Title: Fix for uploads directory code execution doesn't work
Last modified: August 30, 2016

---

# Fix for uploads directory code execution doesn't work

 *  [David Santucci](https://wordpress.org/support/users/dsantucci/)
 * (@dsantucci)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/fix-for-uploads-directory-code-execution-doesnt-work/)
 * Overall this is a great plugin, but I have one small criticism: your recommended
   fix to prevent code execution for uploaded files won’t work under common default
   Apache/PHP configurations.
 * Your recommended fix allows requests only for files ending with certain whitelisted
   extensions:
 *     ```
       Order deny,allow
       Deny from all
       <Files ~ ".(jpe?g|png|gif|mp3|wav|ogg|m4a|mp4|mov|wmv|avi|mpg|ogv|3gp|3g2|pdf|docx?|pptx?|ppsx?|odt|xlsx?|zip)$">
       Allow from all
       </Files>
       ```
   
 * The problem is that Apache out of the box processes *multiple* file extensions
   and passes off execution to any handlers registered for them. (The default Apache
   PHP config also allows execution for multiple file extensions.)
 * So, even with the above directive in place, PHP code in a file called
   “evil.php.png” will still execute under common default configurations.
 * (See [http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext](http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext))
 * The solution is probably something like this (I haven’t tested it):
 *     ```
       <Files *>
           SetHandler default-handler
       </Files>
       ```
   
 * as described here: [http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess](http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess)
 * [https://wordpress.org/plugins/gauntlet-security/](https://wordpress.org/plugins/gauntlet-security/)
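A way to check a server for the behaviour David describes, added here as an example (it is not code from the post or from the Gauntlet Security plugin): drop a tiny `probe-<pid>.php.png` into the uploads directory, request it over HTTP and classify what comes back. `UPLOADS_DIR` and `SITE_URL` are assumed placeholder values; the script needs shell access to the web root and `curl`, and only touches a live site when `RUN_PROBE=1` is set.

```shell
#!/bin/sh
# Added example (not from the original post or the Gauntlet Security plugin):
# does Apache execute "name.php.png" inside wp-content/uploads?
# Assumptions: shell access to the web root (UPLOADS_DIR) and a reachable site
# (SITE_URL); both are hypothetical defaults, override them via the environment.
set -eu

UPLOADS_DIR="${UPLOADS_DIR:-/var/www/html/wp-content/uploads}"   # assumed path
SITE_URL="${SITE_URL:-http://localhost}"                           # assumed URL
MARKER="uploads-probe-$$"   # unique token so a cached or default page cannot fool us

# classify_response STATUS BODY
# Maps an HTTP status and response body to one of:
#   executed  - PHP ran: the marker came back but the "<?php" tag did not
#   served    - file delivered as static bytes: the PHP source is visible
#   forbidden - request blocked (403), which is what the whitelist aims for
#   other     - anything else (000 = connection failure, 404, 500, ...)
classify_response() {
    status="$1"; body="$2"
    case "$status" in
        403) echo forbidden; return 0 ;;
        200) ;;
        *)   echo other; return 0 ;;
    esac
    case "$body" in
        *"<?php"*)   echo served ;;     # check this first: source also contains MARKER
        *"$MARKER"*) echo executed ;;
        *)           echo other ;;
    esac
}

# write_probe DIR NAME: drop a double-extension PHP file into DIR.
write_probe() {
    printf '<?php echo "%s"; ?>\n' "$MARKER" > "$1/$2"
}

# probe_url URL: fetch URL without following redirects, print the classification.
probe_url() {
    tmp=$(mktemp)
    status=$(curl -s -m 10 -o "$tmp" -w '%{http_code}' "$1" 2>/dev/null) || status=000
    body=$(cat "$tmp"); rm -f "$tmp"
    classify_response "$status" "$body"
}

# run_probe: write the file, fetch it, clean up, exit non-zero if it executed.
run_probe() {
    name="probe-$$.php.png"
    write_probe "$UPLOADS_DIR" "$name"
    trap 'rm -f "$UPLOADS_DIR/$name"' EXIT
    result=$(probe_url "$SITE_URL/wp-content/uploads/$name")
    echo "$name -> $result"
    [ "$result" != executed ]
}

# Only touch a live server when explicitly asked, so the functions above can be
# sourced and unit-tested without side effects.
if [ "${RUN_PROBE:-0}" = 1 ]; then
    run_probe
fi
```

`forbidden` is the outcome the whitelist promises, `served` is what `SetHandler default-handler` produces (the source is downloaded, not run), and `executed` means the multiple-extension path is open on that host. Run it before and after changing `.htaccess`; on a server where `AllowOverride` does not permit `FileInfo`, the `.htaccess` change is silently ignored and the probe will still report `executed`.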

Viewing 1 replies (of 1 total)

 *  Plugin Author [Cornelius Bergen](https://wordpress.org/support/users/cbergen/)
 * (@cbergen)
 * [10 years, 8 months ago](https://wordpress.org/support/topic/fix-for-uploads-directory-code-execution-doesnt-work/#post-6602086)
 * I like the whitelist approach since anything other than a known static file should
   simply return ‘Forbidden’ which is, I think, a good response. With the SetHandler
   method, PHP files are actually downloaded.
 * The multiple extensions issue is very real though and should be addressed. I 
   wonder if it would be worth trying to fix that issue closer to the web root rather
   than just the uploads folder. Here’s an old but relevant discussion:
    [https://core.trac.wordpress.org/ticket/11122#comment:8](https://core.trac.wordpress.org/ticket/11122#comment:8)
 * Maybe something like this should be recommended for the root .htaccess file
   (only if the server is deemed vulnerable)?…
 *     ```
       <Files *>
         SetHandler default-handler
       </Files>
       <FilesMatch \.php$>
         SetHandler application/x-httpd-php
       </FilesMatch>
       ```
   
 * This is untested as well. But if it works, I would prefer to leave the uploads
   directory fix as-is.
 * Thanks for the suggestion! I’ll be testing this on a vulnerable server and will
   definitely consider this for the next release.


The topic ‘Fix for uploads directory code execution doesn't work’ is closed to new
replies.


## Tags

 * [apache](https://wordpress.org/support/topic-tag/apache/)
 * [htaccess](https://wordpress.org/support/topic-tag/htaccess/)

 * 1 reply
 * 2 participants
 * Last reply from: [Cornelius Bergen](https://wordpress.org/support/users/cbergen/)
 * Last activity: [10 years, 8 months ago](https://wordpress.org/support/topic/fix-for-uploads-directory-code-execution-doesnt-work/#post-6602086)
 * Status: not resolved