I did some testing, but I did it so quickly that in the end I have sent my report e-mails to Oliver - sorry Oliver - in error as it was supposed to be sent to the list, well here is a summary of all the e-mails.
---- !1st e-mail

I care a lot, but I know very little about it and I am just waiting to see to what conclusion you both are going to get. Even though I know very little, I will try it myself and report.

---- !2nd e-mail

Tested in 1dollar-webhosting servers where my site is hosted (shame), what I get while trying to upload the file called forrest.php, which has the following code inside.

-----8x-----
<?php echo "<p>Run Forrest! Run!</p>"; ?>
-----8x-----

While trying to upload the file I got redirected to the URL below:

http://codex.wiki.br/cgi-sys/amplugin.shtml

That has the following message:

"Alerta de segurança
O arquivo que você está tentando fazer upload foi rejeitado pelo servidor. Provavelmente, o arquivo contém vírus ou trojans que podem danificar seu website. Não tente carregá-lo novamente como seu endereço de IP pode ser bloqueada."

The message might be shown in other languages I guess; the encoding is wrong here in this e-mail and where the message is located. (I believe it also depends on your e-mail reader, browser and encoding detection.) Briefly, the message says that the file was rejected for upload and if I insist on uploading, my IP could be banned.

I could not upload the file even with different extensions, including ".txt", and also trying to make the code hard to detect. This behavior is not good for me as I write code there and I wish I could upload the code as php files, but this is just my situation.

---- !3rd e-mail

I have discovered one thing, when using this in .htaccess, and I hope I am doing it right:

-----8x-----
Options -ExecCGI
SetHandler default-handler
-----8x-----

I just receive a 404 message when trying to get to "/uploads/". While just using:

-----8x-----
Options -ExecCGI
-----8x-----

I can read the folder and access the other folders inside it, even though the folders inside "/uploads/" appear as if they were displayed in the wrong encoding as well, as some of the words forming folder names use diacritics.

This is my report.
CarlosAB

2013/3/13 Petko Yotov <[email protected]>

> I'd like to read some opinions from different people about this question -
> if you can do some tests on your own servers, please find out what
> .htaccess settings disallow script execution for the uploaded files on your
> wiki, and report here.
>
> Thanks!
> Petko
>
> Oliver Betz writes:
>
>> In addition, I suggest to completely disallow execution of scripts in
>> upload directories.
>>
>> For Apache .htaccess I found:
>>
>> "Options -ExecCGI" - that's very effective in usual virtual hosting
>> environments but doesn't help for languages running as module.
>>
>> "SetHandler default-handler" works also for script languages running
>> as module.
>>
>> Before I add this information to the PmWiki documentation, I would
>> appreciate comments from people with better Apache knowledge.
>>
>

----
Codex
http://codex.wiki.br/
_______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
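The two directives discussed in the thread, combined into one .htaccess for an uploads directory, as an added example that is neither CarlosAB's file nor PmWiki's own configuration. It assumes the host's AllowOverride grants Options and FileInfo (shared hosts do not always do so), and the comments explain the 404 that CarlosAB observed.

```apache
# .htaccess for the uploads directory (added example; assumes AllowOverride
# permits Options and FileInfo on this directory)

# -ExecCGI  : stops CGI/FastCGI execution, enough for PHP run as CGI but
#             ignored by PHP loaded as an Apache module (as Oliver noted).
# -Includes : makes a stray .shtml in uploads inert.
# -Indexes  : no directory listing, independent of the SetHandler below.
Options -ExecCGI -Includes -Indexes

# Hand every request in this directory to the core static-file handler.
# Handlers registered by modules (mod_php and others) never see the
# request, so an uploaded script is delivered as plain text.
# Side effect: a request for the directory itself (/uploads/) gets a 404,
# because the core handler refuses to serve a directory. That is the 404
# CarlosAB saw with this setting, not a misconfiguration.
SetHandler default-handler

# Belt and braces for mod_php: switch the engine off where the directive is
# honoured. Kept inside IfModule so hosts without mod_php do not fail with
# a 500 on an unknown directive.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

To verify, place a harmless probe such as the forrest.php above in the directory and fetch it with a browser or curl: the hardened directory returns the literal "<?php" source, whereas a directory that still executes scripts returns only the rendered paragraph.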
