How to block users uploading malware to your blog?

May 22, 2010

Drop the bomb

While researching ways to better protect my blog, I discovered a loophole typical of self-hosted sites on shared servers, such as GoDaddy.

The loophole concerns every PHP-based CMS (Content Management System), including WordPress, Drupal, Joomla, phpBB, etc.: many of them let users upload files. Forums allow attachments to posts, users can upload their avatar in .jpg format, some comment systems allow code to be embedded. Combine this with shared-hosting services like mine, GoDaddy, whose Apache configuration executes a file as PHP as soon as ".php" appears anywhere among its extensions (so test.php.jpg is treated like test.php, not like an image), and you have a hacker's bomb.

Here is how you can simulate a file drop hack:

  1. Create a simple text file with a simple text editor and put the following PHP code in it:

    <?php
    // Harmless probe: prints the PHP configuration of the site
    phpinfo();
    ?>

    This code does no harm. The command only displays the basic PHP variables for your site, but a hacker could put any malicious PHP code in it, including code that modifies all files on your site.

  2. Save it as test.php.jpg
  3. FTP it to the root of your site
  4. Execute it in your browser (you don't have to be logged in) as: http://www.yoursite.com/test.php.jpg
  5. If you get a "Page not Found" error, or the browser shows the file as raw data (the PHP source as text, or a broken image), you are cool: the file was served, not executed, and your hosting service protects you from this hacking method. But if you see something like this screen, the output of the PHP code you just uploaded, your host is vulnerable:
    [screenshot: phpinfo() output of the uploaded test.php.jpg]
    … and if the code were malicious, the user just dropped a hacker's bomb on your site….

Of course, a user does not have FTP access to your site (I hope!). But as long as he can upload the file, even disguised as a .jpg as in our example, and figure out where the uploaded file is stored in your site's file structure, he can execute it.
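The probe above can be scripted so that it is repeatable after every hosting or .htaccess change. The following PHP command-line script is an added example and is not part of the original post; the URL constant is an assumption to be replaced with your own site, and it assumes the test.php.jpg from step 2 is already uploaded. It distinguishes the three outcomes a host can produce: the file is executed (vulnerable), the source is served back as raw bytes (safe), or the file is not found (safe).

```php
<?php
// Added example, not from the original post: probe a site for the
// double-extension execution problem. Requires PHP 8 (str_contains).

declare(strict_types=1);

// Assumption: replace with the URL of the test file you uploaded.
const PROBE_URL = 'http://www.yoursite.com/test.php.jpg';

/**
 * Classify what the server did with test.php.jpg.
 * Returns 'executed', 'served-raw', 'not-found' or 'other'.
 */
function classify_probe(int $status, string $body): string
{
    if ($status === 404) {
        return 'not-found';      // host refuses or hides the file: fine
    }
    // Check for raw source first: the source itself contains "phpinfo()",
    // so this test must come before the "executed" test.
    if ($status === 200 && str_contains($body, '<?php')) {
        return 'served-raw';     // bytes came back unexecuted: fine
    }
    if ($status === 200 && str_contains($body, 'PHP Version')) {
        return 'executed';       // phpinfo() ran: the host is vulnerable
    }
    return 'other';              // e.g. 403, 500, or an image-only response
}

/**
 * Fetch a URL with the plain http stream wrapper and return [status, body].
 * ignore_errors keeps the body for non-2xx responses instead of failing.
 */
function probe(string $url): array
{
    $ctx  = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 10]]);
    $body = @file_get_contents($url, false, $ctx);
    $status = 0;
    // $http_response_header is populated by the http wrapper in this scope.
    if (isset($http_response_header[0])
        && preg_match('#HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, (string) $body];
}

if (PHP_SAPI === 'cli') {
    [$status, $body] = probe(PROBE_URL);
    $verdict = classify_probe($status, $body);
    echo "$status $verdict\n";
    exit($verdict === 'executed' ? 1 : 0);
}
```

Run it with `php probe.php`; a non-zero exit status means the host executed the disguised file. Remove test.php.jpg from the site once you are done testing.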

How can you protect your blog from users uploading disguised PHP files? The cause is Apache's handling of multiple extensions: a directive such as AddHandler for .php applies to any file name that contains .php as one of its extensions, not only to names that end in it. The fix below re-anchors the PHP handler to file names that end in a PHP extension. This documented vulnerability can be corrected by adding some code at the bottom of your .htaccess file in the root directory of your blog (or any PHP-based CMS). Note that the handler names (x-httpd-php5) are the ones GoDaddy used at the time; other hosts use different handler names, so check your host's documentation before copying them.

  1. As for any changes you make to any file on your site, first backup the .htaccess file, so you can roll back in case it does not work for you.
  2. Edit the .htaccess file and add the following piece of code at the bottom:

    # BEGIN drop-file hack stopper
    # Drop the host's default mapping, which matches .php anywhere in the name
    RemoveHandler application/x-httpd-php .php
    # Re-add the PHP handler only for names that END in a PHP extension
    <FilesMatch "\.(php|php5|php4|php3|phtml|phpt)$">
    SetHandler x-httpd-php5
    </FilesMatch>
    # Same for the syntax-highlighted source view
    <FilesMatch "\.phps$">
    SetHandler x-httpd-php5-source
    </FilesMatch>
    # END drop-file hack stopper

  3. Upload the modified .htaccess file to your root directory
  4. Now, assuming you still have test.php.jpg in your root directory, try executing it again with the same command: http://www.yoursite.com/test.php.jpg

If you now get a "Page not Found" error, or the browser shows the raw contents of the file (the PHP source as text, or a broken image), then you are protected: the file is served as data but no longer executed. At least for this hack, that is.

One word of caution: this was NOT the method used in the most recent massive hack affecting thousands of sites, as described in this post, but at least it closes one more door for hackers. A door which gives them unlimited access to your website.
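The .htaccess change closes the execution side of this door; the other side is the upload itself. The following PHP upload handler is an added example, not code from the original post or from any of the CMSs named above; the field name, upload directory and size limit are assumptions. It rejects client-supplied names that carry a PHP extension anywhere (the test.php.jpg trick), verifies the file bytes are really an image, and stores the file under a server-chosen name with a single whitelisted extension, so the name a user picks never reaches the disk.

```php
<?php
// Added example, not from the original post: a hardened image upload
// handler for a PHP site. Names and paths below are assumptions.

declare(strict_types=1);

// Assumption: upload directory. Best placed outside the web root, or
// inside it with PHP execution disabled for that directory.
const UPLOAD_DIR = __DIR__ . '/uploads';
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Content types we accept, keyed by the MIME type the bytes must really have,
// mapped to the single extension we will store the file under.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and return a safe destination filename.
 * Throws RuntimeException on anything that does not look like a plain image.
 */
function validate_image_upload(array $upload): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $upload['error']);
    }
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($upload['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Reject a PHP-ish extension anywhere in the client-supplied name,
    //    not only at the end: test.php.jpg is exactly the double-extension trick.
    $original = (string) $upload['name'];
    if (preg_match('/\.(php\d*|phtml|phps|phpt|phar|cgi|pl|htaccess)(\.|$)/i', $original)) {
        throw new RuntimeException('forbidden extension in filename');
    }

    // 2. Sniff the real type from the bytes. $_FILES['type'] is sent by the
    //    browser and is attacker-controlled, so it is never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($upload['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("content type $mime not allowed");
    }

    // 3. Require that the image actually decodes.
    if (@getimagesize($upload['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 4. Server-chosen random name with one whitelisted extension derived from
    //    the sniffed type; the client's name is discarded entirely.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

/** Validate and move the upload into UPLOAD_DIR; returns the stored path. */
function store_image_upload(array $upload): string
{
    $name = validate_image_upload($upload);
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return $dest;
}

// Assumption: the form field is named "avatar".
if (isset($_FILES['avatar'])) {
    try {
        $path = store_image_upload($_FILES['avatar']);
        echo 'stored as ' . htmlspecialchars(basename($path));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Content validation alone is not enough: a valid JPEG can carry PHP code in a comment segment and still decode, so the server-side rename to a single image extension and the handler fix in .htaccess are what keep such a file from ever being executed. The two controls belong together.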

Safe blogging!

Cartoon courtesy Life on the Homefront



John May 23, 2010 at 05:10

Excellent tip, thanks!!!!!!!


Ranjan May 24, 2010 at 09:04

Wow, it's a nice article written here.
Good work guys, keep it up.


Maria February 25, 2011 at 16:18

Damn! There are so many ways in nowadays that it sure is hard to keep track of them all (not that I am even trying to accomplish that…). And it is so good to see that there are guys like you trying to help in blocking those ways. Haven’t checked my sites yet, but I will start that work now.


Dan May 20, 2011 at 17:16

This is great, thanks! I tried it on one of my sites though and I got neither response. The response I got was:
The image "" cannot be displayed because it contains errors.
…so, what does that mean? Thanks!


Peter May 21, 2011 at 13:22

That indicates to me that your host or your blogging software already checks the validity of your .jpg file at the time of upload, and blocks it, if it is not a valid .jpg file. Good!


Chris Raymond August 8, 2011 at 23:11

When I add that code to the bottom of my .htaccess file, I get an internal server error and cannot load my blog at all. When I just put up the test "jpg", I was shown the source code, the PHP itself.


Peter August 10, 2011 at 20:55

Chris,
you might need to check with your hosting provider why you would not be able to run the .htaccess code.
They might also be able to tell you whether they have already put up a protection that prevents the execution of PHP code from a file without a .php extension…
In any case, as long as people cannot execute an uploaded file with hidden PHP code (which shows, but does not execute), you should be safe from that loophole.

After last year's hacking spree, loads of hosting providers have already tightened all kinds of backdoors (the hidden PHP code upload was one).

Peter


Chris Raymond August 10, 2011 at 22:48

Peter,

I was able to create an .htaccess file in both the temp and cache folders of timthumb, using the code you gave. GoDaddy walked me through restoring my blog back to August 5, before all kinds of weird stuff got inserted, including some weird config files in the wp root folders that had Cyrillic at the end. I've been logging in every few hours to see if the hacks have reappeared, but all seems okay now. So perhaps the combo of the newest timthumb and the .htaccess code worked, plus I also changed my PW to something a lot more secure.


Peter August 10, 2011 at 23:44

Make sure you also change the FTP password on your site. It seems quite a few hacks on GoDaddy happened through insecure FTP passwords (how they got hold of it is still a mystery…), so change the FTP password too. (And if you use FTP to transfer files to your site, only use SFTP, which is more secure.)
Hope this helps…

p.
