steve miller wrote:
Thanks Dave.
The one gallery I was interested in was coppermine, which requires 777
on certain directories that by design already contain some php files and
other misc stuff. Since I may not have the skill to re-write some of
these applications, is it possible to add some stuff to an htaccess file
to stop new uploads of certain types? I have seen suggestions like:
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe|php)$">
deny from all
</FilesMatch>
You can't use something like that to stop the files being uploaded, as
Apache doesn't see the files; the file being uploaded is just a stream
of data that's posted to whatever script is going to handle the upload.
Using something to deny access to any files in the image directories
except images /might/ help to prevent an attacker from getting evil
scripts to execute after they've been uploaded, but the correct solution
is to ensure that the gallery software will not allow malicious stuff to
be uploaded in the first place.
Will untrusted users be able to upload stuff, or will uploading be
limited to trusted users only? If trusted users only, then, as long as
the software has no silly holes in it, you should be relatively safe.
Cheers
Dave P
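
The reply's point that the filtering has to happen in the script that handles the upload, as an added PHP sketch. It is not Coppermine's code and not part of the original messages; the function names and the sample uploads are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration: not Coppermine code; all names are hypothetical.

// Leading bytes of the only formats accepted, keyed by the extension
// the server will assign to the stored file.
const IMAGE_SIGNATURES = [
    'jpg' => ["\xFF\xD8\xFF"],
    'png' => ["\x89PNG\r\n\x1A\n"],
    'gif' => ['GIF87a', 'GIF89a'],
];

// Return the extension matching the file's leading bytes, or null.
function detect_image_type(string $bytes): ?string
{
    foreach (IMAGE_SIGNATURES as $ext => $signatures) {
        foreach ($signatures as $sig) {
            if (strncmp($bytes, $sig, strlen($sig)) === 0) {
                return $ext;
            }
        }
    }
    return null;
}

// Return the on-disk name for an upload, or null to reject it. The client's
// file name is only compared against the content; it is never used on disk.
function safe_upload_name(string $clientName, string $bytes): ?string
{
    $ext = detect_image_type($bytes);
    $claimed = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $claimed = $claimed === 'jpeg' ? 'jpg' : $claimed;
    if ($ext === null || $claimed !== $ext) {
        return null; // not an accepted image, or name and content disagree
    }
    return bin2hex(random_bytes(16)) . '.' . $ext; // server-chosen name
}

// Constructed sample uploads: client file name => file content.
$samples = [
    'holiday.JPG'   => "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16),
    'shell.php'     => '<?php /* constructed */',
    'shell.php.gif' => '<?php /* constructed */',
    'avatar.php'    => 'GIF89a<?php /* constructed */',
];
foreach ($samples as $name => $bytes) {
    $stored = safe_upload_name($name, $bytes);
    printf("%-14s %s\n", $name, $stored ?? 'REJECTED');
}
```

A file that starts with a valid image header and is named to match still passes this check, so a rule that stops the upload directory from serving anything except images remains a useful second layer.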
____ The WDVL Discussion List from WDVL.COM ____