ALL4739 Posted December 24, 2013 Have old 2.2.3 that has a problem with hackers uploading .PHP files in the image folder and executing a complete website from that location. Have a donated script: http://addons.oscommerce.com/info/7894 that appears it will work but can't find the Web Configuration file it refers to. Anyone???
MrPhil Posted December 24, 2013 It's in a zipped folder, which you can extract with Windows Explorer. That said, I'm not sure how a web.config file works or where it goes. It doesn't appear to be an .htaccess file, which is the usual way to protect a Linux (Apache server) directory. Maybe it's for IIS?
ALL4739 Posted December 25, 2013 (Author) I went back and looked at the addon and it is a zipped file and does mention IIS. I think you are right. You mention the .htaccess file. There is one in the image directory, I wonder if this exposure to the image file was corrected with a new version of OS? I just need something to keep .php files from being loaded into the image folder. Maybe where all the defines are in the config file would be a place to look. Any suggestions from anyone would be a great help. I am 71 and the ol noggin isn't what it used to be. (neither is the website)
MrPhil Posted December 25, 2013 This is the standard /catalog/images/.htaccess file, used to prevent PHP files from being executed from images:

    # $Id$
    #
    # This is used to restrict access to this folder to anything other
    # than images

    # Prevents any script files from being accessed from the images folder
    <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
    Order Deny,Allow
    Deny from all
    </FilesMatch>

    Options -Indexes

Note that it doesn't prevent such files from being uploaded in the first place -- that sounds like you may have overly generous permissions in the directory, such as 777 (should be 755). Also, some hosts don't allow "Options" commands, so you may have to comment out (#) that line if you get a 500 or Internal Server error.
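An added example, not code from this thread or from osCommerce, that turns MrPhil's two points (script-type files that should never sit under images/, and a directory mode looser than 755) plus the presence of the protective .htaccess into a small POSIX shell audit a shop owner can run from a login shell. The directory path is assumed to be the shop's catalog/images; the demo at the bottom builds a throwaway tree under mktemp, so every file it inspects is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or osCommerce): audit an osCommerce
# catalog/images directory for the problems discussed in the reply above.

# count_script_files DIR: number of files whose extension the standard
# images/.htaccess FilesMatch rule blocks (same list as that rule).
count_script_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phps' \
        -o -name '*.html' -o -name '*.shtml' -o -name '*.phtml' \
        -o -name '*.cgi' -o -name '*.pl' -o -name '*.exe' \) | wc -l | tr -d ' '
}

# count_world_writable_dirs DIR: directories anyone on the host can write into
# (mode 777 is the "overly generous" case; 755 is the expected mode).
count_world_writable_dirs() {
    find "$1" -type d -perm -002 | wc -l | tr -d ' '
}

# htaccess_protects DIR: succeeds only if DIR/.htaccess contains a FilesMatch
# block that denies access, i.e. the standard protective file is in place.
htaccess_protects() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -q '<FilesMatch' "$f" && grep -qi 'Deny from all' "$f"
}

# audit_images_dir DIR: print findings; return 0 if clean, 1 if anything found.
audit_images_dir() {
    dir="$1"
    problems=0
    n=$(count_script_files "$dir")
    if [ "$n" -gt 0 ]; then
        echo "$dir: $n script-type file(s) present; these do not belong under images/"
        problems=1
    fi
    n=$(count_world_writable_dirs "$dir")
    if [ "$n" -gt 0 ]; then
        echo "$dir: $n world-writable director(y/ies); expected 755 (chmod 755 <dir>)"
        problems=1
    fi
    if ! htaccess_protects "$dir"; then
        echo "$dir: .htaccess missing or lacks a FilesMatch ... Deny from all rule"
        problems=1
    fi
    return $problems
}

# Demo on a constructed directory tree (not a real shop): one stray .php file
# and one 777 directory, and no .htaccess yet, so all three checks fire.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/images/uploads"
    : > "$tmp/images/logo.gif"
    : > "$tmp/images/uploads/dropped.php"
    chmod 777 "$tmp/images/uploads"
    if ! audit_images_dir "$tmp/images"; then
        echo "audit found problems"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as `sh audit.sh` from the account that owns the shop files; the functions can also be sourced and pointed at the real catalog/images path. The extension list mirrors the FilesMatch rule, so a file the rule would refuse to serve is exactly a file this audit reports, and a clean run means the upload path, the directory mode and the Apache rule are all in the state MrPhil describes.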
Archived
This topic is now archived and is closed to further replies.