PHP Security Fix?

Is this a real or merely theoretical concern?

Is it worth modifying my relevant PHP code?

Quick Joomla Security Tip: Disable PHP Execution in the Images Folder

We have been securing/cleaning Joomla websites for so long that we have identified the three-step process a malicious attacker performs to hack a Joomla website:

Disabling PHP execution in the images directory will mean that even if someone sneaked a PHP file to your images directory, it won’t be executed. In fact, when the attacker tries to execute the malicious script, he will only see the code. Nothing will happen!

http://www.itoctopus.com/quick-joomla-security-tip-disable-php-execution-in-the-images-folder

It’s considered a security risk since the image folder (as with any other upload folder) usually allows a user to upload files. If a malicious user somehow manages to upload code, and is then allowed to execute this code, you are basically owned.

There is no reason not to disable code execution in folders like this; no code changes are necessary. It can be done in your web server config, or in .htaccess files if you are using Apache.

Would you say that setting permissions to 644 would cover the need?

Thanks - David

No, folders that should not contain executable code, especially if the user can upload files to the folder, should be set to not execute code in your web server software.

See this Stack Overflow answer, which explains it with examples; take note of AllowOverride None, which will stop malicious users from uploading a .htaccess to disable your settings.

Regarding .htaccess, if you are on a VPS you don’t really need them. I would suggest not allowing them on the entire site, and setting all the config options in the vhost file.

Here’s the problem …

If I put the following in an otherwise empty .htaccess my site
http://nevils-station.com
won’t load unless I manually add “index.html” to the URL.

SetHandler default-handler

What am I missing, please?

Thanks!
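The two replies above recommend turning off PHP execution for the upload directory in the web server itself and using AllowOverride None so an uploaded .htaccess cannot undo it. The following vhost is an added example written for this page (it is not from the thread, from itoctopus, or from the Joomla project); the document root /var/www/joomla, the ServerName and the images/ path are assumptions, and it targets Apache 2.4 syntax (Require rather than Order/Allow).

```apache
# Added example (not from the thread or from itoctopus): an Apache 2.4 vhost
# that blocks PHP execution in Joomla's upload directory and ignores .htaccess.
# Assumed paths: document root /var/www/joomla, upload directory images/.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/joomla

    <Directory /var/www/joomla>
        # Ignore .htaccess everywhere, so an uploaded one cannot re-enable
        # execution. Any override the site needs is written into this vhost.
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /var/www/joomla/images>
        # Whatever the server-wide PHP handler is (mod_php via AddHandler or
        # php-fpm via SetHandler), refuse to serve PHP-looking files here at
        # all. A 403 is better than showing the source: nothing runs and the
        # attacker learns nothing about what is or is not executed.
        # (?i) because mod_mime matches extensions case-insensitively, and
        # (\.|$) also catches double extensions such as shell.php.jpg.
        <FilesMatch "(?i)\.(php|php[0-9]|phtml|phar|phps)(\.|$)">
            Require all denied
        </FilesMatch>

        # Belt and braces for mod_php installs: drop the handler/type that
        # AddHandler/AddType set server-wide and forbid CGI-style execution
        # for the whole tree, so even a bypass of the pattern above runs nothing.
        RemoveHandler .php .phtml .phar
        RemoveType    .php .phtml .phar
        Options -ExecCGI
        # php_admin_flag engine off   # mod_php only; Apache fails to start
                                      # with this line under php-fpm
    </Directory>
</VirtualHost>
```

To check it, drop a file such as images/probe.php containing `<?php echo "executed";` and request it with `curl -i`; you want an HTTP 403, not the string "executed" and not the raw source. Two caveats: Joomla's shipped htaccess.txt (SEF rewrite rules) also stops being read under AllowOverride None, so those rules have to move into the vhost as well; and keep the restriction inside the upload directory's `<Directory>` block rather than at the document root, because directory requests such as `/` depend on mod_dir recognising the `httpd/unix-directory` handler to apply `DirectoryIndex`, and a site-wide `SetHandler default-handler` replaces that handler, which is why the index page then has to be named explicitly in the URL.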
