you to manage this option through .htaccess file, but we has anoter solution, so if your server is not working above method, then place in these folders .htaccess file with content:
<FilesMatch "\.(php|php3|php4|php5|php6|phtml|phps)$|^$">This code prohibits the direct access to PHP files in those folders.That's all, these simple manipulation will increase the security of your site, even if there is a serious vulnerability in a third-party modules and scripts.
Order allow,deny
Deny from all
</FilesMatch>
you only need this for 9.0 and older because 9.2 and newer has this already...
ReplyDelete